A cyber mercenary that "ostensibly sold general security and information analysis services to commercial customers" used several Windows and Adobe zero-day exploits in limited and highly targeted attacks against European and Central American entities.
The company, which Microsoft describes as a Private Sector Offensive Actor (PSOA), is an Austria-based outfit called DSIRF that is linked to the development and attempted sale of a cyberweapon called Subzero, which can be used to hack into targets' phones, computers, and internet-connected devices.
"Victims observed to date include law firms, banks, and strategic consultancies in countries including Austria, the U.K., and Panama," the tech giant's cybersecurity teams said in a report published Wednesday.
Microsoft is tracking the actor as KNOTWEED, continuing its practice of naming PSOAs after trees and shrubs. The company previously assigned the name SOURGUM to the Israeli spyware vendor Candiru.
KNOTWEED is known to engage in both access-as-a-service and hack-for-hire operations, offering its toolset to third parties and directly partnering in some attacks.
While the former involves the sale of end-to-end hacking tools that the buyer can use in their own operations without the actor's involvement, hack-for-hire groups run targeted operations on behalf of their customers.
Subzero is said to have been deployed through the exploitation of several issues, including an exploit chain that combined an Adobe Reader remote code execution (RCE) flaw with a Windows privilege escalation zero-day (CVE-2022-22047), the latter of which Microsoft addressed as part of its July 2022 Patch Tuesday updates.
“CVE-2022-22047 has been used in KNOTWEED-related attacks for privilege escalation. The vulnerability also made it possible to evade sandboxes and execute system-level code,” Microsoft explained.
Similar attack chains observed in 2021 leveraged a combination of two Windows privilege escalation exploits (CVE-2021-31199 and CVE-2021-31201) together with an Adobe Reader flaw (CVE-2021-28550). All three vulnerabilities were resolved in June 2021.
Subzero was also deployed via a fourth exploit, this one targeting a privilege escalation vulnerability in the Windows Update Medic Service (CVE-2021-36948), which Microsoft patched in August 2021.
Beyond these exploit chains, Excel files masquerading as real estate documents were used to deliver the malware; the files contained Excel 4.0 (XLM) macros designed to kick off the infection process.
Regardless of the method employed, the intrusions culminate in the execution of shellcode that retrieves a second-stage payload called Corelump from a remote server in the form of a JPEG image. The image also embeds a loader named Jumplump, which in turn loads Corelump into memory.
The evasive implant comes with a wide range of features, including keylogging, capturing screenshots, exfiltrating files, running a remote shell, and executing arbitrary plugins downloaded from the remote server.
Bespoke utilities were also deployed during the attacks, including Mex, a command-line tool for running open-source security tools such as Chisel as plugins, and PassLib, a tool for dumping credentials from browsers, email clients, and the Windows Credential Manager.
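A payload that arrives as a JPEG but also carries a loader is a pattern worth checking for in proxy caches and download directories. The helper below is an added example, not code from Microsoft's report or from DSIRF tooling, and it assumes one common smuggling layout: the extra bytes are appended after the JPEG End-Of-Image marker (FF D9), so the file still renders. It walks the marker segments rather than searching for the first FF D9 byte pair, because a length-delimited segment such as a comment can legitimately contain that pair. The sample images, the "MZ" trailer and the entropy threshold are constructed for illustration.

```python
"""Flag JPEG files that carry extra bytes after the End-Of-Image (EOI) marker.

Hypothetical detection helper (added example). Assumption: a loader or payload
smuggled inside an image is appended after FF D9. Any other layout (e.g. data
hidden in APPn segments) would need a different check.
"""
import math
from typing import Optional

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
RST_MARKERS = set(range(0xD0, 0xD8))           # RST0..RST7: no length field
STANDALONE = {0x01, *RST_MARKERS}              # TEM plus RSTn


def find_eoi(data: bytes) -> Optional[int]:
    """Return the offset just past the real EOI marker, or None if malformed.

    Walks segment headers and skips entropy-coded scan data, so an FF D9 pair
    inside a comment or other length-delimited segment is not mistaken for EOI.
    """
    if len(data) < 4 or data[0] != 0xFF or data[1] != SOI:
        return None
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            return None                        # lost sync: not at a marker
        marker = data[pos + 1]
        if marker == 0xFF:                     # fill byte before a marker
            pos += 1
            continue
        if marker == EOI:
            return pos + 2
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")  # includes itself
        pos += 2 + seg_len
        if marker == SOS:
            # Entropy-coded data follows: 0xFF is always stuffed as FF 00 or is
            # a restart marker, so the first other FF xx pair is a real marker.
            while pos + 1 < len(data):
                if data[pos] == 0xFF and data[pos + 1] != 0x00 \
                        and data[pos + 1] not in RST_MARKERS:
                    break
                pos += 1
    return None


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte; packed or encrypted payloads sit near 8.0."""
    if not blob:
        return 0.0
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def extract_trailer(data: bytes) -> bytes:
    """Bytes after EOI (empty for a clean or unparseable file)."""
    end = find_eoi(data)
    return data[end:] if end is not None else b""


def inspect_jpeg(data: bytes) -> dict:
    end = find_eoi(data)
    trailer = extract_trailer(data)
    is_pe = trailer[:2] == b"MZ"
    entropy = shannon_entropy(trailer)
    return {
        "well_formed": end is not None,
        "eoi_offset": end,
        "trailing_bytes": len(trailer),
        "trailer_is_pe": is_pe,
        "trailer_entropy": round(entropy, 2),
        # thresholds are illustrative: a few padding bytes are common, a PE
        # header or a large high-entropy blob after EOI is not
        "suspicious": bool(trailer) and (is_pe or len(trailer) > 64 or entropy > 7.0),
    }


# Constructed sample: SOI, APP0 (JFIF), a COM segment containing a decoy FF D9,
# a minimal SOS header, scan data with a stuffed FF 00, then the real EOI.
CLEAN_JPEG = (
    b"\xff\xd8"
    + b"\xff\xe0" + (16).to_bytes(2, "big")
    + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xfe" + (6).to_bytes(2, "big") + b"\xff\xd9\x41\x42"
    + b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    + b"\x12\x34\xff\x00\x56\x78"
    + b"\xff\xd9"
)
# Constructed "smuggled" sample: same image with a fake PE blob appended.
SMUGGLED_JPEG = CLEAN_JPEG + b"MZ" + bytes(range(256))

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_JPEG), ("smuggled", SMUGGLED_JPEG)):
        print(name, inspect_jpeg(blob))
```

Note the difference from a naive `data.find(b"\xff\xd9")`: on the clean sample that lands inside the comment segment at offset 24, which would make every such image look like it had a trailer; the segment walk returns the real EOI at offset 46. In practice the trailer, when present, is what you hand to a sandbox or a PE parser.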
Microsoft said it discovered that KNOTWEED has been actively serving malware since February 2020 through infrastructure hosted on DigitalOcean and Choopa, in addition to identifying subdomains used for malware development, Mex debugging, and staging of the Subzero payload.
Multiple links were also discovered between DSIRF and the malicious tools used in the KNOTWEED attacks.
"These include command-and-control infrastructure used by the malware directly linking to DSIRF, a DSIRF-associated GitHub account being used in one attack, a code signing certificate issued to DSIRF being used to sign an exploit, and other open-source news reports attributing Subzero to DSIRF," Redmond noted.
Subzero is no different from off-the-shelf spyware such as Pegasus, Predator, Hermit, and DevilsTongue, which are capable of infiltrating phones and Windows machines to remotely control the devices and siphon off data, sometimes without requiring the user to click on a malicious link.
If anything, the latest findings highlight a growing international market for such sophisticated surveillance technologies to carry out targeted attacks against members of civil society.
Although companies that sell commercial spyware advertise their products as a means of combating serious crime, the evidence gathered so far has revealed several instances of these tools being misused by authoritarian governments and private organizations to spy on human rights defenders, journalists, dissidents, and politicians.
Google’s Threat Analysis Group (TAG), which tracks more than 30 vendors that offer exploits or surveillance capabilities to state-sponsored actors, said the burgeoning ecosystem highlights “the extent to which commercial surveillance providers have proliferated capabilities historically used only by governments.”
"These vendors have deep technical expertise to develop and operationalize exploits," TAG's Shane Huntley said in testimony before the U.S. House Intelligence Committee on Wednesday, adding that "its use is growing, fueled by demand from governments."