Skip to content

S0661 FoggyWeb

FoggyWeb is a passive and highly-targeted backdoor capable of remotely exfiltrating sensitive information from a compromised Active Directory Federated Services (AD FS) server. It has been used by APT29 since at least early April 2021.1

Item Value
ID S0661
Associated Names
Version 1.0
Created 16 November 2021
Last Modified 15 April 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols FoggyWeb has the ability to communicate with C2 servers over HTTP GET/POST requests.1
enterprise T1560 Archive Collected Data -
enterprise T1560.002 Archive via Library FoggyWeb can invoke the Common.Compress method to compress data with the C# GZipStream compression class.1
enterprise T1560.003 Archive via Custom Method FoggyWeb can use a dynamic XOR key and a custom XOR methodology to encode data before exfiltration. Also, FoggyWeb can encode C2 command output within a legitimate WebP file.1
enterprise T1005 Data from Local System FoggyWeb can retrieve configuration data from a compromised AD FS server.1
enterprise T1140 Deobfuscate/Decode Files or Information FoggyWeb can be decrypted in memory using a Lightweight Encryption Algorithm (LEA)-128 key and decoded using a XOR key.1
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography FoggyWeb has used a dynamic XOR key and custom XOR methodology for C2 communications.1
enterprise T1041 Exfiltration Over C2 Channel FoggyWeb can remotely exfiltrate sensitive information from a compromised AD FS server.1
enterprise T1083 File and Directory Discovery FoggyWeb‘s loader can check for the FoggyWeb backdoor .pri file on a compromised AD FS server.1
enterprise T1574 Hijack Execution Flow -
enterprise T1574.001 DLL Search Order Hijacking FoggyWeb‘s loader has used DLL Search Order Hijacking to load malicious code instead of the legitimate version.dll during the Microsoft.IdentityServer.ServiceHost.exe execution process.1
enterprise T1105 Ingress Tool Transfer FoggyWeb can receive additional malicious components from an actor controlled C2 server and execute them on a compromised AD FS server.1
enterprise T1036 Masquerading FoggyWeb can masquerade the output of C2 commands as a fake, but legitimately formatted WebP file.1
enterprise T1036.005 Match Legitimate Name or Location FoggyWeb can be disguised as a Visual Studio file such as Windows.Data.TimeZones.zh-PH.pri to evade detection. Also, FoggyWeb‘s loader can mimic a genuine dll file that carries out the same import functions as the legitimate Windows version.dll file.1
enterprise T1106 Native API FoggyWeb‘s loader can use API functions to load the FoggyWeb backdoor into the same Application Domain within which the legitimate AD FS managed code is executed.1
enterprise T1040 Network Sniffing FoggyWeb can configure custom listeners to passively monitor all incoming HTTP GET and POST requests sent to the AD FS server from the intranet/internet and intercept HTTP requests that match the custom URI patterns defined by the actor.1
enterprise T1027 Obfuscated Files or Information FoggyWeb has been XOR-encoded.1
enterprise T1027.004 Compile After Delivery FoggyWeb can compile and execute source code sent to the compromised AD FS server via a specific HTTP POST.1
enterprise T1057 Process Discovery FoggyWeb‘s loader can enumerate all Common Language Runtimes (CLRs) and running Application Domains in the compromised AD FS server’s Microsoft.IdentityServer.ServiceHost.exe process.1
enterprise T1620 Reflective Code Loading FoggyWeb‘s loader has reflectively loaded .NET-based assembly/payloads into memory.1
enterprise T1129 Shared Modules FoggyWeb‘s loader can call the load() function to load the FoggyWeb dll into an Application Domain on a compromised AD FS server.1
enterprise T1552 Unsecured Credentials -
enterprise T1552.004 Private Keys FoggyWeb can retrieve token signing certificates and token decryption certificates from a compromised AD FS server.1
enterprise T1550 Use Alternate Authentication Material FoggyWeb can allow abuse of a compromised AD FS server’s SAML token.1

Groups That Use This Software

ID Name References
G0016 APT29 1