MagicWeb Detection: NOBELIUM APT Uses Sophisticated Authentication Bypass

A notorious APT group tracked as NOBELIUM (aka APT29, Cozy Bear, and The Dukes) adds new threats to their set of malicious tricks. The threat actor, responsible for a 2020 headline-making hack of Texas-based SolarWinds company, remains a highly active criminal gang, impacting a wide range of industries and organizations in public, private, and non-governmental sectors across the US, Europe, and Central Asia.

In the latest campaign, adversaries deploy MagicWeb malware to maintain access to infected environments.

MagicWeb Malware Detection

To ensure that your system is not a sitting duck for NOBELIUM hackers, download a Sigma rule released by our keen Threat Bounty developer Aytek Aytemur. The rule detects suspicious .dll loading and PowerShell command lines that the NOBELIUM uses for enumerating non-Microsoft DLLs in the GAC:

Suspicious NOBELIUM Execution by Enumerating Non-Microsoft DLLs in GAC (via cmdline)

This detection has translations for the following SIEM, EDR & XDR platforms: Microsoft Sentinel, Elastic Stack, Splunk, Humio, Sumo Logic, ArcSight, QRadar, FireEye, LogPoint, Graylog, Regex Grep, RSA NetWitness, Apache Kafka ksqlDB, AWS OpenSearch, Open Distro, and Snowflake.

The rule is aligned with the MITRE ATT&CK® framework v.10, addressing the Execution tactic with Command and Scripting Interpreter (T1059) as the main technique.

Follow the updates of detection content related to NOBELIUM APT in the Threat Detection Marketplace repository of the SOC Prime Platform. Press the Detect & Hunt button below and unlock unlimited access to the world’s first platform for collaborative cyber defense, threat hunting, and discovery that integrates with 26+ SIEM, EDR, and XDR platforms. If you are new to the SOC Prime Platform – an industry-leading provider of Detection-as-Code content, browse through a vast collection of Sigma rules with relevant threat context, CTI and MITRE ATT&CK references, CVE descriptions, and get updates on threat hunting trends. No registration is required! Press the Explore Threat Context button to learn more.

Detect & Hunt Explore Threat Context

MagicWeb Description

NOBELIUM APT are known to use sophisticated tools throughout their attacks. MagicWeb backdoor is the latest discovery in their arsenal, detailed by Microsoft security researchers. The post-exploitation malware allows attackers to maintain persistent access to breached environments after they’ve abused admin credentials to access an AD FS system, substituting legitimate DLL with malicious DLL.

The Active Directory Federation Server (AD FS), which refers to on-premise AD servers as opposed to Azure Active Directory in the cloud, is the business identity system targeted by MagicWeb attacks. This disclosure from the Microsoft researchers also stresses the importance of isolating AD FS and limiting access to it.

The investigation into the MagicWeb-based incidents revealed striking similarities with the FoggyWeb malware that had been a part of the NOBELIUM hackers’ weaponry since spring 2021.

In the avalanche of new threats, it is vital to stay current with the events pertaining to the cybersecurity industry. Follow the SOC Prime blog for the latest security news and updates regarding detection content releases. Are you in search of a trustworthy platform to distribute your detection content while promoting collaborative cyber defense? Join SOC Prime’s crowdsourcing program to share your Sigma and YARA rules with the community, automate threat investigation, and get feedback and vetting from a community of 28,000+ security professionals to boost your security operations.