Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

FoggyWeb

FoggyWeb is a passive and highly-targeted backdoor capable of remotely exfiltrating sensitive information from a compromised Active Directory Federated Services (AD FS) server. It has been used by APT29 since at least early April 2021.(Citation: MSTIC FoggyWeb September 2021)
ID: S0661
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 16 Nov 2021
Last Modified: 11 Apr 2024

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

FoggyWeb has the ability to communicate with C2 servers over HTTP GET/POST requests.(Citation: MSTIC FoggyWeb September 2021)

Enterprise T1560 .002 Archive Collected Data: Archive via Library

FoggyWeb can invoke the `Common.Compress` method to compress data with the C# GZipStream compression class.(Citation: MSTIC FoggyWeb September 2021)

.003 Archive Collected Data: Archive via Custom Method

FoggyWeb can use a dynamic XOR key and a custom XOR methodology to encode data before exfiltration. Also, FoggyWeb can encode C2 command output within a legitimate WebP file.(Citation: MSTIC FoggyWeb September 2021)

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

FoggyWeb has used a dynamic XOR key and custom XOR methodology for C2 communications.(Citation: MSTIC FoggyWeb September 2021)

Enterprise T1574 .001 Hijack Execution Flow: DLL Search Order Hijacking

FoggyWeb's loader has used DLL Search Order Hijacking to load malicious code instead of the legitimate `version.dll` during the `Microsoft.IdentityServer.ServiceHost.exe` execution process.(Citation: MSTIC FoggyWeb September 2021)

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

FoggyWeb can be disguised as a Visual Studio file such as `Windows.Data.TimeZones.zh-PH.pri` to evade detection. Also, FoggyWeb's loader can mimic a genuine `dll` file that carries out the same import functions as the legitimate Windows `version.dll` file.(Citation: MSTIC FoggyWeb September 2021)

Enterprise T1027 .004 Obfuscated Files or Information: Compile After Delivery

FoggyWeb can compile and execute source code sent to the compromised AD FS server via a specific HTTP POST.(Citation: MSTIC FoggyWeb September 2021)

.013 Obfuscated Files or Information: Encrypted/Encoded File

FoggyWeb has been XOR-encoded.(Citation: MSTIC FoggyWeb September 2021)

Enterprise T1552 .004 Unsecured Credentials: Private Keys

FoggyWeb can retrieve token signing certificates and token decryption certificates from a compromised AD FS server.(Citation: MSTIC FoggyWeb September 2021)

Groups That Use This Software

ID Name References
G0016 APT29

(Citation: MSTIC FoggyWeb September 2021)

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.