At a glance.
- FoggyWeb malware tied to Nobelium.
- New Turla backdoor.
- BloodyStealer targets gamers.
- Colossus ransomware surfaces.
FoggyWeb malware tied to Nobelium.
Microsoft has published its findings on a newly discovered post-exploitation backdoor used by the Nobelium threat actor (also known as Cozy Bear, attributed to Russia's SVR foreign intelligence service). The malware, which Microsoft calls "FoggyWeb," is designed to steal sensitive information from Active Directory Federation Services (AD FS) servers and can download additional payloads:
"NOBELIUM employs multiple tactics to pursue credential theft with the objective of gaining admin-level access to Active Directory Federation Services (AD FS) servers. Once NOBELIUM obtains credentials and successfully compromises a server, the actor relies on that access to maintain persistence and deepen its infiltration using sophisticated malware and tools. NOBELIUM uses FoggyWeb to remotely exfiltrate the configuration database of compromised AD FS servers, decrypted token-signing certificate, and token-decryption certificate, as well as to download and execute additional components. Use of FoggyWeb has been observed in the wild as early as April 2021."
New Turla backdoor.
Cisco Talos has spotted a backdoor used by the Russian threat actor Turla (also known as Venomous Bear) against targets in Afghanistan, Germany, and the US. The researchers believe the backdoor is installed alongside a primary malware strain in order to maintain persistence if the primary malware is removed:
"Due to this backdoor's limited functionality and simple coding style, it is not easy for anti-malware systems to detect it as malware. We found evidence in our telemetry that this software has been used by adversaries since at least 2020. This malware specifically caught our eye when it targeted Afghanistan prior to the Taliban’s recent takeover of the government there and the pullout of Western-backed military forces. Based on forensic evidence, Cisco Talos assesses with moderate confidence that this was used to target the previous Afghan government."
BloodyStealer targets gamers.
Kaspersky describes "BloodyStealer," a Trojan that's been used against a range of targets, but which is seen as particularly risky to gamers. The malware has all the expected capabilities of a banking Trojan, but it also focuses on stealing information about gaming platforms, including Steam, Epic Games Store, EA Origin, and others. The malware's proprietors are choosy about their customers, and appear to only do business with "VIP members of underground forums."
Colossus ransomware surfaces.
Researchers at ZeroFox have published a report on "Colossus," a newly observed ransomware strain that was recently used in an attack against an automotive dealer group in the US:
"As part of routine monitoring, ZeroFox detected and extracted a ransom note titled “HOW_TO_RECOVER_FILES.Colossus.txt” from a malware sample uploaded to the Hatching Triage malware analysis service on September 24, 2021. The note contained a link with the domain colossus[.]support and a victim key to access a private “Support Room” page to engage the attacker. The page notes a U.S.-based automotive group of dealerships as the target and threatens to dump 200 GB of exfiltrated data if an amount of USD 400,000 is not paid. A countdown timer shows the ransom is scheduled to increase to USD 600,000 in about 3 days. A suspected representative of the targeted company with the anonymous username “USER912058085” appears to have entered the chat room and initiated negotiations. At this time, the attacker has shared four sample files of stolen data hosted at the file sharing service ibb[.]co and is awaiting a further response."
The researchers haven't seen any references to this ransomware in criminal fora, but they note that its "operators appear to be at least highly familiar if not directly associated with other existing ransomware-as-a-service (RaaS) groups based on their tactics, techniques, and procedures." Specifically, the researchers observe that "[t]heir ransom note is similar in structure and content to other known ransomware products, including some EpsilonRed/BlackCocaine and REvil/Sodinokibi samples. This could indicate using a similar builder for the ransomware files, and follows a pattern of ransomware groups disappearing and reappearing with a rebranded name and similar toolsets."