Trojan:Win32/FoggyWeb.A!dha
Aliases: No associated aliases
Summary
Microsoft Defender Antivirus detects and removes this threat.
This threat is a malicious DLL file that loads an encrypted backdoor file (Trojan:MSIL/FoggyWeb.A!dha) in the system, decrypts it, and loads it in memory.
NOBELIUM employs multiple tactics to pursue credential theft with the objective of gaining admin-level access to Active Directory Federation Services (AD FS) servers. As such, NOBELIUM uses this malware together with Trojan:MSIL/FoggyWeb.A!dha to remotely exfiltrate the configuration database of compromised AD FS servers, the decrypted token-signing certificate, and the token-decryption certificate, as well as to download and execute additional components.
For more information and guidance from Microsoft, read the following:
- FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor
- Breaking down NOBELIUM’s latest early-stage toolset
- Another Nobelium Cyberattack
- New sophisticated email-based attack from NOBELIUM
- GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence - Microsoft Security
- Important steps for customers to protect themselves from recent nation-state cyberattacks
- Customer guidance on recent nation-state cyberattacks
Microsoft Defender Antivirus automatically removes threats as they are detected. If you have cloud-delivered protection, your device gets the latest defenses against new and unknown threats. If you don't have this feature enabled, update your antimalware definitions and run a full scan to remove this threat.
Customers should review their AD FS server configuration and implement changes to secure these systems from attacks. To help reduce the impact of this threat, you can:
- Immediately isolate the affected device. If malicious code has been launched, it is likely that the device is under complete attacker control.
- Identify the accounts that have been used on the affected device and consider these accounts compromised. Reset passwords or decommission the accounts.
- Investigate how the affected endpoint might have been compromised. Check web and email traffic to determine how the malware arrived.
- Investigate the device timeline for indications of lateral movement activities using one of the compromised accounts. Check for additional tools that attackers might have dropped to enable credential access, lateral movement, and other attack activities.