In its fight against spyware, Microsoft no longer bothers to keep up appearances. The software publisher posted a blog entry yesterday condemning the actions of a “PSOA”, an acronym for “Private Sector Offensive Actor”, a term that translates as private sector attacker.
The company gave the group the codename Knotweed, but did not stop at a simple codename: it also published the name of the company behind it, DSIRF, an Austrian firm that presents itself on its website as offering red teaming capabilities and due diligence for multinational companies in technology, finance, retail and energy.
In Microsoft’s eyes, this company belongs in the category of “cyber mercenaries”, alongside companies such as NSO or Candiru. Unlike those, however, DSIRF does not merely resell malware to its customers but also directly takes charge of infiltrating specific targets.
Zero-day vulnerabilities in the arsenal
Microsoft points out in a blog post that it has identified several attacks spanning 2021 to 2022 using malware dubbed Subzero. It comes in the form of modular malware that resides only in the device’s RAM to limit the risk of detection. “It contains many features, including keylogging, screenshots, file exfiltration, remote shell execution, and execution of arbitrary plugins downloaded from the C2 KNOTWEED server,” explains Microsoft.
To successfully run this malware on target devices, Knotweed (or DSIRF) used several vulnerabilities to infiltrate Windows systems. In 2021, Microsoft discovered two Windows privilege escalation vulnerabilities (CVE-2021-31199 and CVE-2021-31201) and one Adobe Reader vulnerability (CVE-2021-28550) that were used together to infect a target with Subzero software.
Microsoft indicates that these vulnerabilities were fixed by its teams in a patch released in June 2021. In 2022, however, Knotweed returned to the attack, this time exploiting another privilege escalation vulnerability in Windows (CVE-2022-22047) together with a vulnerability in Adobe Reader that Microsoft has not been able to officially identify.
In other attacks, Microsoft also identified booby-trapped Excel documents that installed the Subzero malware if the user enabled macros. Once a device was infected, the attackers behind the intrusion attempted to recover the passwords stored on the machine and gain access to emails containing possible logins and passwords.
Microsoft was able to identify the company behind these attacks based on a number of clues collected by its security teams and by experts at RiskIQ. Starting from the domain name used by the command and control server in one of the attacks analysed by Microsoft’s security team, RiskIQ was able to identify multiple IP addresses used by the same group based on “recurring patterns in the use of SSL certificates and other network footprints.”
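The infrastructure pivot described above, as an added illustration that is not part of the article and not RiskIQ's or Microsoft's tooling: starting from one known command and control hostname, an analyst expands to related hosts and IP addresses only through attributes the operator controls (the served certificate's fingerprint and, more weakly, its subject name), never through a bare shared IP, which would drag in unrelated tenants on the same hosting provider. All hostnames, IPs and fingerprints below are constructed sample data.

```python
"""Pivot from a seed C2 hostname to related infrastructure via recurring
TLS certificate attributes.  Added example with constructed data; the
hostnames, IPs and fingerprints are not real indicators."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class Observation(NamedTuple):
    host: str        # hostname seen resolving to / served from the IP
    ip: str          # IP address that served the certificate
    cert_sha1: str   # fingerprint of the served certificate (truncated, constructed)
    subject_cn: str  # certificate subject common name


# Constructed passive-TLS observations.  Note that 203.0.113.10 also hosts an
# unrelated tenant (dd44), so pivoting on IP alone would be a false positive.
OBSERVATIONS: List[Observation] = [Observation(*row) for row in [
    ("seed-c2.example",        "203.0.113.10", "aa11", "CN=update-service"),
    ("cdn-mirror.example",     "203.0.113.10", "aa11", "CN=update-service"),
    ("metrics-node.example",   "198.51.100.7", "aa11", "CN=update-service"),
    ("dev-staging.example",    "198.51.100.7", "bb22", "CN=update-service"),
    ("build-test.example",     "192.0.2.44",   "bb22", "CN=update-service"),
    ("unrelated-shop.example", "192.0.2.99",   "cc33", "CN=shop-front"),
    ("shared-host.example",    "203.0.113.10", "dd44", "CN=other-tenant"),
]]


def pivot(seed_host: str, observations: List[Observation],
          pivot_on_subject: bool = True) -> Dict[str, Set[str]]:
    """Return {hostname: evidence labels} for every host reachable from the
    seed through shared certificate fingerprints and, optionally, shared
    certificate subject names.  Raw IP co-location is deliberately not a pivot."""
    by_fp: Dict[str, List[Observation]] = defaultdict(list)
    by_cn: Dict[str, List[Observation]] = defaultdict(list)
    for ob in observations:
        by_fp[ob.cert_sha1].append(ob)
        by_cn[ob.subject_cn].append(ob)

    evidence: Dict[str, Set[str]] = defaultdict(set)
    evidence[seed_host].add("seed")
    frontier = [ob for ob in observations if ob.host == seed_host]
    seen_fp: Set[str] = set()
    seen_cn: Set[str] = set()

    # Breadth-first expansion; each pivot key is expanded at most once,
    # so the loop terminates even on densely connected data.
    while frontier:
        ob = frontier.pop()
        pivots = [("cert:" + ob.cert_sha1, by_fp[ob.cert_sha1], seen_fp, ob.cert_sha1)]
        if pivot_on_subject:
            pivots.append(("cn:" + ob.subject_cn, by_cn[ob.subject_cn], seen_cn, ob.subject_cn))
        for label, related, seen, key in pivots:
            if key in seen:
                continue
            seen.add(key)
            for other in related:
                evidence[other.host].add(label)
                frontier.append(other)
    return dict(evidence)


def related_ips(seed_host: str, observations: List[Observation],
                pivot_on_subject: bool = True) -> List[str]:
    """IP addresses that served a certificate tied to the pivoted host set."""
    hosts = pivot(seed_host, observations, pivot_on_subject)
    return sorted({ob.ip for ob in observations if ob.host in hosts})


if __name__ == "__main__":
    for host, why in sorted(pivot("seed-c2.example", OBSERVATIONS).items()):
        print(f"{host:25s} {sorted(why)}")
    print("related IPs:", related_ips("seed-c2.example", OBSERVATIONS))
```

The subject-name pivot is the weaker of the two and should be disabled (`pivot_on_subject=False`) when the subject is generic, for example a default common name stamped by a hosting panel; the evidence labels returned per host let the analyst see which link brought each host into the cluster and discard the weak ones.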
Analysts were able to discover several domain names used by DSIRF to test and develop Subzero malware. The clues are consistent with articles from Intelligence Online, Focus Online and Netzpolitik.de that have already reported a link between DSIRF and the Subzero malware.