IAM Technologies

Microsoft details AD FS malware from SolarWinds actors

The Microsoft logo is illuminated at its booth at the GSMA Mobile World Congress 2019 on Feb. 26, 2019, in Barcelona, Spain. (Photo by David Ramos/Getty Images)

Microsoft detailed new malware Monday from the espionage group behind the massive SolarWinds campaign.

The espionage group, which Microsoft calls Nobelium, has been attributed to Russian intelligence by the United States. They burst onto the scene late December by exploiting unknown vulnerabilities in the SolarWinds IT management product and other products. The U.S. responded with sanctions in April. New campaigns from the group have popped up several times since then.

In the latest entry to Nobelium's catalog, Microsoft has seen the group load a passive backdoor Microsoft named "FoggyWeb" into Active Directory Federated Service.

After compromising systems, Nobelium uploads the backdoor (encrypted as Windows.Data.TimeZones.zh-PH.pri) and a loader (version.dll) into the AD FS folder. A command and control server communicates with the backdoor using HTTP GET and POST requests. Three different tailored HTTP GET commands will retrieve configuration information, the token signing certificate and the token decryption certificate. A specific POST command will include encrypted .NET source code for the backdoor to run.

"Microsoft has notified all customers observed being targeted or compromised by this activity, " the company wrote in its blog post announcing the discovery.

The blog post also contains indicators of compromise and mitigation advice.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.