Microsoft researchers have linked a threat group they track as Knotweed to DSIRF, an Austrian spyware vendor operating as a cyber mercenary. Knotweed is targeting European and Central American entities with the Subzero malware.

DSIRF attacks

Researchers from RiskIQ found that Knotweed's attack infrastructure, which has been serving malware since February 2020, is linked to DSIRF. The links include DSIRF's official website and domains likely used to debug and stage the malware.
  • DSIRF's own website advertises the company as a provider of information research, forensics, and data-driven intelligence services to corporations.
  • However, the company is also associated with the development of Subzero, which its customers can use to hack targets' phones, computers, networks, and internet-connected devices.

In addition, Microsoft found numerous links between DSIRF and Knotweed, such as shared C2 infrastructure. Observed victims include law firms, banks, and strategic consultancies in Panama, the U.K., and Austria.

Corelump and Subzero malware

  • On infected systems, the attackers deployed Jumplump, a loader that downloads Corelump and loads it into memory, and Corelump, the primary payload, which resides only in memory to evade detection.
  • Corelump carries the Subzero capabilities, which include keylogging, running remote shells, capturing screenshots, and downloading additional plugins from the C2 server.

Abuse of zero-day

  • Zero-days used in the Knotweed campaign include the Windows bug CVE-2022-22047, patched in July 2022, which let the attackers escalate privileges, escape sandboxes, and obtain system-level code execution.
  • In 2021, Knotweed used an exploit chain of two Windows privilege escalation exploits (CVE-2021-31199 and CVE-2021-31201) together with an Adobe Reader exploit (CVE-2021-28550).

What to do?

Microsoft recommends prioritizing patches for the exploited flaws and confirming that Microsoft Defender is updated so that it detects the related indicators. Use the published IOCs to scan the network and investigate any matches. It also suggests enabling MFA on remote access infrastructure and reviewing the authentication activity on it.
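The IOC sweep and authentication review recommended above, as an added example that is not Cyware's or Microsoft's code. Every indicator, log line and hostname in the block is constructed for illustration (the `.invalid` TLD and SHA-256 hashes of dummy strings); the assumption is that you substitute the indicators published in Microsoft's Knotweed report and feed in your own DNS, file-event and VPN logs in the same key=value shape.

```python
"""IOC sweep and remote-access auth review over constructed log samples.

Added example for this article, not Cyware's or Microsoft's code. The
indicators are placeholders; replace IOC_DOMAINS and IOC_SHA256 with the
published Knotweed IOCs before using this against real telemetry.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed placeholder indicators (assumption: you substitute the real IOCs).
IOC_DOMAINS = {"update-check.invalid", "cdn-assets.invalid"}
IOC_SHA256 = {
    hashlib.sha256(b"constructed-jumplump-sample").hexdigest(),
    hashlib.sha256(b"constructed-corelump-sample").hexdigest(),
}

DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)


@dataclass(frozen=True)
class Hit:
    source: str      # which log the match came from
    indicator: str   # the IOC that matched
    line: str        # the raw log line, kept for the investigation


def _matching_domain(name: str) -> Optional[str]:
    """Return the IOC domain that `name` equals or is a subdomain of, else None."""
    name = name.lower()
    for ioc in IOC_DOMAINS:
        # Require a label boundary so "evil-cdn-assets.invalid" is not a match.
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


def sweep(logs: Dict[str, List[str]]) -> List[Hit]:
    """Match domain and file-hash IOCs against every line of every log source."""
    hits: List[Hit] = []
    for source, lines in logs.items():
        for line in lines:
            for name in DOMAIN_RE.findall(line):
                ioc = _matching_domain(name)
                if ioc:
                    hits.append(Hit(source, ioc, line))
            for digest in SHA256_RE.findall(line):
                if digest.lower() in IOC_SHA256:
                    hits.append(Hit(source, digest.lower(), line))
    return hits


def logins_without_mfa(auth_lines: List[str]) -> List[str]:
    """Flag successful remote-access logins that did not complete MFA."""
    return [
        line for line in auth_lines
        if "result=success" in line and "mfa=false" in line
    ]


# Constructed sample logs in a simple key=value format; not real telemetry.
SAMPLE_LOGS = {
    "dns": [
        "2022-07-27T10:01:02Z client=10.0.0.5 query=cdn.update-check.invalid type=A",
        "2022-07-27T10:01:03Z client=10.0.0.5 query=www.example.com type=A",
    ],
    "file_events": [
        "2022-07-27T10:02:10Z host=WS-17 path=C:\\Users\\Public\\x.dll sha256="
        + hashlib.sha256(b"constructed-jumplump-sample").hexdigest(),
        "2022-07-27T10:02:11Z host=WS-17 path=C:\\Windows\\notepad.exe sha256=" + "0" * 64,
    ],
}
SAMPLE_AUTH = [
    "2022-07-27T09:55:00Z vpn user=alice src=203.0.113.9 result=success mfa=true",
    "2022-07-27T09:58:41Z vpn user=svc-backup src=198.51.100.7 result=success mfa=false",
]

if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOGS):
        print(f"[{hit.source}] {hit.indicator}: {hit.line}")
    for line in logins_without_mfa(SAMPLE_AUTH):
        print(f"[auth] success without MFA: {line}")
```

The domain check deliberately matches subdomains of an IOC domain but not lookalike names that merely end in the same characters, and the hash check compares full SHA-256 values rather than substrings, so a sweep over large logs does not drown in false positives.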
Cyware Publisher