Microsoft Discovers Group That Was Using Previously Unknown Zero-Day Spyware to Target Windows

The Microsoft Threat Intelligence Center (MSTIC), together with the Microsoft Security Response Center (MSRC), published a blog post identifying and detailing malware and exploits used by an Austria-based group tracked under the name KNOTWEED.

According to the joint MSTIC and MSRC report, a private sector offensive actor (PSOA) used several Windows and Adobe zero-day exploits to develop and sell malware called Subzero, which was used to attack banks, consultancies, agencies and law firms in Europe and Central America.

In its technical blog post, which is also being submitted as written testimony to the US House Intelligence Committee this week, Microsoft details the actions of DSIRF, the official name of the company behind KNOTWEED.

Despite DSIRF’s claims of legitimacy as a multinational risk analysis firm that uses “a highly sophisticated set of techniques to collect and analyze information”, Microsoft has been monitoring and tagging the actor as a distributor of spyware intended for unauthorized surveillance.

Several news reports have linked DSIRF to the Subzero malware toolset, which took advantage of zero-day exploits in Windows and Adobe Reader in 2021 and 2022.

In May 2022, MSTIC discovered an Adobe Reader remote code execution (RCE) and 0-day Windows privilege escalation exploit chain used in an attack that led to the deployment of Subzero. The exploits were bundled into a PDF document that was emailed to the victim. Microsoft was unable to acquire the PDF or the Adobe Reader RCE portion of the exploit chain, but the victim’s version of Adobe Reader was released in January 2022, meaning the exploit used was either a one-day exploit developed between January and May or a 0-day exploit. Based on KNOTWEED’s extensive use of other 0-days, we rate the Adobe Reader RCE with medium confidence as a 0-day exploit. The Windows exploit was analyzed by MSRC, found to be a 0-day exploit, then patched in July 2022 as CVE-2022-22047. Interestingly, there were indications in the Windows exploit code that it was also designed to be used from Chromium-based browsers, although we saw no evidence of browser-based attacks.

Microsoft also details KNOTWEED exploits that involve Subzero disguising itself as an Excel file in real estate documents. “The file contained a malicious macro that was masked by large chunks of benign Kama Sutra commentary, string obfuscation, and the use of Excel 4.0 macros.”

Enable Excel macros

Fortunately, Microsoft has been able to put protections in place since identifying KNOTWEED, but it advises users to be on the lookout for other known and unknown malware behaviors, including examining directories such as C:\Windows\System32\spool\drivers\color, where legitimate programs are located and where the spyware was also found.

If digging through directories and the registry is too deep in the weeds for some, Microsoft also suggests more practical high-level options, such as prioritizing the fix for CVE-2022-22047 as soon as it reaches machines, ensuring Microsoft Defender Antivirus is up to date, tightening Excel macro security settings, enabling multi-factor authentication (MFA), and regularly reviewing authentication activity on remote access infrastructure.
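The directory check Microsoft recommends above can be turned into a quick hunting script. The following is an added example, not code from Microsoft's report; the directory path is the one named in the article, while the list of file extensions and the "signed by Microsoft" filter are assumptions chosen for this illustration.

```powershell
# Added example: list executable content in the spool colour directory named in
# the report and flag anything that is not validly signed by Microsoft.
# The directory path is from the article; the extension list and publisher
# filter are assumptions for this illustration.
$SuspectDir = 'C:\Windows\System32\spool\drivers\color'

# File types that have no business living in a colour-profile directory.
$ExecutableExtensions = @('.exe', '.dll', '.scr', '.ps1', '.vbs', '.js', '.bat', '.cmd')

function Get-SuspiciousSpoolFiles {
    param(
        [string]$Path = $SuspectDir,
        [string[]]$Extensions = $ExecutableExtensions
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Directory not found: $Path"
        return @()
    }

    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension } |
        ForEach-Object {
            # Authenticode check: an unsigned or non-Microsoft binary here deserves a closer look.
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            [pscustomobject]@{
                Path      = $_.FullName
                SizeBytes = $_.Length
                Created   = $_.CreationTimeUtc
                Modified  = $_.LastWriteTimeUtc
                Signature = $sig.Status
                Signer    = $signer
                SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        } |
        # Keep only files that are not validly signed by Microsoft; the hash lets
        # a responder compare hits against published indicators.
        Where-Object { $_.Signature -ne 'Valid' -or $_.Signer -notmatch 'O=Microsoft Corporation' }
}

Get-SuspiciousSpoolFiles | Format-Table -AutoSize
```

Run it from an elevated prompt; an empty result only means nothing matched this heuristic, and legitimately signed third-party colour tools will also show up and need to be reviewed by hand.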
