Microsoft has discovered a PSOA, a cyber mercenary organization with sophisticated hiring tools that can allow threat actors to exploit Windows and Adobe vulnerabilities for malicious activities. This article looks at KNOTWEED, the identified threat, what it is, how KNOTWEED works, and how you can identify and protect yourself from KNOTWEED.
Recent times have shown that Microsoft products and services are on the radar of cybercriminals. Microsoft discovered a PSOA (private-sector offensive actor), referred to as KNOTWEED, exploiting zero-day vulnerabilities found in Windows and Adobe.
The PSOA has been involved in targeted attacks against various customers in Europe and Central America using a developed malware, codenamed Subzero. Here is a brief account of how Microsoft discovered KNOTWEED.
The KNOTWEED Discovery
KNOTWEED was discovered on July 27, 2022, by the combined efforts of Microsoft Threat Intelligence Center (MSTIC), Microsoft Security Response Center (MSRC), and RiskIQ. Microsoft’s security team analyzed the threat and classified it as a PSOA based in Austria under the DSIRF organization.
PSOA’s include cyber mercenaries that are found selling malicious tools and services via business models such as hack-for-hire and cloud service models. In such models, the purchaser of the services may implement the access-as-a-service model to carry out malicious activities themselves or provide details about the target and have the provider run the hacking operations.
Microsoft’s security team labels KNOTWEED as an amalgam of these models allowing third parties to purchase and use the Subzero malware in some cases. Other cases have shown the involvement of the PSOA itself.
What is KNOTWEED?
KNOTWEED and the Subzero malware are a product of DSIRF. The website for the organization explains it as a service provider to multinational corporations in various sectors and has sophisticated means for data gathering.
The Austria-based organization has been linked with Subzero’s development. Subzero has been present since 2021 and is used in zero-day attacks in Adobe Reader and Windows. But that is not all. Subzero’s victim list is huge, including law firms, consultancies, and financial institutions in Austria, Panama, and the United Kingdom. Microsoft discovered multiple attacks, including a C2 (Command and Control) infrastructure, DSIRF-linked GitHub, code signing certificates, and more.
How DSIRF Connects to KNOTWEED
Microsoft and RiskIQ investigated the C2 domain, “acrobatrelay[.]com”. The domain provided information about the attack infrastructure and used unique SSL certificates, specific network fingerprints, and multiple IP addresses under KNOTWEED. Choopa and Digital Ocean hosted the infrastructure.
Microsoft also analyzed the DNS (Domain Name System), which revealed several domains used during the malicious activities, with direct links to “demo3[.]dsirf[.]eu”, DSIRF’s website. Several subdomains were also discovered for malware development, debugging with the Mex tool, and a Subzero server.
How Does KNOTWEED Work?
Knotweed has been employed in various ways, as it has been present since 2021.
KNOTWEED in 2021
- Privilege escalation via Vulnerabilities
In 2021, Microsoft discovered two privilege escalation exploits (CVE-2021-31199 and CVE-2021-31201) in Windows that KNOTWEED used with an exploit in Adobe Reader (CVE-2021-28550). Microsoft’s security team patched the same in June 2021 and discovered these were part of a chain exploit for the deployment of the Subzero malware. Later, malicious actors also used subzero in (CVE-2021-36948), a Windows Update Medic Service vulnerability that threat actors used to force services by loading DLLs (Dynamic-link library) signed by “DSIRF GmbH.”
2. Excel Documents
Besides exploiting vulnerabilities, the Subzero malware also masqueraded as excel files about real estate documents. The excel files contained malicious macros, comments from the Kama Sutra, and obfuscated strings. The VBA macro called native Win32 functions and loaded shellcodes, allowing the threat actor to retrieve Corelump, a second-stage malware using the hacker’s C2 server.
Once loaded into the memory, Corelump evaded detection and could be used to capture screenshots, exfiltrate files, run remote shell, keylogging, and download other plugins from the C2 server. Jumploader is the other element of this equation. Corelump’s shellcode downloads a JPEG image with encrypted malicious data. Jumploader loads the Corelump data from the JPEG file into the memory and can also download it from the C2 server if Corelump is absent.
3. Tools and Services
KNOTWEED also developed and used a wide array of tools such as Mex, a command-line tool with copied security plugins, and PassLib, a password stealing tool that can affect web browsers, emails, LSAs (Local Security Authority), and credential managers.
KNOTWEED in 2022: How does Subzero affect Windows and Adobe?
Microsoft’s security team found a zero day Windows vulnerability that allowed hackers to escalate their privileges in conjunction with an RCE (Remote Code Execution) vulnerability in Adobe Reader. These vulnerabilities were part of a chained effort where the threat actors packaged the exploits into PDF documents that the attackers delivered via email.
The Windows vulnerability (CVE-2022-22047) was used with activation context issues, allowing attackers to craft assembled manifests to create malicious activation contexts and cache for arbitrary processes. KNOTWEED also used the vulnerability to steer clear of sandboxes and achieve system-level code execution.
This exploit allowed attackers to target system processes by inserting undocumented attributes into created application manifests that led to a malicious DLL file written to the disk from sandboxed Adobe Reader processes. However, Microsoft patched the vulnerability in July 2022.
How to Identify and Protect Against KNOTWEED
Microsoft also outlined various steps that you can take that can mitigate KNOTWEED, including:
- Download the security patch for CVE-2022-22047.
- Update Microsoft Defender to its latest security intelligence update version (Currently 1.371.503.0).
- Change the settings for Excel to stop XLM or VBA macros by ensuring that AMSI (Antimalware Scan Interface) is turned on.
- Enable MFA (Multi-Factor Authentication) to protect all accounts and mitigate the risk of compromised login credentials.
- Review the authentication activity to identify unwanted actors, especially for remote access infrastructure.
Microsoft Defender is completely equipped for protection against KNOTWEED. You can also identify if your system is under attack by KNOTWEED as they are detected under the following names by Microsoft Defender.
- Backdoor: O97M/JumplumpDropper.
- Trojan: Win32/Jumplump.
- Trojan: Win32/Corelump.
- HackTool: Win32/Mexlib.
- Trojan: Win32/Medcerc.
- Behavior: Win32/SuspModuleLoad.
Furthermore, you can look out for the following alerts that indicate a KNOTWEED attack or compromise for endpoint customers.
- COM Hijacking.
- Possible privilege escalation using CTF.
- KNOTWEED actor activity detected.
- WDigest configuration change.
- Sensitive credential memory read.
- Suspicious Curl behavior.
- Suspicious screen capture activity.
You can also read more about these in detail in Microsoft’s report.
Final Words
KNOTWEED is another example of how sophisticated cybercriminal and malware activities can be right under our noses. Subzero’s zero day exploit for Adobe and Windows has certainly revealed a new angle on cyber malware and how a threat evolves, evading detection. Microsoft’s submission of written testimony to the House Permanent Select Committee on Intelligence Hearing shows that the organization’s efforts are focused, and Congress should also take major steps to mitigate the collective risks of cybercrime.
Whether Microsoft has thwarted the DSIRF and its purchasers from causing more harm or the KNOTWEED threat will grow further is a question that only time will answer. Until then, you should follow the above steps for protection against KNOTWEED and follow the latest details.