Microsoft details AD FS malware from SolarWinds actors

Microsoft detailed new malware Monday from the espionage group behind the massive SolarWinds campaign.

The espionage group, which Microsoft calls Nobelium, has been attributed to Russian intelligence by the United States. They burst onto the scene late December by exploiting unknown vulnerabilities in the SolarWinds IT management product and other products. The U.S. responded with sanctions in April. New campaigns from the group have popped up several times since then.

In the latest entry to Nobelium's catalog, Microsoft has seen the group load a passive backdoor Microsoft named "FoggyWeb" into Active Directory Federated Service.

After compromising systems, Nobelium uploads the backdoor (encrypted as Windows.Data.TimeZones.zh-PH.pri) and a loader (version.dll) into the AD FS folder. A command and control server communicates with the backdoor using HTTP GET and POST requests. Three different tailored HTTP GET commands will retrieve configuration information, the token signing certificate and the token decryption certificate. A specific POST command will include encrypted .NET source code for the backdoor to run.

"Microsoft has notified all customers observed being targeted or compromised by this activity, " the company wrote in its blog post announcing the discovery.

The blog post also contains indicators of compromise and mitigation advice.