Researchers at Microsoft have found a threat group called Knotweed that’s targeting European and Central American organisations using a malware called Subzero. Microsoft has also linked Knotweed to an Austrian spyware vendor that operates as a cyber mercenary company named DSIRF.
Subzero uses multiple Windows and Adobe zero-day exploits in these attacks, including the recently patched CVE-2022-22047. The July 2022 security updates from Microsoft prevent exploitation of that vulnerability, and Microsoft Defender and Microsoft Defender for Endpoint have also implemented detections against Knotweed’s malware and tools.
Like other spyware vendors, DSIRF markets itself as an information research, forensics and data-driven intelligence services company. However, its customers use DSIRF’s internally developed Subzero malware to hack phones, computers and other internet-connected devices.
Knotweed targets include law firms, banks and strategic consultancy organisations worldwide, including in Austria, the UK and Panama. Microsoft’s Threat Intelligence Center (MSTIC) also discovered multiple links between DSIRF and the tools used in Knotweed attacks.
These links include command-and-control infrastructure used by the malware that links directly to DSIRF, a DSIRF-associated GitHub account that was used in one attack, a code signing certificate issued to DSIRF that was used to sign an exploit, and other open-source news reports linking the two.
Additionally, threat intelligence firm RiskIQ found that the infrastructure serving the Subzero malware has been active since February 2020. The infrastructure includes DSIRF’s official website and domains (likely used to test, debug and stage the malware).
Subzero is capable of keylogging, screenshots and data exfiltration
Initial compromise begins when shellcode is executed on the target device, delivered either by an exploit chain or by malicious Excel documents. The shellcode downloads a JPEG image that carries extra encrypted data at the end of the file and writes it to the user’s %TEMP% directory.
The shellcode then deploys Corelump, the primary payload, and Jumplump, a malware loader that loads Corelump into system memory from the malicious JPEG file. Corelump runs exclusively from system memory to avoid detection.
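A triage sketch for the staging step described above, added here as an example and not taken from Microsoft's report or any vendor tooling: it walks the JPEG marker structure to find the true end-of-image marker (a plain search for FF D9 stops early at an embedded thumbnail), then measures the size and entropy of whatever follows. The function names, the thresholds and the sample bytes are assumptions constructed for illustration.

```python
import hashlib, math
from collections import Counter

def jpeg_trailing_data(buf: bytes) -> bytes:
    """Walk JPEG markers from SOI and return whatever follows the real EOI."""
    if buf[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(buf):
        if buf[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = buf[pos + 1]
        if marker == 0xFF:                      # fill byte, the marker follows
            pos += 1
            continue
        pos += 2
        if marker == 0xD9:                      # EOI: the rest is trailing data
            return buf[pos:]
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:
            continue                            # TEM/RSTn carry no length field
        seglen = int.from_bytes(buf[pos:pos + 2], "big")
        if seglen < 2:                          # also true when the field is cut off
            raise ValueError(f"bad segment length at offset {pos}")
        pos += seglen                           # skips APPn payloads, thumbnails included
        if marker == 0xDA:                      # SOS: skip entropy-coded scan data
            while pos + 1 < len(buf) and (buf[pos] != 0xFF or buf[pos + 1] == 0x00
                                          or 0xD0 <= buf[pos + 1] <= 0xD7):
                pos += 1
    raise ValueError("truncated JPEG: no EOI marker")

def shannon_entropy(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def triage(buf: bytes, min_len: int = 256, min_entropy: float = 7.0) -> dict:
    tail = jpeg_trailing_data(buf)              # thresholds are assumptions; tune them
    ent = shannon_entropy(tail)
    return {"trailing_bytes": len(tail), "entropy": round(ent, 2),
            "suspicious": len(tail) >= min_len and ent >= min_entropy}

def constructed_sample(tail: bytes = b"") -> bytes:
    """Constructed, structurally minimal JPEG (not renderable) plus optional tail."""
    thumb = b"\xff\xd8\xff\xd9"                 # embedded thumbnail with its own EOI
    app1 = b"\xff\xe1" + (2 + len(thumb)).to_bytes(2, "big") + thumb
    scan = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\xff\x00\x34\xff\xd0\x56"
    return b"\xff\xd8" + app1 + scan + b"\xff\xd9" + tail

FAKE_TAIL = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # constructed
if __name__ == "__main__":
    print(triage(constructed_sample()), triage(constructed_sample(FAKE_TAIL)))
```

Plenty of legitimate images carry trailing bytes, so a hit is a lead to correlate with the process that wrote the file into %TEMP%, not a verdict on its own.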
Microsoft observed the following actions on computers infected with Knotweed malware:
- Credential dumping via comsvcs.dll.
- Setting UseLogonCredential to ‘1’ (to enable plaintext credentials).
- Running PowerShell scripts fetched from a GitHub account linked to DSIRF.
- Using Curl to download Knotweed tools from public file sharing services.
- Attempting to access emails using dumped credentials coming from a Knotweed IP address.
In addition to CVE-2022-22047, Knotweed used an exploit chain in 2021 that combined two Windows privilege escalation exploits, namely CVE-2021-31199 and CVE-2021-31201, with an Adobe Reader exploit (CVE-2021-28550). All of these vulnerabilities were patched by June 2021. The group has also been found exploiting CVE-2021-36948, another privilege escalation flaw in Windows.
Microsoft recommends updating Microsoft Defender to update 1.371.503.0 or later to detect the related indicators, changing Excel macro settings to control which macros run and under what circumstances, and enabling multi-factor authentication to mitigate potentially compromised devices.