Microsoft uncovers group that used previously unknown zero days, spyware to target Windows


The Microsoft Threat Intelligence Center (MSTIC), along with the Microsoft Security Response Center (MSRC), published a blog post identifying an Austria-based group as KNOTWEED and detailing its malware and exploits.

According to the joint MSTIC and MSRC report, a private-sector offensive actor (PSOA) has been using multiple Windows and Adobe zero-day exploits to develop and sell malware dubbed Subzero, which has been used to attack banks, consultancies, agencies and law firms in European and Central American regions.

In its technical blog post, which is being used as written testimony submitted to the US House Intelligence Committee this week, Microsoft details the actions of DSIRF, which is the official name of the developers behind KNOTWEED.

Figure 1: Valid digital signature from DSIRF

Despite DSIRF's claims of legitimacy as a multinational risk analysis business that makes use of “a set of highly sophisticated techniques in gathering and analyzing information”, Microsoft has surveilled and tagged the bad actor as a distributor of spyware intended for unauthorized surveillance.

Multiple news reports have linked DSIRF to the malware toolset Subzero, which took advantage of zero-day exploits in Windows and Adobe Reader in 2021 and 2022.

In May 2022, MSTIC found an Adobe Reader remote code execution (RCE) and a 0-day Windows privilege escalation exploit chain being used in an attack that led to the deployment of Subzero. The exploits were packaged into a PDF document that was sent to the victim via email. Microsoft was not able to acquire the PDF or Adobe Reader RCE portion of the exploit chain, but the victim’s Adobe Reader version was released in January 2022, meaning that the exploit used was either a 1-day exploit developed between January and May, or a 0-day exploit. Based on KNOTWEED’s extensive use of other 0-days, we assess with medium confidence that the Adobe Reader RCE is a 0-day exploit. The Windows exploit was analyzed by MSRC, found to be a 0-day exploit, and then patched in July 2022 as CVE-2022-22047. Interestingly, there were indications in the Windows exploit code that it was also designed to be used from Chromium-based browsers, although we’ve seen no evidence of browser-based attacks.

Microsoft also details KNOTWEED exploits that involve Subzero disguising itself as an Excel file in real estate documents. “The file contained a malicious macro that was obfuscated with large chunks of benign comments from the Kama Sutra, string obfuscation, and use of Excel 4.0 macros.”


Fortunately, Microsoft has been able to implement protections since identifying KNOTWEED, but it advises users to be on the lookout for other behaviors of known and unknown malware. That includes examining directories such as C:\Windows\System32\spool\drivers\color\, where legitimate programs may inadvertently house spyware.
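One way to examine that directory from PowerShell, as an added example that is not taken from the Microsoft report: it lists files that either start with a PE (EXE/DLL) header or do not carry a color-profile extension. The function names and the extension allow-list are assumptions made for this sketch.

```powershell
# Added example: triage of the color-profile directory named in the article.
# Assumption: only color-profile file types belong here; tune the allow-list for your fleet.
$ColorDir   = Join-Path $env:WINDIR 'System32\spool\drivers\color'
$ProfileExt = '.icc', '.icm', '.camp', '.cdmp', '.gmmp'   # assumed allow-list

function Test-PEHeader {            # hypothetical helper name
    param([string]$Path)
    # A PE image (EXE/DLL) begins with the two bytes 'MZ' (0x4D 0x5A).
    $stream = $null
    try {
        $stream = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
        $buf  = New-Object byte[] 2
        $read = $stream.Read($buf, 0, 2)
        return ($read -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A)
    } catch {
        return $false               # locked or unreadable file: treated as "no PE header"
    } finally {
        if ($stream) { $stream.Dispose() }
    }
}

function Get-ColorDirFinding {      # hypothetical helper name
    param([string]$Directory = $ColorDir)
    Get-ChildItem -LiteralPath $Directory -File -Force -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $isPE   = Test-PEHeader -Path $_.FullName
            $oddExt = $ProfileExt -notcontains $_.Extension.ToLowerInvariant()
            if ($isPE -or $oddExt) {
                $reasons = @()
                if ($isPE)   { $reasons += 'PE header (MZ)' }
                if ($oddExt) { $reasons += "unexpected extension '$($_.Extension)'" }
                # Signature status is context only: a valid signature does not make a file benign.
                $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    Path      = $_.FullName
                    Reason    = $reasons -join '; '
                    Signature = $sig.Status
                    Signer    = $sig.SignerCertificate.Subject
                    SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    Created   = $_.CreationTimeUtc
                    Modified  = $_.LastWriteTimeUtc
                }
            }
        }
}

Get-ColorDirFinding | Format-List
```

An empty result means nothing in the directory matched either condition; any hit should be compared against known-good software on the machine before it is treated as suspicious.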

If digging through registries is too far in the weeds for some, Microsoft also suggests some more practical high-level options, such as prioritizing patching of CVE-2022-22047 when it hits machines, making sure Microsoft Defender Antivirus is up to date, changing Excel macro security settings, enabling multifactor authentication (MFA), and regularly reviewing authentication activity from remote access infrastructure.