Cyber Mercenary Leveraged Windows Zero Day in Subzero Malware Attack


A cyber mercenary targeted European and Central American victims in “limited attacks” that leveraged multiple Microsoft and Adobe flaws - including a recently patched Windows zero-day bug - in order to deploy malware called Subzero.

Microsoft said that the cyber mercenary, which it tracks as Knotweed, is an Austria-based private-sector offensive actor called DSIRF "that ostensibly sells general security and information analysis services to commercial customers." Cyber-mercenary threat groups typically develop and offer an array of hacking and surveillance services to individuals and governments globally. This specific actor has been observed not only developing and selling the Subzero malware to third parties, but also using its own infrastructure in some attacks, “suggesting more direct involvement.” Researchers have observed victims - including law firms, banks and consultant companies - in various countries, such as Austria, the UK and Panama.

“MSTIC has found multiple links between DSIRF and the exploits and malware used in these attacks,” said Microsoft researchers in a Wednesday analysis. “These include command-and-control infrastructure used by the malware directly linking to DSIRF, a DSIRF-associated GitHub account being used in one attack, a code signing certificate issued to DSIRF being used to sign an exploit, and other open-source news reports attributing Subzero to DSIRF.”

The Subzero malware was deployed via exploit chains that leveraged several vulnerabilities, including a zero-day Windows flaw (CVE-2022-22047) used in attacks for privilege escalation. The bug, which Microsoft patched in its regularly scheduled July security updates, exists in the Windows Client Server Runtime Subsystem (CSRSS); if exploited by an attacker, the important-severity flaw could be used to escape sandboxes and achieve system-level code execution.

An Adobe Reader remote code execution flaw was also targeted as part of the exploit chain. While Microsoft researchers were not able to acquire the PDF or Adobe Reader RCE portion of the exploit chain, they assessed with “medium confidence” that this flaw is a zero-day exploit given Knotweed’s use of other zero days.

“The exploit chain starts with writing a malicious DLL to disk from the sandboxed Adobe Reader renderer process,” said researchers. “The CVE-2022-22047 exploit was then used to target a system process by providing an application manifest with an undocumented attribute that specified the path of the malicious DLL. Then, when the system process next spawned, the attribute in the malicious activation context was used, the malicious DLL was loaded from the given path, and system-level code execution was achieved.”
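The chain above leaves a concrete trace for defenders: a DLL written under a user-writable path by the sandboxed Reader renderer and later loaded by a privileged system process. The following hunting logic is an added example, not Microsoft's or DSIRF's code; it runs over constructed Sysmon-style events (EventID 11 file create, EventID 7 image load) and the field names, paths and user accounts are assumptions for illustration.

```python
"""Flag DLLs dropped by a sandboxed renderer and later loaded by a
privileged process from a non-system path (added example, constructed data)."""
import json

# Constructed Sysmon-style events; the manifest attribute used by the exploit
# is not named on the page, so this hunts the observable side effect: the load.
LOG_LINES = [
    '{"EventID": 11, "Image": "C:\\\\Program Files\\\\Adobe\\\\Acrobat Reader\\\\AcroRd32.exe",'
    ' "TargetFilename": "C:\\\\Users\\\\alice\\\\AppData\\\\Local\\\\Temp\\\\update.dll"}',
    '{"EventID": 7, "Image": "C:\\\\Windows\\\\System32\\\\svchost.exe",'
    ' "User": "NT AUTHORITY\\\\SYSTEM",'
    ' "ImageLoaded": "C:\\\\Users\\\\alice\\\\AppData\\\\Local\\\\Temp\\\\update.dll"}',
    '{"EventID": 7, "Image": "C:\\\\Windows\\\\System32\\\\svchost.exe",'
    ' "User": "NT AUTHORITY\\\\SYSTEM", "ImageLoaded": "C:\\\\Windows\\\\System32\\\\kernel32.dll"}',
    '{"EventID": 7, "Image": "C:\\\\Program Files\\\\Adobe\\\\Acrobat Reader\\\\AcroRd32.exe",'
    ' "User": "CORP\\\\alice",'
    ' "ImageLoaded": "C:\\\\Users\\\\alice\\\\AppData\\\\Local\\\\Temp\\\\update.dll"}',
]
EVENTS = [json.loads(line) for line in LOG_LINES]

# Directories a normal user cannot write to; anything else is "user-writable" here.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
PRIV_USERS = {"nt authority\\system", "nt authority\\local service",
              "nt authority\\network service"}


def is_trusted_path(path):
    return path.lower().startswith(TRUSTED_DIRS)


def find_suspicious_loads(events):
    """Return (dropper, loader, dll) for each DLL loaded by a privileged
    process from an untrusted path; dropper is the process that wrote it
    earlier in the stream, or None if no matching file-create was seen."""
    dropped = {}  # lower-cased DLL path -> process that created it
    hits = []
    for ev in events:
        if ev["EventID"] == 11:
            target = ev["TargetFilename"]
            if target.lower().endswith(".dll") and not is_trusted_path(target):
                dropped[target.lower()] = ev["Image"]
        elif ev["EventID"] == 7:
            img = ev["ImageLoaded"]
            if ev["User"].lower() in PRIV_USERS and not is_trusted_path(img):
                hits.append((dropped.get(img.lower()), ev["Image"], img))
    return hits


if __name__ == "__main__":
    for dropper, loader, dll in find_suspicious_loads(EVENTS):
        print(f"ALERT: {loader} loaded {dll} (written by {dropper})")
```

Only the svchost.exe load of the Temp-directory DLL is reported; the same DLL loaded by the unprivileged Reader process and the system DLL loaded from System32 are not.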

Researchers observed several other vulnerabilities being leveraged in exploit chains to deploy Subzero including three Windows privilege escalation bugs (CVE-2021-31199, CVE-2021-31201 and CVE-2021-3648) and an Adobe Reader flaw (CVE-2021-28550). Beyond these exploit chains, Subzero was also seen being deployed via an Excel file that masqueraded as a real estate document, but was actually a malicious macro.

After initial access, a downloader shellcode was executed that retrieved a second-stage malware from the actor-operated command-and-control (C2) server; this main payload, which resided exclusively in memory to avoid detection, had a variety of capabilities, including keylogging, capturing screenshots, stealing files, and running remote shells and arbitrary plugins. Knotweed was also observed using custom utility tools it had developed, called Mex and PassLib, which dumped credentials from web browsers, Windows Credential Manager and email clients.

Microsoft’s hope in sharing information (like malware signatures) linked to cyber mercenary groups like Knotweed with its customers and industry partners is to improve detection of these attacks. Other companies in the tech industry have taken similar steps, with Google in June applying its Safe Browsing protection feature to more than 30 domains linked to several hack-for-hire operations. These hack-for-hire firms had targeted a range of accounts, including Gmail and AWS accounts, in order to carry out corporate espionage attacks against firms, as well as campaigns that target human rights and political activists, journalists and other high-risk users worldwide.

The public sector is also calling attention to spyware and cyber mercenary commercial firms, with the Intelligence Authorization Act, a bill recently passed by the House Intelligence Committee, including several provisions that crack down on firms selling surveillance technology. In a Wednesday House Permanent Select Committee on Intelligence hearing about “Combating the Threats to U.S. National Security from the Proliferation of Foreign Commercial Spyware,” Microsoft and other firms described how they are increasingly seeing cyber mercenaries selling their tools to authoritarian governments in order to target human rights activists, journalists, dissidents and others.

“We welcome Congress’s focus on the risks and abuses we all collectively face from the unscrupulous use of surveillance technologies and encourage regulation to limit their use both here in the United States and elsewhere around the world,” said Cristin Goodwin, general manager with Microsoft’s Digital Security Unit, on Wednesday. “We will continue to advocate around policy solutions to address the dangers caused when [private-sector offensive actors] build and sell weapons.”