An Austrian hack-for-hire company used Windows, Adobe zero-days in Subzero malware attacks

A hack-for-hire company has targeted European and Central American entities in limited attacks that used multiple zero-day flaws in Microsoft and Adobe software products, including a recently patched zero-day vulnerability in Windows.

The company, officially known as DSIRF but tracked by Microsoft as “Knotweed,” is an Austria-based private-sector offensive actor that ostensibly provides security and information analysis services to commercial customers. According to Microsoft, DSIRF has previously been observed both developing and selling a malware toolset called “Subzero” to third parties.

Over the last two years, Subzero was deployed through a variety of methods, including exploits for zero-day bugs in the Adobe Reader and Windows OS (CVE-2022-22047).

CVE-2022-22047 is a privilege escalation issue in the Windows Client/Server Runtime Subsystem (CSRSS) that allows arbitrary code execution with SYSTEM privileges via a specially crafted program. The flaw affects Windows versions from 8.1 through 11 21H2 and Windows Server 2008 through 2022.

Microsoft says that the targets of the Subzero attacks included law firms, banks, and strategic consultancies in Austria, the United Kingdom, and Panama.

The Subzero malware was deployed via exploit chains that leveraged several vulnerabilities.

“CVE-2022-22047 was used in KNOTWEED related attacks for privilege escalation. The vulnerability also provided the ability to escape sandboxes and achieve system-level code execution,” Microsoft explained. “The exploit chain starts with writing a malicious DLL to disk from the sandboxed Adobe Reader renderer process. The CVE-2022-22047 exploit was then used to target a system process by providing an application manifest with an undocumented attribute that specified the path of the malicious DLL. Then, when the system process next spawned, the attribute in the malicious activation context was used, the malicious DLL was loaded from the given path, and system-level code execution was achieved.”
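From the defensive side, the two observable steps of the chain quoted above (a DLL written to disk by the sandboxed reader process, then that same DLL mapped into a process running as SYSTEM) can be correlated in endpoint telemetry. The following Python rule is an added example, not code from the article or from Microsoft's report; it uses simplified Sysmon-style records, and the reader process names, paths and sample events are constructed assumptions.

```python
# Added example, not from the article or Microsoft's report. Correlates
# Sysmon-style events: ID 11 (FileCreate) of a .dll by an Adobe Reader
# process, followed by ID 7 (ImageLoad) of that same .dll in a process
# running as SYSTEM. Field names mirror Sysmon; the records, paths and
# process names below are constructed for illustration.
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"
# Assumption: executable names of the sandboxed reader processes.
READER_IMAGES = {"acrord32.exe", "acrocef.exe", "rdrcef.exe"}

def correlate_dropped_dll_loads(events):
    """Return one alert per DLL that a reader process wrote to disk and a
    SYSTEM process later loaded. Events are processed in time order."""
    dropped = {}   # lowercased dll path -> image that wrote it
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == 11:
            target = ev["TargetFilename"].lower()
            writer = ev["Image"].lower().rsplit("\\", 1)[-1]
            if target.endswith(".dll") and writer in READER_IMAGES:
                dropped[target] = ev["Image"]
        elif ev["id"] == 7:
            loaded = ev["ImageLoaded"].lower()
            # The reader loading its own file is expected; the same file
            # mapped into a SYSTEM process is the escalation signal.
            if ev.get("User") == SYSTEM_USER and loaded in dropped:
                alerts.append({"dll": ev["ImageLoaded"],
                               "dropped_by": dropped[loaded],
                               "loader": ev["Image"],
                               "loader_pid": ev["ProcessId"],
                               "time": ev["time"]})
    return alerts

# Constructed telemetry: the drop, a benign SYSTEM load, the malicious
# SYSTEM load, and the reader loading the same file (no alert).
READER = "C:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe"
DLL = "C:\\Users\\alice\\AppData\\Local\\Temp\\update.dll"
SAMPLE_EVENTS = [
    {"id": 11, "time": 1, "ProcessId": 4120, "Image": READER,
     "TargetFilename": DLL},
    {"id": 7, "time": 2, "ProcessId": 912, "User": SYSTEM_USER,
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll"},
    {"id": 7, "time": 3, "ProcessId": 912, "User": SYSTEM_USER,
     "Image": "C:\\Windows\\System32\\svchost.exe", "ImageLoaded": DLL},
    {"id": 7, "time": 4, "ProcessId": 4120, "User": "CORP\\alice",
     "Image": READER, "ImageLoaded": DLL},
]
```

Running `correlate_dropped_dll_loads(SAMPLE_EVENTS)` yields a single alert for the SYSTEM-context load; the benign system DLL load and the reader's own load of the dropped file produce none.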

Besides CVE-2022-22047, the threat actor was observed exploiting an Adobe Reader remote code execution flaw (CVE-2021-28550) as well as three Windows privilege escalation bugs (CVE-2021-31199, CVE-2021-31201, and CVE-2021-36948).

In addition to the exploit chains, Subzero was also observed being deployed via an Excel file disguised as a real estate document that carried a malicious macro.

More detailed technical analysis, as well as Indicators of Compromise (IoCs) associated with the malware campaign, are available in Microsoft’s report.