The Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) identified a private-sector offensive actor (PSOA) using multiple Windows and Adobe 0-day exploits, including one for the recently patched CVE-2022-22047, in limited and targeted attacks against customers in Europe and Central America. The PSOA, which MSTIC tracks as KNOTWEED, developed the Subzero malware and deployed it in these attacks.
This blog post describes Microsoft’s analysis of the observed KNOTWEED activity and of the associated malware used in targeted attacks against our customers. We share this information with customers and industry partners to help them detect these attacks. Customers are urged to apply the July 2022 Microsoft security updates as soon as possible to protect their systems from attacks exploiting CVE-2022-22047. Microsoft Defender Antivirus and Microsoft Defender for Endpoint now detect the malware and tools used by KNOTWEED.
PSOAs, which Microsoft also refers to as cyber mercenaries, sell hacking tools or services under a range of business models. Two common models for this category of actor are access-as-a-service and hack-for-hire. In access-as-a-service, the actor sells complete end-to-end hacking tools that the customer uses in its own operations; the PSOA is not involved in targeting or running the operation. In hack-for-hire, the buyer supplies detailed information to the actor, who then runs the specified operation. Based on observed attacks and news reports, MSTIC assesses that KNOTWEED may blend these models: it has been seen selling the Subzero malware to third parties while also using KNOTWEED-associated infrastructure in some attacks, which suggests more direct involvement.
Who is KNOTWEED?
KNOTWEED is an Austria-based PSOA named DSIRF. According to the DSIRF website [web archive link], the company offers services “to global organisations in the technology, retail, energy, and financial sectors” and boasts “a set of extremely sophisticated processes in obtaining and evaluating information.” They openly advertise a range of services, including “very advanced Red Teams to question your company’s most essential assets” and “an enhanced due diligence and risk analysis process through offering a comprehensive understanding of individuals and entities.”
However, numerous news reports have linked DSIRF to the development and alleged sale of a malware toolkit known as Subzero. In 2021 and 2022, MSTIC observed the Subzero malware being delivered through a number of techniques, including 0-day exploits for Windows and Adobe Reader. As part of our investigation into how this malware is used, Microsoft spoke with a Subzero victim, who confirmed that they had not commissioned any red-team or penetration-testing engagement and that the activity was unauthorised and malicious. Victims identified so far include law firms, banks, and strategic consultancies in countries such as Austria, the United Kingdom, and Panama.
Because targeting is frequently international, it is important to note that identifying targets in one country does not imply that a DSIRF customer resides in that country.
MSTIC has found multiple links between DSIRF and the exploits and malware used in these attacks. These include DSIRF-associated GitHub accounts being used in attacks, a code-signing certificate issued to DSIRF being used to sign an exploit, command-and-control infrastructure used by the malware being directly linked to DSIRF, and other open-source reporting attributing Subzero to DSIRF.
Observed actor activity
KNOTWEED initial access
MSTIC has observed KNOTWEED’s Subzero malware being delivered in several different ways. The following sections refer to the Subzero stages by the names under which Microsoft Defender detects them: Corelump for the main malware and Jumplump for the persistent loader.
KNOTWEED exploits in 2022
In May 2022, MSTIC observed an attack that led to the deployment of Subzero and that chained an Adobe Reader remote code execution (RCE) exploit with a 0-day Windows privilege escalation exploit. The exploits were packaged in a PDF file emailed to the victim. The victim’s Adobe Reader build was released in January 2022, so the exploit used was either a 1-day developed between January and May or a 0-day. Microsoft was unable to obtain the PDF or the Adobe Reader RCE component of the exploit chain.
Based on KNOTWEED’s extensive use of other 0-days, we assess with medium confidence that the Adobe Reader RCE was a 0-day exploit. MSRC analysed the Windows exploit, confirmed it as a 0-day, and patched it as CVE-2022-22047 in July 2022. Interestingly, although we have seen no evidence of browser-based attacks, the Windows exploit code contained indications that it was also designed to be used from Chromium-based browsers.
CVE-2022-22047 is an activation context caching issue in the Client Server Run-Time Subsystem (CSRSS) on Windows. At a high level, the vulnerability could allow an attacker to supply a crafted assembly manifest that creates a malicious activation context in the activation context cache for any process. The next time that process is launched, this cached context is used.
In the KNOTWEED-related attacks, CVE-2022-22047 was used for privilege escalation. The vulnerability also enabled system-level code execution and a sandbox escape (with some limitations, discussed below). The exploit chain begins with the sandboxed Adobe Reader renderer process writing the malicious DLL to disc. CVE-2022-22047 was then used to target a system process by supplying an application manifest with an undocumented attribute that specified the path of the malicious DLL. When the system process was next launched, the attribute in the malicious activation context caused the DLL to be loaded from that path, giving system-level code execution.
It is important to note that exploiting CVE-2022-22047 requires the attacker to be able to write a DLL to disc. In the threat model of sandboxes such as those of Adobe Reader and Chromium, the ability to write out files where the attacker cannot control the path is not considered dangerous, so these sandboxes do not prevent exploitation of CVE-2022-22047.
KNOTWEED infrastructure connections to DSIRF
RiskIQ expanded the picture of KNOTWEED’s attack infrastructure by pivoting from acrobatrelay[.]com, a known command-and-control domain identified by MSTIC. Using patterns in SSL certificate usage and other network fingerprints associated with the group and that domain, RiskIQ identified a large number of additional IP addresses under KNOTWEED’s control. This infrastructure has been actively serving malware since at least February 2020 and continues to do so as of this writing. It is hosted primarily by Digital Ocean and Choopa.
RiskIQ then used passive DNS data to determine which domains those IPs resolved to during the period they were malicious. This process produced several domains with direct links to DSIRF, including demo3[.]dsirf[.]eu (the company’s website), and a number of subdomains that appear to have been used for malware development, including debugmex[.]dsirflabs[.]eu and szstaging[.]dsirflabs[.]eu (likely a server used to stage the Subzero malware).
Detection and prevention
Microsoft will continue to monitor KNOTWEED activity and implement protections for our customers. The detections and IOCs described below are in place across Microsoft security products. The following detection guidance can help organisations strengthen their defences and better understand these attacks.
Corelump drops the Jumplump loader DLLs into the C:\Windows\System32\spool\drivers\color directory.
Because this directory is used by both malware and some legitimate programs, any PE files that appear in it should be monitored.
For persistence, Jumplump modifies COM registry keys to point to the Jumplump DLL in C:\Windows\System32\spool\drivers\color. To detect this technique, monitor for changes to the system’s default CLSID values (for example, the default value of HKLM\SOFTWARE\Classes\CLSID\{GUID}\InProcServer32).
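As an added illustration of the two checks described above (this script is not part of the original post and is not one of Microsoft’s detections), the following PowerShell enumerates PE files in the spool\drivers\color directory and CLSID InProcServer32 default values that resolve into it. The function names, the header-based PE identification, and the inclusion of the WOW6432Node and HKCU CLSID hives alongside the HKLM hive named in the text are this example’s own choices.

```powershell
# Added example (not from the report above): hunt for the two Jumplump
# persistence artefacts it describes. Run from an elevated PowerShell session.

$ColorDir = Join-Path $env:SystemRoot 'System32\spool\drivers\color'

# 1. PE files in the colour-profile directory. Legitimate colour management
#    also uses this folder, so identify PE files by the 'MZ' header rather
#    than by extension, and report hash and Authenticode status for triage.
function Get-ColorDirPeFiles {
    Get-ChildItem -Path $ColorDir -File -ErrorAction SilentlyContinue | ForEach-Object {
        $hdr = New-Object byte[] 2
        $fs  = [System.IO.File]::OpenRead($_.FullName)
        try     { $null = $fs.Read($hdr, 0, 2) }
        finally { $fs.Dispose() }
        if ($hdr[0] -eq 0x4D -and $hdr[1] -eq 0x5A) {   # 'M','Z'
            $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = $null
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            [pscustomobject]@{
                Path      = $_.FullName
                SizeBytes = $_.Length
                Modified  = $_.LastWriteTime
                Sha256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                SigStatus = $sig.Status
                Signer    = $signer
            }
        }
    }
}

# 2. CLSID\{GUID}\InProcServer32 default values that point into that directory.
#    The post names the HKLM hive; the WOW6432Node and HKCU hives are included
#    here as an assumption, since COM hijacks can be placed there as well.
function Get-ColorDirClsidHijacks {
    $roots = @(
        'HKLM:\SOFTWARE\Classes\CLSID',
        'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID',
        'HKCU:\SOFTWARE\Classes\CLSID'
    )
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $inproc  = Join-Path $_.PSPath 'InProcServer32'
            $default = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
            # Tolerate quoting and %SystemRoot%-style prefixes by matching the tail only.
            if ($default -and $default -like '*spool\drivers\color*') {
                [pscustomobject]@{
                    Clsid   = $_.PSChildName
                    Key     = $inproc -replace '^.*::', ''   # strip the provider prefix
                    Default = $default
                }
            }
        }
    }
}

$peFiles = @(Get-ColorDirPeFiles)
$hijacks = @(Get-ColorDirClsidHijacks)

"PE files in ${ColorDir}: $($peFiles.Count)"
$peFiles | Format-Table Path, SizeBytes, Modified, SigStatus -AutoSize
"CLSID InProcServer32 entries pointing into that directory: $($hijacks.Count)"
$hijacks | Format-Table Clsid, Default -AutoSize
```

A signed, expected colour-management module in that directory is normal; an unsigned PE, or any CLSID entry whose InProcServer32 default resolves into the directory, should be compared against the published IOCs and treated as a potential Jumplump persistence artefact until explained.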
Recommended customer actions
The following security recommendations can help mitigate the techniques used by the actor and described in the observed actor activity section:
- All customers should prioritise patching CVE-2022-22047.
- Confirm that Microsoft Defender Antivirus is updated to security intelligence update 1.371.503.0 or later to detect the associated indicators.
- Use the indicators of compromise provided to investigate whether they exist in your environment and to assess for potential intrusion.
- Change the Excel macro security settings to control which macros run and under what circumstances when you open a workbook. Customers can also stop malicious XLM or VBA macros by enabling runtime macro scanning by the Antimalware Scan Interface (AMSI). This feature is enabled by default when the Group Policy setting for Macro Run Time Scan Scope is set to “Enable for All Files” or “Enable for Low Trust Files.”
- Enable multifactor authentication (MFA) and ensure it is enforced for all remote connectivity to reduce the risk of credential compromise. Note: Microsoft strongly encourages all customers to download and use passwordless solutions such as Microsoft Authenticator to secure accounts.
- Review all authentication activity for remote access infrastructure, paying particular attention to accounts configured with single-factor authentication, to confirm that it is legitimate and to investigate any anomalous activity.