Microsoft finds company behind Subzero malware

Microsoft’s security research teams have detailed the modus operandi and economic model of an Austrian company behind the Subzero malware. Several Windows zero-day flaws have been exploited, including the recently patched CVE-2022-22047.

Subzero isn’t just the ninja fighter from the video game Mortal Kombat. It is also the name of a sophisticated malware with extensive capabilities. Recently, security research teams from the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) detailed the methods and techniques used by the actor behind it, tracked as Knotweed. The Redmond firm explains that the actor who created the Subzero malware is a private Austrian company named DSIRF, not an attacker group or cybergang, which generally has no storefront and does not expose itself on the Internet.

This “company” sells hacking tools either as a service, providing a complete end-to-end tool including subscription and support, or in hack-for-hire mode, where a client hands data on a targeted victim to the group so that the latter acts on the client’s behalf. “Based on observed attacks and news reports, MSTIC believes Knotweed may mix these models: they sell Subzero malware to third parties – including Russia, according to some sources – but their infrastructure is also used in some attacks suggesting a more direct involvement,” Microsoft explains in a blog post.

Microsoft security researchers have sounded the alarm because the danger of this malware is particularly high, as is the reach of the attackers. Several exploited flaws identified by the vendor, including CVE-2022-22047, fixed in the July 2022 Patch Tuesday, are used to carry out this type of attack, so it is more urgent than ever to update systems. Two earlier Windows privilege escalation exploits were also used (CVE-2021-31199 and CVE-2021-31201) alongside another in Adobe Reader (CVE-2021-28550). All three were fixed in June 2021. Knotweed has also been linked to the use of a fourth zero-day (CVE-2021-36948) to force the Windows Update Medic service to load a corrupt DLL. “In addition to exploit chains, another access method that led to the deployment of Subzero was an Excel file masquerading as a real estate document. The file contained a malicious macro that was masked by prominent Kama Sutra benign comment lines, string obfuscation, and the use of Excel 4.0 macros,” Microsoft warns.

Elaborate Malicious Capabilities

Subzero’s primary payload, Corelump (loaded by Jumplump), resides exclusively in memory to evade detection. It contains a variety of features, including keylogging, screen capture, file exfiltration, remote shell execution, and execution of arbitrary plugins downloaded from the command and control server. “Corelump also modifies the PE header fields to accommodate malicious changes, such as adding new exported functions, disabling Control Flow Guard, and changing the image file checksum with a value calculated from CheckSumMappedFile. These trojanized binaries (Jumplump) are dropped to disk in C:\Windows\System32\spool\drivers\color, and COM registry keys are modified for persistence (see the Behaviors section for more information on COM hijacking),” Microsoft continues.

On Subzero victims, various post-compromise actions have been observed, including setting UseLogonCredential to “1” to enable plaintext credentials, credential dumping via comsvcs.dll (rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump), attempting to access emails with dumped credentials from a Knotweed IP address, using curl to download Knotweed tools from public file shares such as vultrobjects[.]com, or running PowerShell scripts directly from a GitHub gist created by an account associated with DSIRF.

Mitigation measures to adopt urgently

Microsoft has listed several actions to be taken quickly to guard against this type of exploit and Subzero. First of all, prioritize the deployment of the CVE-2022-22047 fix, check and update antivirus products including Defender (security intelligence version 1.371.503.0 or later), and adjust the Excel macro security settings to control which macros are executed and under what circumstances when a spreadsheet is opened. “Customers can also stop malicious XLM or VBA macros by ensuring that Antimalware Scanning Interface (AMSI) runtime macro scanning is enabled,” the vendor recommends. “This feature, enabled by default, is enabled if the Group Policy setting for Macro runtime scanning scope is set to Enable for all files or Enable for low-trust files.”
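A read-only PowerShell check for the post-compromise indicators described above (the WDigest UseLogonCredential setting and the Jumplump drop folder) and for the Defender version and macro-scanning policy in the mitigation list. This is an added example, not code from the article or from Microsoft; the Office 16.0 policy path and the “signed by Microsoft” heuristic for the spool color folder are assumptions, and the script must run elevated to read HKLM.

```powershell
# Added example: host checks tied to the Knotweed/Subzero indicators and mitigations
# named in the article. Assumes Windows 10/11 with Defender and Office 16.x policies.
$findings = @()

# 1. WDigest plaintext credential caching (attackers set UseLogonCredential to 1)
$wdigest = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$ulc = (Get-ItemProperty -Path $wdigest -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
if ($ulc -eq 1) { $findings += 'WDigest UseLogonCredential=1: plaintext credentials are cached in LSASS' }

# 2. Jumplump drop location: the spool color folder normally holds colour profiles,
#    so any DLL/EXE there, or one not validly signed by Microsoft, deserves a look.
$colorDir = Join-Path $env:SystemRoot 'System32\spool\drivers\color'
Get-ChildItem -Path $colorDir -Include *.dll, *.exe -Recurse -ErrorAction SilentlyContinue |
  ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
      $findings += "Unexpected binary in spool color folder: $($_.FullName) (signature: $($sig.Status))"
    }
  }

# 3. Defender security intelligence version quoted in the article
$minSig = [version]'1.371.503.0'
$status = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($null -eq $status) {
  $findings += 'Defender status unavailable (service stopped or not installed)'
} elseif ([version]$status.AntivirusSignatureVersion -lt $minSig) {
  $findings += "Defender signatures $($status.AntivirusSignatureVersion) are older than $minSig"
}

# 4. AMSI macro runtime scanning scope policy: 0 = disabled, 1 = low-trust files, 2 = all files.
#    When the value is absent the Office default (scan low-trust files) applies.
$officePol = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Common\Security'
$scope = (Get-ItemProperty -Path $officePol -Name MacroRuntimeScanScope -ErrorAction SilentlyContinue).MacroRuntimeScanScope
if ($scope -eq 0) { $findings += 'MacroRuntimeScanScope=0: AMSI macro runtime scanning disabled by policy' }
elseif ($null -eq $scope) { $findings += 'MacroRuntimeScanScope not enforced by policy; Office default applies' }

if ($findings.Count -eq 0) { Write-Output 'No findings.' }
else { $findings | ForEach-Object { Write-Output "[!] $_" } }
```

A finding on item 1 or 2 is an investigation trigger, not proof of compromise; confirm against the Microsoft indicators before acting.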

Other highly recommended measures include enabling Multi-Factor Authentication (MFA) to mitigate potentially compromised credentials and ensuring it is enforced for all remote connectivity. “Review all authentication activity for the remote access infrastructure, with particular emphasis on accounts configured with single-factor authentication, to confirm authenticity and investigate any anomalous activity,” Microsoft adds.

The vendor has also published the indicators of compromise (SHA-256 file hashes and C2 domains) linked to this attack vector and therefore recommends that companies scan their environments for any trace of them.

