Knotweed: Microsoft denounces the activities of an Austrian company

In its fight against spyware, Microsoft is no longer keeping up appearances. The company published a blog post yesterday denouncing the actions of a “PSOA”, short for “Private Sector Offensive Actor”, in other words a malicious actor from the private sector. Microsoft has dubbed the group Knotweed but does not stop at a code name: it also names the company behind it, DSIRF, an Austrian firm that presents itself on its website as offering red teaming and due diligence services to multinationals in the technology, finance, retail and energy sectors.

In Microsoft's eyes, this company belongs instead among the “cyber mercenaries” such as NSO or Candiru. Unlike those firms, however, DSIRF reportedly is not content to resell malicious software to its customers; it also directly handles the infiltration of certain targets.

Zero-day vulnerabilities in the arsenal

Microsoft states in its blog post that it has identified several attacks, spanning 2021 to 2022, involving malware dubbed Subzero. It is modular malware that resides only in the device's RAM in order to limit the risk of detection. “It contains a variety of features, including keylogging, screenshots, file exfiltration, remote shell execution, and execution of arbitrary plugins downloaded from the C2 server of KNOTWEED,” Microsoft explains.

To get this malware running on the targeted devices, Knotweed (or DSIRF) exploited several vulnerabilities to break into Windows systems. In 2021, Microsoft identified two elevation-of-privilege vulnerabilities in Windows (CVE-2021-31199 and CVE-2021-31201) and one vulnerability in Adobe Reader (CVE-2021-28550) that were chained together to infect a target with Subzero. Microsoft indicates that these vulnerabilities were fixed by its teams in a patch released in June 2021. In 2022, Knotweed nevertheless struck again, this time exploiting another privilege-escalation flaw in Windows (CVE-2022-22047) together with a further Adobe Reader flaw that Microsoft was unable to formally identify.

A body of clues

In other attacks, Microsoft also identified booby-trapped Excel documents that could install the Subzero malware if the user enabled macros. Once a device was infected, the actors behind the intrusion sought to recover the passwords saved on the machine and to access emails that might contain logins and passwords.

Microsoft managed to identify the company behind these attacks from a range of clues gathered by its own security teams and those of RiskIQ. Starting from the domain name used by a command-and-control server in one of the attacks analyzed by Microsoft's security team, RiskIQ identified several IP addresses used by the same group on the basis of “recurring patterns in the use of SSL certificates and other network traces”. From there, the analysts found several domain names used by DSIRF for the testing and development of the Subzero malware. These clues are consistent with articles from Intelligence Online and Focus Online that had already reported a link between DSIRF and the Subzero malware.
