Get in Touch
MagicWeb malware targets authentication certificates
Government and non-governmental organisations (NGOs)
Severity level: High
Cyber threat group NOBELIUM (APT29), responsible for the 2020 SolarWinds attack, has released malware utilising a new capability that has been designated as MagicWeb by Microsoft. This malware contains a malicious dynamic link library (DLL) that enables the manipulation of tokens generated by the Active Directory Federation Service (ADFS). It thereby manipulates authentication certificates, allowing the creation of a backdoor within the target system and the ability to authenticate as any user account, giving them an abundance of lateral opportunities.
However, before this malware can be used effectively, the attacker must already have access to the target system via other means.
An attacker with high-level system access has the ability to plant a backdoor by replacing the legitimate DLL with the malicious MagicWeb version. If the malware remains undetected, it can provide extensive network persistence for the attacker, enabling them to covertly extract C2 data.
Hunt for malware across Windows event logs by enabling the collection of ADFS verbose logs and search for ‘Event ID 501’ to identify all extended key usage.
Customers using Microsoft Sentinel with enabled verbose mode logging can use this query to search for suspicious object identifiers (OIDs).
For customers using Microsoft 365 Defender, the following query can be run to surface all unsigned DLLs in the global assembly cache created within the past 60 days:
| where Timestamp between( ago(60d)..now() )
| where FolderPath has @”C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.IdentityServer.”
and FileName endswith “.dll”
| join (
| where not(IsSigned)
) on SHA1
Indiscriminate Windows systems.
Containment, Mitigations & Remediations
The ability to deploy MagicWeb depends on whether the attackers already have access to highly privileged credentials of the target system. Therefore, strong credential hygiene is an essential mitigating measure to defend against the threat. This includes the use of multi-factor authentication (MFA) and NCSC recommended password protection.
Key to this malware success is the infiltration of the ADFS, therefore it is strongly advised that customers treat ADFS servers as a tier 0 asset, and a robust ADFS hardening strategy is implemented.
Indicators of Compromise
Microsoft Defender Antivirus search: Trojan:MSIL/MagicWeb.A!dha
Microsoft Defender Endpoint alert: ADFS persistent backdoor detected
NOBELIUM often customises its infrastructure per attack, thereby minimising collateral risk should their attack attributes be discovered. If MagicWeb is identified in your environment, it’s unlikely to match indicators of compromise (IOCs) from other targets. It’s recommended to use the hunting guidance provided within this report to investigate your environment.
As a Russian state-sponsored threat actor, NOBELIUM’s primary target remains western governments and NGOs. Western support for the ongoing conflict in Ukraine is exacerbating Russian cyber offensives and will likely continue for the foreseeable future.
NOBELIUM is reportedly responsible for a number of high-profile attacks in the past, including the 2020 SolarWinds attack and the development of MagicWeb’s predecessor, Foggy Web.
T1140 – Deobfuscate/Decode Files or Information
T1036 – Masquerading
T1005 – Data from Local System
T1071 – Application Layer Protocol
T1106 – Native API
T1552.004 – Unsecured Credentials: Private Keys
T1550 – Use Alternate Authentication Material