The Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) researchers linked a threat group known as Knotweed to an Austrian surveillance firm named DSIRF, known for using multiple Windows and Adobe zero-day exploits. The group targets entities in Europe and Central America with a surveillance tool dubbed Subzero.
The DSIRF website states the provide services “to multinational corporations in the technology, retail, energy and financial sectors” and that they have “a set of highly sophisticated techniques in gathering and analyzing information.” They publicly offer several services including “an enhanced due diligence and risk analysis process through providing a deep understanding of individuals and entities” and “highly sophisticated Red Teams to challenge your company’s most critical assets.”
Microsoft states that multiple news reports have linked the company to the Subzero malware toolset used to hack a broad range of devices, phones, computers, and network and internet-connected devices.
The researchers found evidence that links DSIRF to the Knotweed’s operation, including the C2 infrastructure used by Subzero, and code signing certificate issued to DSIRF that is used to sign an exploit.
Microsoft reported Subzero attacks against Microsoft customers in Austria, the United Kingdom, and Panama. The targeted entities are law firms, banks, and strategic consultancies.
MSTIC states that the KNOTWEED’s Subzero malware was deployed in multiple ways, the IT giant referred the different stages of Subzero malware as Jumplump for the persistent loader and Corelump for the main malware.
Once compromised the system, threat actors drop the Corelump downloader and inject it directly in memory to evade detection. It supports multiple features, including keylogging, capturing screenshots, exfiltrating files, running a remote shell, and running arbitrary plugins downloaded from KNOTWEED’s C2 server.
Microsoft researchers observed a variety of post-compromise actions on infected systems:
Researchers from threat intelligence firm RiskIQ, using passive DNS data related to Knotweed attacks, linked the C2 infrastructure used by the malware since February 2020 to DSIRF.
One of the zero-day exploits used in Knotweed attacks was triggering the recently patched CVE-2022-22047 issue. The attackers used this exploit to escalate privileges, escape sandboxes, and gain system-level code execution on the vulnerable system.
“In 2021, MSRC received a report of two Windows privilege escalation exploits (CVE-2021-31199 and CVE-2021-31201) being used in conjunction with an Adobe Reader exploit (CVE-2021-28550), all of which were patched in June 2021. MSTIC was able to confirm the use of these in an exploit chain used to deploy Subzero.” reads the report. £We were later able to link the deployment of Subzero to a fourth exploit, one related to a Windows privilege escalation vulnerability in the Windows Update Medic Service (CVE-2021-36948), which allowed an attacker to force the service to load an arbitrary signed DLL. The malicious DLL used in the attacks was signed by ‘DSIRF GmbH’.”
Below is the list of recommendations published by Microsoft for its customers to prevent Subzero infections:
“Microsoft will continue to monitor KNOTWEED activity and implement protections for our customers. The current detections and IOCs detailed below are in place and protecting Microsoft customers across our security products. Additional advanced hunting queries are also provided below to help organizations extend their protections and investigations of these attacks.” concludes Microsoft.
|[adrotate banner=”9″]||[adrotate banner=”12″]|
(SecurityAffairs – hacking, Subzero malware)