Microsoft Discovers Austrian Company Exploiting Windows and Adobe Zero-Day Exploits


A cybermercenary who “ostensibly sold general security and information analysis services to commercial customers” used multiple Windows and Adobe zero-day exploits in limited and highly targeted attacks against European and Central American entities.

The company, which Microsoft describes as a Private Sector Offensive Actor (PSOA), is an Austrian firm called DSIRF that is linked to the development and attempted sale of a cyberweapon called Subzero, which can be used to hack into targets’ phones, computers and internet-connected devices.

“Victims observed to date include law firms, banks and strategic consultants in countries including Austria, the UK and Panama,” the tech giant’s cybersecurity teams said in a report released Wednesday.

Microsoft is tracking the actor as KNOTWEED, continuing its practice of naming PSOAs after trees and shrubs. The company previously designated Israeli spyware vendor Candiru as SOURGUM.

KNOTWEED is known to engage in both access-as-a-service and hack-for-hire operations, offering its toolset to third parties and directly partnering in some attacks.

While the former involves selling end-to-end hacking tools that can be used by the buyer in their own operations without the involvement of the offensive actor, hack-for-hire groups handle targeted operations on behalf of their clients.

Subzero deployments exploited a number of issues, including an attack chain that abused a previously unknown Adobe Reader remote code execution (RCE) flaw and a zero-day elevation of privilege bug (CVE-2022-22047); the latter was addressed by Microsoft as part of its July Patch Tuesday updates.

“The exploits were bundled into a PDF document that was emailed to the victim,” Microsoft explained. “CVE-2022-22047 was used in KNOTWEED-related attacks for elevation of privilege. The vulnerability also allowed for sandbox evasion and system-level code execution.”

Similar attack chains seen in 2021 leveraged a combination of two Windows privilege escalation exploits (CVE-2021-31199 and CVE-2021-31201) in conjunction with an Adobe Reader flaw (CVE-2021-28550). All three vulnerabilities were resolved in June 2021.

Subzero was then deployed via a fourth exploit, this time taking advantage of a privilege escalation vulnerability in the Windows Update Medic service (CVE-2021-36948), which Microsoft fixed in August 2021.

Beyond these exploit chains, Excel files masquerading as real estate documents were also used as a conduit to spread the malware, with the files containing Excel 4.0 macros designed to initiate the infection process.

Regardless of the method employed, the intrusions result in the execution of shellcode, which retrieves a second-stage payload called Corelump from a remote server in the form of a JPEG image. The image also embeds a loader named Jumplump, which in turn loads Corelump into memory.
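The delivery described above, a second-stage payload fetched as a JPEG that also carries a loader, is a pattern defenders can triage cheaply: a genuine image has nothing after its End-of-Image marker and no PE header anywhere in it. The following is an added example, not code from Microsoft's report or from the KNOTWEED toolset; it walks the JPEG marker structure, reports how many bytes trail the EOI marker, and looks for `MZ` stubs whose `e_lfanew` field points at a valid `PE\0\0` signature. The sample image and the fake PE blob are constructed fixtures (the image is marker-structurally valid but not a decodable picture). It is a heuristic only: a payload that is encrypted or stored before the EOI marker would pass both checks.

```python
import struct

# Standalone JPEG markers that carry no length field: RST0..RST7 and TEM.
_STANDALONE = set(range(0xD0, 0xD8)) | {0x01}


def jpeg_trailing_bytes(data: bytes) -> int:
    """Walk JPEG segments and return the number of bytes after the EOI marker.

    Raises ValueError if the input is not marker-structurally valid JPEG.
    Entropy-coded data after each SOS is skipped until the next real marker
    (0xFF followed by anything other than 0x00 or an RSTn byte).
    """
    if not data.startswith(b"\xff\xd8"):
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                       # EOI: everything after it is trailing data
            return len(data) - (pos + 2)
        if marker == 0xFF:                       # fill byte before a marker
            pos += 1
            continue
        if marker in _STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        seg_len = struct.unpack_from(">H", data, pos + 2)[0]
        pos += 2 + seg_len
        if marker == 0xDA:                       # SOS: skip entropy-coded scan data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def find_pe_offsets(data: bytes) -> list:
    """Return offsets of 'MZ' stubs whose e_lfanew points at a 'PE\\0\\0' signature."""
    offsets = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            if pe_off + 4 <= len(data) and data[pe_off:pe_off + 4] == b"PE\x00\x00":
                offsets.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return offsets


def analyze_jpeg(data: bytes) -> dict:
    """Combine both heuristics into one verdict for an image blob."""
    trailing = jpeg_trailing_bytes(data)
    pe = find_pe_offsets(data)
    return {"trailing_bytes": trailing, "pe_offsets": pe,
            "suspicious": trailing > 0 or bool(pe)}


# --- constructed fixtures (not real samples) ---------------------------------

def build_minimal_jpeg(entropy: bytes = b"\x12\x34\xff\x00\x56") -> bytes:
    """SOI + APP0 + SOS + a few stuffed entropy bytes + EOI; valid markers, not a real picture."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos_hdr = b"\x01\x01\x00\x00\x3f\x00"       # 1 component, Ss=0, Se=63 (constructed)
    return (b"\xff\xd8"
            + b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
            + b"\xff\xda" + struct.pack(">H", len(sos_hdr) + 2) + sos_hdr
            + entropy
            + b"\xff\xd9")


def build_fake_pe(size: int = 0x80) -> bytes:
    """Zero-filled blob with an MZ stub pointing at a PE signature; not executable."""
    blob = bytearray(size)
    blob[0:2] = b"MZ"
    struct.pack_into("<I", blob, 0x3C, 0x40)    # e_lfanew -> 0x40
    blob[0x40:0x44] = b"PE\x00\x00"
    return bytes(blob)


if __name__ == "__main__":
    clean = build_minimal_jpeg()
    print("clean image:", analyze_jpeg(clean))
    print("image + appended PE:", analyze_jpeg(clean + build_fake_pe()))
```

Run against a directory of images pulled from proxy or mail logs, the `suspicious` flag is a cheap first filter; anything flagged should go to a sandbox or a proper PE parser rather than being treated as a confirmed implant.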

The evasive implant comes with a wide range of features, including keylogging, capturing screenshots, file exfiltration, running a remote shell, and running arbitrary plugins downloaded from the remote server.

Bespoke utilities were also deployed during the attacks, such as Mex, a command-line tool for running open-source security software like Chisel, and PassLib, a tool for dumping credentials from web browsers, mail clients and Windows Credential Manager.

Microsoft said it discovered that KNOTWEED has been actively serving malware since February 2020 through infrastructure hosted on DigitalOcean and Choopa, in addition to identifying subdomains used for malware development, Mex debugging, and staging of the Subzero payload.

Multiple links were also discovered between DSIRF and the malicious tools used in the KNOTWEED attacks.

“These include the command and control infrastructure used by the malware directly linked to DSIRF, a GitHub account associated with DSIRF used in an attack, a code signing certificate issued to DSIRF used to sign an exploit, and other open-source news reports attributing Subzero to DSIRF,” Redmond noted.

Subzero is no different from standard malware such as Pegasus, Predator, Hermit, and DevilsTongue, which are capable of infiltrating phones and Windows machines to remotely control devices and siphon data, sometimes without requiring the user to click on a malicious link.

If anything, the latest findings highlight a growing international market for these sophisticated surveillance technologies to carry out targeted attacks against members of civil society.

Although companies that sell commercial spyware advertise their products as a means of combating serious crime, the evidence gathered so far has revealed several cases of misuse of these tools by authoritarian governments and private organizations to spy on human rights defenders, journalists, dissidents and politicians.

Google’s Threat Analysis Group (TAG), which tracks more than 30 vendors that offer exploits or surveillance capabilities to state-sponsored actors, said the burgeoning ecosystem highlights “the extent to which commercial surveillance providers have proliferated capabilities historically used only by governments.”

“These vendors operate with deep technical expertise to develop and operationalize exploits,” TAG’s Shane Huntley said in testimony before the US House Intelligence Committee on Wednesday, adding that “its use is growing, fueled by demand from governments.”
