Security researchers at Microsoft have detected a new malware, “MagicWeb”, with post-exploitation capabilities for maintaining persistent access to compromised environments. The company linked MagicWeb to ‘NOBELIUM’, a highly active threat actor targeting government, non-government, and intergovernmental organizations, among others. MagicWeb is reported to have infected systems in the US, Europe, and Central Asia.
How MagicWeb works
Using highly privileged credentials, NOBELIUM deployed MagicWeb to obtain administrative control over the victims’ systems, in this case the Active Directory Federation Services (ADFS) servers. From the observed sequence of NOBELIUM’s activities, the report concluded that MagicWeb was used to gain access and to carry out cyber espionage while remaining stealthy.
After gaining access, NOBELIUM replaced one of the system’s legitimate Dynamic Link Library (DLL) files with MagicWeb, which used the stolen credentials to manipulate the user authentication certificates. Unlike attacks such as Golden SAML, which rely on stolen signing certificates to bypass ADFS authentication and reach federated services, MagicWeb does not use the signing certificates at all: it is loaded by ADFS itself.
MagicWeb – A malicious DLL file
The Microsoft advisory explained that MagicWeb is a malicious Dynamic Link Library (DLL), a component that larger programs load in order to carry out specific tasks alongside the system’s own programs. “MagicWeb is a malicious DLL that allows manipulation of the claims passed in tokens generated by an Active Directory Federated Services (ADFS) server”, the advisory read.
The backdoor, which executed its code through the DLL, was discovered by Microsoft’s Detection Research Team (DART), MSTIC, and Microsoft 365. DLL files contain code and data that larger programs on the system can call on to handle specific functions.
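Because MagicWeb is a replaced DLL that ADFS loads itself rather than a stolen signing certificate, one practical defensive check is to verify the Authenticode signature of every library the ADFS service process has loaded, and of the ADFS assemblies on disk, so an unsigned or non-Microsoft module stands out. The PowerShell script below is an added example written for this article; it is not code from Microsoft’s advisory or from the MagicWeb analysis. It assumes a default ADFS installation in which the service runs as Microsoft.IdentityServer.ServiceHost.exe and the ADFS binaries live under the Windows directory, and it must be run elevated on the ADFS server.

```powershell
# Added example (not from the advisory or the article): audit the DLLs that the
# ADFS service has loaded, plus the ADFS assemblies on disk, and flag any that
# are unsigned, tampered with, or not signed by Microsoft.
# Assumptions: default ADFS install (service process name below), run as an
# administrator on the ADFS server. Adjust $ProcessName if your install differs.

param(
    [string]$ProcessName = 'Microsoft.IdentityServer.ServiceHost',
    [string]$ReportPath  = "$env:TEMP\adfs-module-audit.csv"
)

# 1. Modules currently mapped into the running ADFS service process(es).
$candidates = [System.Collections.Generic.List[string]]::new()
$procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
if (-not $procs) {
    Write-Warning "No running process named $ProcessName; is this an ADFS server?"
}
foreach ($proc in $procs) {
    foreach ($module in $proc.Modules) {
        if ($module.FileName) { $candidates.Add($module.FileName) }
    }
}

# 2. ADFS assemblies on disk. Managed assemblies loaded by the CLR do not always
#    appear in the process module list, so the on-disk scan closes that gap.
$diskRoots = @("$env:SystemRoot\ADFS", "$env:SystemRoot\Microsoft.NET\assembly")
foreach ($root in $diskRoots) {
    if (Test-Path -LiteralPath $root) {
        Get-ChildItem -LiteralPath $root -Recurse -Filter 'Microsoft.IdentityServer*.dll' -ErrorAction SilentlyContinue |
            ForEach-Object { $candidates.Add($_.FullName) }
    }
}

# 3. Check each unique file once and record what we find.
$findings = foreach ($path in ($candidates | Sort-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
    $isMicrosoft = $signer -match 'O=Microsoft Corporation'

    [pscustomobject]@{
        Module        = $path
        Status        = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Signer        = $signer
        LastWriteTime = (Get-Item -LiteralPath $path).LastWriteTimeUtc
        Suspicious    = ($sig.Status -ne 'Valid') -or (-not $isMicrosoft)
    }
}

$findings | Export-Csv -Path $ReportPath -NoTypeInformation
$flagged = @($findings | Where-Object Suspicious)
if ($flagged.Count -gt 0) {
    Write-Warning "$($flagged.Count) ADFS module(s) are unsigned, tampered, or not Microsoft-signed (report: $ReportPath):"
    # Most recently modified first: a freshly replaced library tends to be the newest file.
    $flagged | Sort-Object LastWriteTime -Descending |
        Format-Table Status, Signer, LastWriteTime, Module -AutoSize
} else {
    Write-Host "All $(@($findings).Count) ADFS modules carry a valid Microsoft signature."
}
```

Legitimate third-party software that injects into service processes (endpoint protection hooks, for example) will also be flagged, so treat the output as a list to triage against a known-good baseline rather than a verdict. Reviewing the flagged files’ modification times alongside the ADFS server’s event logs is the natural next step.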
Research on MagicWeb
The Microsoft Threat Intelligence Center stated that MagicWeb was deployed in the middle of an ongoing compromise of the victim’s systems and was most likely launched to preserve NOBELIUM’s access in line with its strategic interests.