Microsoft caught Austrian spyware group

Microsoft has unmasked an Austrian provider of spyware that previously posed as a security company. The group is responsible for the Subzero malware.

Microsoft has caught the malware.
© Altitude Visual / shutterstock.com

The Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) have uncovered an Austrian spyware group that used Windows and Adobe zero-day exploits in targeted attacks against Microsoft customers in Europe and Central America. Microsoft calls the group “Knotweed”; it calls itself DSIRF and uses a malware family named Subzero, against which Microsoft is now taking action.

Knotweed was not only directly involved in attacks but also passed its malware on to third parties so that they could run their own campaigns; MSTIC infers this from the attacks it observed. Victims in 2021 and 2022 included law firms, banks and strategic consulting firms in countries such as Austria, the United Kingdom and Panama.

On its own website, DSIRF presents itself as a cyber security company and offers various risk-analysis services, which suggests a reputable business. Microsoft, however, has identified several links between DSIRF and the exploits and malware used in the attacks: the command-and-control infrastructure used by the malware, a GitHub account associated with DSIRF, a code-signing certificate issued to DSIRF, and other open-source news reports linking Subzero to DSIRF.

In the past, Knotweed has, among other things, used a zero-day vulnerability in Adobe Reader to spread Subzero: the exploit was packaged in a PDF document that was e-mailed to the victim. The group also exploited CVE-2022-22047, CVE-2021-31199, CVE-2021-31201, CVE-2021-28550 and CVE-2021-36948, all of which have since been patched.

Microsoft says it will continue to monitor the group’s activities and roll out protections for its customers. Customers should watch for suspicious activity such as PowerShell scripts being run from Internet locations, modification of commonly abused registry keys such as HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest, and LSASS credential dumping via minidumps.
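As an added example (not code from the article or from Microsoft), the following PowerShell script checks a single Windows host for the three indicators just listed: the WDigest registry setting, download-and-run PowerShell activity, and handles opened on LSASS. It assumes an elevated PowerShell 5.1 or later session, that PowerShell script-block logging (event ID 4104) is enabled, and, for the last check, that Sysmon is installed and logs ProcessAccess (event ID 10). The function names and regular-expression patterns are this example’s own choices, not Microsoft’s detection logic.

```powershell
# Added example, not from the article or from Microsoft. Run as Administrator.
# Assumes PowerShell script block logging (4104) is on; the LSASS check assumes
# Sysmon with event ID 10 (ProcessAccess) logging.

$WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

function Test-WDigestHardened {
    # UseLogonCredential = 1 makes LSASS keep cleartext credentials in memory,
    # which is what credential-dumping tools look for. A missing value or 0 is
    # the safe state on Windows 8.1 / Server 2012 R2 and later.
    $props = Get-ItemProperty -Path $WDigestKey -Name UseLogonCredential -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $true }
    return ($props.UseLogonCredential -ne 1)
}

function Set-WDigestHardened {
    # Set the value to 0 explicitly rather than relying on it being absent,
    # so a later tampering attempt is a visible change from 0 to 1.
    New-ItemProperty -Path $WDigestKey -Name UseLogonCredential -PropertyType DWord -Value 0 -Force | Out-Null
}

function Get-SuspiciousScriptBlocks {
    param([int]$Days = 7)
    # Script block logging records the script text even when it never touched
    # disk, so "download from the Internet and execute" shows up here.
    # Pattern is a heuristic chosen for this example; tune it to your fleet.
    $pattern = 'Invoke-WebRequest|DownloadString|DownloadFile|Net\.WebClient|Invoke-Expression|\bIEX\b|https?://'
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $pattern } |
        Select-Object TimeCreated,
            @{ n = 'Snippet'; e = { $_.Message.Substring(0, [Math]::Min(200, $_.Message.Length)) } }
}

function Get-LsassAccessEvents {
    param([int]$Days = 7)
    # Sysmon event 10 records which process opened a handle on lsass.exe.
    # Security products and some Windows components do this legitimately, so
    # treat each hit as a lead to triage (check SourceImage), not a verdict.
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'TargetImage:\s*.*\\lsass\.exe' } |
        Select-Object TimeCreated,
            @{ n = 'SourceImage'; e = { if ($_.Message -match 'SourceImage:\s*(.+)') { $Matches[1].Trim() } } }
}

# --- Run the checks ---
if (Test-WDigestHardened) {
    Write-Host 'WDigest: OK (UseLogonCredential is not 1)'
} else {
    Write-Warning 'WDigest UseLogonCredential is 1: cleartext credentials are cached in LSASS. Resetting to 0.'
    Set-WDigestHardened
}

Write-Host "`nPowerShell script blocks with download/execute patterns (last 7 days):"
Get-SuspiciousScriptBlocks | Format-Table -AutoSize -Wrap

Write-Host "`nProcesses that opened a handle on lsass.exe (Sysmon event 10, last 7 days):"
Get-LsassAccessEvents | Format-Table -AutoSize
```

The WDigest check is the only one that is authoritative on its own; the two event-log queries are triage aids and will produce false positives from legitimate administration and endpoint-protection software, so review the SourceImage and script text before acting on them.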

Microsoft also recommends installing the July 2022 security updates to protect systems against attacks on CVE-2022-22047. Microsoft Defender Antivirus and Microsoft Defender for Endpoint have also added detections for Knotweed’s malware and tools.


29.7.2022, by Laura Pippig

Reference: www.pc-magazin.de