Magicweb

Malware Profile Updated 3 months ago
MagicWeb is a post-compromise backdoor for Active Directory Federation Services (AD FS) servers that Microsoft first reported in August 2022. Microsoft attributes it to NOBELIUM, the actor also tracked as APT29 and Cozy Bear and assessed to be part of Russia's Foreign Intelligence Service (SVR).

MagicWeb does not exploit a vulnerability in AD FS. The operators first obtain highly privileged administrative access to an AD FS server by other means, then implant the backdoor on that server. Once in place, MagicWeb subverts the server's authentication logic so that certificates the attackers craft are accepted as valid, which lets them authenticate to the federated environment as any user and keep persistent, hard-to-detect access for espionage. It is a successor to FoggyWeb, an earlier NOBELIUM post-exploitation tool that exfiltrated the AD FS configuration database and its token-signing and token-decryption certificates; MagicWeb goes a step further by changing how the server itself decides whether an authentication is valid. Microsoft also noted that NOBELIUM changes its tradecraft on almost every machine it touches, which limits the value of static indicators against this actor.

NOBELIUM is the group behind the 2020 SolarWinds supply-chain compromise; MagicWeb itself is a later tool and was not part of that intrusion. Its abuse of privileged access to an identity system follows the same pattern, though: Advanced Persistent Threat (APT) groups increasingly target technology supply chains and identity infrastructure, where a single foothold grants access to everything that trusts it. The practical lesson is to treat AD FS servers as Tier 0 assets on par with domain controllers: isolate them, restrict administrative access, set up device validation rules for the accounts and hosts allowed to reach them, and continuously verify the integrity of the code they run and the certificates they accept.
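Because MagicWeb lives as an attacker-supplied module inside the AD FS service rather than as an exploit, the check a defender wants is an integrity audit of what that service loads. The following PowerShell is an added example written for this page, not code from Microsoft or from the original report: it enumerates DLLs and executables under the AD FS install directory and every module currently loaded into the AD FS service process, and reports any that do not carry a valid Microsoft Authenticode signature. The install path C:\Windows\ADFS and the process name Microsoft.IdentityServer.ServiceHost are assumptions about a default installation and should be adjusted for your environment.

```powershell
# Added example (not from the page or from Microsoft): audit an AD FS server for
# loaded or installed modules that are not signed by Microsoft. MagicWeb persists as
# a malicious DLL loaded by the AD FS service, so an unsigned or third-party-signed
# module here is exactly the kind of anomaly to investigate.
# Assumptions (not stated on the page): default install path C:\Windows\ADFS and
# service process name Microsoft.IdentityServer.ServiceHost. Run elevated on the
# AD FS server itself so that process modules can be read.

param(
    [string]$AdfsPath        = 'C:\Windows\ADFS',
    [string]$AdfsProcessName = 'Microsoft.IdentityServer.ServiceHost'
)

function Test-MicrosoftSigned {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Require a valid signature chain AND a Microsoft subject on the signing certificate.
    return ($sig.Status -eq 'Valid' -and
            $sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')
}

# 1. Every DLL/EXE under the AD FS install directory.
$candidates = @(Get-ChildItem -Path $AdfsPath -Recurse -Include *.dll, *.exe -File -ErrorAction SilentlyContinue |
                Select-Object -ExpandProperty FullName)

# 2. Every module currently loaded into the AD FS service process. This catches a
#    DLL loaded from the GAC or any other location that never touches the install directory.
$proc = Get-Process -Name $AdfsProcessName -ErrorAction SilentlyContinue
if ($proc) {
    $candidates += @($proc.Modules | Select-Object -ExpandProperty FileName)
}

$findings = foreach ($file in ($candidates | Sort-Object -Unique)) {
    if (-not (Test-MicrosoftSigned -Path $file)) {
        $sig = Get-AuthenticodeSignature -FilePath $file
        [pscustomobject]@{
            File   = $file
            Status = $sig.Status
            Signer = $sig.SignerCertificate.Subject
            SHA256 = (Get-FileHash -Path $file -Algorithm SHA256).Hash
        }
    }
}

if ($findings) {
    Write-Warning "Modules on this AD FS server that are not signed by Microsoft:"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "All inspected AD FS modules carry a valid Microsoft signature."
}
```

Two caveats when reading the output. Some operating-system binaries are catalog-signed rather than carrying an embedded signature, so they can surface as NotSigned on older PowerShell builds; the SHA256 column is there so such hits can be compared against a known-good baseline from a clean AD FS server instead of being dismissed by hand. And a signature check is a point-in-time integrity test, not a substitute for isolating the server and monitoring its authentication logs for sign-ins that succeed with certificates your organisation never issued.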
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID: FoggyWeb    Votes: 1
FoggyWeb is a type of malware recently discovered by Microsoft that hackers are using to remotely steal network admin credentials. The malware, which has been in use since as early as April 2021, is employed by the hacker group NOBELIUM to remotely exfiltrate the configuration database of compromise
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Microsoft, Backdoor, Malware, Implant, Exploit, SVR, Windows, APT
Associated Malware
No associations to display
Associated Threat Actors
ID: Cozy Bear    Type: Unspecified    Votes: 1
Cozy Bear, also known as APT29, is a threat actor linked to the Russian government that has been implicated in numerous cyber-espionage activities. The group's activities have been traced back to at least 2015, when they were identified as infiltrating the Democratic National Committee (DNC) network

ID: APT29    Type: Unspecified    Votes: 1
APT29, also known as Cozy Bear, SVR group, BlueBravo, Nobelium, Midnight Blizzard, and The Dukes, is a threat actor linked to Russia. This group is notorious for its malicious activities in the cybersecurity realm, executing actions with harmful intent. It has been associated with several high-profi

ID: NOBELIUM    Type: Unspecified    Votes: 1
Nobelium, a threat actor linked to Russia's SVR, has been actively targeting French diplomatic entities as part of its cyber-espionage activities. The Advanced Persistent Threat (APT) group has utilized sophisticated techniques such as phishing and attempts to install Cobalt Strike, an advanced malw
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Magicweb malware was read from the documents corpus below (display limited to 20 results).

Source: CERT-EU    Created: 5 months ago    Title: Russian cyberespionage group APT29 targeting cloud vulnerabilities
Source: CERT-EU    Created: 5 months ago    Title: Russia's Cozy Bear spotted diving into cloud environments
Source: CISA    Created: 5 months ago    Title: SVR Cyber Actors Adapt Tactics for Initial Cloud Access | CISA
Source: CERT-EU    Created: 8 months ago    Title: Microsoft Incident Response lessons on preventing cloud identity compromise | Microsoft Security Blog
Source: CERT-EU    Created: a year ago    Title: Microsoft warns of rising NOBELIUM credential attacks on defense sector
Source: DARKReading    Created: a year ago    Title: MagicWeb Mystery Highlights Nobelium Attacker's Sophistication