The threat actor behind the SolarWinds supply chain attack has been linked to another piece of malware that could be used to maintain access to compromised environments. This new post-exploitation malware is “highly targeted,” meaning it likely won’t impact many people.
MagicWeb, dubbed such by Microsoft’s threat intelligence teams, reiterates Nobelium’s commitment to improving its purpose-built capabilities.
What tech giants call Nobelium is a cluster of activities first seen in the December 2020 SolarWinds attack. This group overlaps with the Russian nation-state hacking group widely known as APT29, Cozy Bear, or The Dukes.
“Today, we’re sharing new information about a piece of malware used by the Nobelium actors in recent attacks. We call this malware MagicWeb,” wrote Kent Alexander and Paul Yung, Microsoft’s security leaders.
“This malware is designed for post-compromise activity. It allows an attacker to maintain persistence on a system while hiding their activity, making it harder for defenders to spot malicious behaviour. MagicWeb also allows attackers to survey a system for information of interest and exfiltrate that data.”
According to Microsoft, the malware is “highly targeted,” which means it’s not likely that many people will be impacted by it. The company has only seen a “limited number” of infections.
However, the fact that this malware exists at all is concerning. It means that the group behind the SolarWinds attack continues to evolve and find new ways to exploit systems.
Microsoft has not seen any indication that MagicWeb is part of the initial compromise vector in the recent attacks. Instead, it appears to be a post-compromise tool, meaning that the attackers have already gained access to a system before using MagicWeb.
This is a developing story, and Microsoft will continue to share information as it becomes available. In the meantime, we recommend that you take steps to protect your systems and data.