In its fight against spyware, Microsoft no longer bothers to keep up appearances. The company published a blog post yesterday denouncing the actions of a “PSOA”, acronym for “Private Sector Offensive Actor”, that is, a malicious actor from the private sector.
The company dubbed the group Knotweed, but does not limit itself to a simple code name and also publishes the name of the company: DSIRF, an Austrian company which presents itself on its website as a company offering red teaming capabilities and due diligence for multinational companies in the technology, finance, retail and energy sectors.
In Microsoft's eyes, this company is better classified among the “cyber-mercenaries” such as NSO or Candiru. Unlike the latter, however, DSIRF reportedly does not merely resell malware to its customers but also takes direct charge of infiltrating certain targets.
Zero-day vulnerabilities in the arsenal
Microsoft indicates in its blog that it has identified several attacks, extending from 2021 to 2022, involving the use of malware dubbed Subzero. This comes in the form of modular malware, residing only in the RAM of the device in order to limit the risk of detection. “It contains a variety of features, including keylogging, screenshots, file exfiltration, remote shell execution, and execution of arbitrary plugins downloaded from the C2 server of KNOTWEED,” Microsoft explains.
To successfully execute this malware on the targeted devices, Knotweed (or DSIRF) used several vulnerabilities to infiltrate Windows systems. In 2021, Microsoft identified two elevation of privilege vulnerabilities in Windows (CVE-2021-31199 and CVE-2021-31201) and one vulnerability in Adobe Reader (CVE-2021-28550), used in conjunction to infect a target with Subzero software.
Microsoft indicates that these vulnerabilities were fixed by its teams in a patch released in June 2021. In 2022, Knotweed nevertheless struck again, this time exploiting another privilege elevation flaw in Windows (CVE-2022-22047) together with a further flaw in Adobe Reader that Microsoft was unable to formally identify.
In other attacks, Microsoft also identified booby-trapped Excel documents that could install Subzero malware if the user enabled macros. Once the devices were infected with the malware, the malicious actors behind the intrusion sought to recover the passwords saved on the machine and access the emails containing possible logins and passwords.
Microsoft managed to identify the company behind these attacks from a range of clues collected by its security teams and those of the company RiskIQ. Starting from the domain name used by a command-and-control server in one of the attacks analyzed by the Microsoft security team, RiskIQ identified several IP addresses used by the same group based on “recurring patterns in the use of SSL certificates and other network traces”.
The analysts also found several domain names used by DSIRF for the testing and development of the Subzero malware. These clues match articles from Intelligence Online, Focus Online and Netzpolitik.de, which had already reported a link between the company DSIRF and the Subzero malware.