Microsoft security researchers have discovered a post-compromise capability we’re calling MagicWeb, which is used by a threat actor we track as NOBELIUM to maintain persistent access to compromised environments.
The post MagicWeb: NOBELIUM’s post-compromise trick to authenticate as anyone appeared first on Microsoft Security Blog. READ MORE HERE…
HTML smuggling, a highly evasive malware delivery technique that leverages legitimate HTML5 and JavaScript features, is increasingly used in email campaigns that deploy banking malware, remote access Trojans (RATs), and other payloads related to targeted attacks.
The post HTML smuggling surges: Highly evasive loader technique increasingly used in banking malware, targeted attacks appeared first on Microsoft Security Blog. READ MORE HERE…
In the first of a four-part series on the NOBELIUM nation-state attack, we describe the attack and explain why enterprises should be cautious.
The post How nation-state attackers like NOBELIUM are changing cybersecurity appeared first on Microsoft Security Blog. READ MORE HERE…
In-depth analysis of newly detected NOBELIUM malware: a post-exploitation backdoor that Microsoft Threat Intelligence Center (MSTIC) refers to as FoggyWeb. NOBELIUM uses FoggyWeb to remotely exfiltrate the configuration database of compromised AD FS servers, decrypted token-signing certificate, and token-decryption certificate, as well as to download and execute additional components.
The post FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor appeared first on Microsoft Security Blog. READ MORE HERE…
A new approach for malware classification combines deep learning with fuzzy hashing. Fuzzy hashes identify similarities among malicious files and a deep learning methodology inspired by natural language processing (NLP) better identifies similarities that actually matter, improving detection quality and scale of deployment.
The post Combing through the fuzz: Using fuzzy hashing and deep learning to counter malware detection evasion techniques appeared first on Microsoft Security Blog. READ MORE HERE…
In this blog, we highlight four tools representing a unique infection chain utilized by NOBELIUM: EnvyScout, BoomBox, NativeZone, and VaporRage. These tools have been observed being used in the wild as early as February 2021 attempting to gain a foothold on a variety of sensitive diplomatic and government entities.
The post Breaking down NOBELIUM’s latest early-stage toolset appeared first on Microsoft Security. READ MORE HERE…
Microsoft Threat Intelligence Center (MSTIC) has uncovered a wide-scale malicious email campaign operated by NOBELIUM, the threat actor behind the attacks against SolarWinds, the SUNBURST backdoor, TEARDROP malware, GoldMax malware, and other related components. The campaign, initially observed and tracked by Microsoft since January 2021, evolved over a series of waves demonstrating significant experimentation.
The post New sophisticated email-based attack from NOBELIUM appeared first on Microsoft Security. READ MORE HERE…
Microsoft has identified three new pieces of malware being used in late-stage activity by NOBELIUM – the actor behind the SolarWinds attacks, SUNBURST, and TEARDROP.
The post GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence appeared first on Microsoft Security. READ MORE HERE…