"Microsoft Attributes New Post-Compromise Capability to Nobelium"

Security researchers from the Microsoft Threat Intelligence Center (MSTIC) have discovered a new post-compromise capability that allows a threat actor to maintain persistent access to already-compromised environments. Dubbed "MagicWeb," the capability has been attributed to Nobelium, the group commonly associated with the SolarWinds and USAID attacks. The researchers stated that Nobelium remains highly active, executing multiple campaigns in parallel against government organizations, NGOs, intergovernmental organizations (IGOs), and think tanks across the US, Europe, and Central Asia.

The researchers assess that MagicWeb was likely deployed during an ongoing compromise and was used by Nobelium to retain access while defenders carried out remediation steps that would otherwise have evicted the actor. Nobelium has employed specialized persistence capabilities of this kind before, notably FoggyWeb, which Microsoft discovered in September 2021. FoggyWeb could already exfiltrate the configuration database of compromised Active Directory Federation Services (AD FS) servers, decrypt their token-signing and token-decryption certificates, and download and execute additional malware components.

MagicWeb goes further: it is a malicious dynamic-link library (DLL) installed on the AD FS server that lets the actor manipulate the claims carried in the tokens the server issues, giving covert access directly at the identity provider rather than through a stolen certificate. Because MagicWeb requires administrative access to the AD FS server to install, its presence indicates the server was already fully compromised, and the DLL should be treated as a persistence mechanism to hunt for, not as the initial intrusion vector.
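Since MagicWeb works by planting an unsigned or attacker-signed DLL where the AD FS service will load it, a first triage step on a suspect AD FS server is to list every assembly in the AD FS install directory and the .NET GAC that does not carry a valid Microsoft Authenticode signature, and to sort by write time. The script below is an added example for this page, not code from Microsoft's report; the two directory paths and the "Microsoft Corporation" signer match are assumptions for a default Windows Server installation and should be adjusted for your environment.

```powershell
# Added example (not from MSTIC's write-up): surface DLLs under the AD FS install
# directory and the .NET GAC whose Authenticode signature is missing, invalid,
# or issued to a publisher other than Microsoft. Paths and the publisher string
# are assumptions for a default Windows Server build.
$scanPaths = @(
    "$env:windir\ADFS",                               # AD FS binaries (assumed default)
    "$env:windir\Microsoft.NET\assembly\GAC_MSIL"     # .NET 4.x GAC (assumed default)
)

$findings = foreach ($root in $scanPaths) {
    if (-not (Test-Path -Path $root)) { continue }

    Get-ChildItem -Path $root -Recurse -Filter *.dll -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

            # Flag anything that is not validly signed by Microsoft. A legitimate
            # third-party assembly will also appear here and needs manual triage.
            if ($sig.Status -ne 'Valid' -or $signer -notlike '*Microsoft Corporation*') {
                [pscustomobject]@{
                    Path         = $_.FullName
                    Status       = $sig.Status
                    Signer       = $signer
                    LastWriteUtc = $_.LastWriteTimeUtc
                    SHA256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                }
            }
        }
}

# Most recently written files first: a fresh DLL in an otherwise static
# directory is the thing to look at.
$findings | Sort-Object -Property LastWriteUtc -Descending | Format-Table -AutoSize
```

Run this from an elevated PowerShell session on the AD FS server itself, and capture the hashes so they can be compared against a known-good server or submitted for analysis. A hit is not proof of compromise: catalog-signed OS components and vendor extensions can show up, so treat the list as a triage queue and pair it with the AD FS server's own event logs and a review of which assemblies the running service process has actually loaded.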
Infosecurity reports: "Microsoft Attributes New Post-Compromise Capability to Nobelium"