
Microsoft uncovers group that used previously unknown zero days, spyware to target Windows

Published on July 28, 2022

The Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) have published a blog post identifying and detailing the malware and exploits of an Austria-based group that Microsoft tracks as KNOTWEED.

According to the joint MSTIC and MSRC report, a private-sector offensive actor (PSOA) has been using multiple Windows and Adobe zero-day exploits, together with malware it develops and sells under the name Subzero, to attack banks, consultancies, agencies and law firms in Europe and Central America.

In the technical blog post, which Microsoft also submitted this week as written testimony to the US House Intelligence Committee, Microsoft details the actions of DSIRF, the Austrian company behind KNOTWEED.

Despite DSIRF’s claims to be a legitimate multinational risk analysis business that uses “a set of highly sophisticated techniques in gathering and analyzing information”, Microsoft has observed the group’s activity and classified it as a distributor of spyware intended for unauthorized surveillance.

Multiple news reports have linked DSIRF to the Subzero malware toolset, which took advantage of zero-day exploits in Windows and Adobe Reader in 2021 and 2022.

Microsoft’s report describes the May 2022 attack chain in its own words:

“In May 2022, MSTIC found an Adobe Reader remote code execution (RCE) and a 0-day Windows privilege escalation exploit chain being used in an attack that led to the deployment of Subzero. The exploits were packaged into a PDF document that was sent to the victim via email. Microsoft was not able to acquire the PDF or Adobe Reader RCE portion of the exploit chain, but the victim’s Adobe Reader version was released in January 2022, meaning that the exploit used was either a 1-day exploit developed between January and May, or a 0-day exploit. Based on KNOTWEED’s extensive use of other 0-days, we assess with medium confidence that the Adobe Reader RCE is a 0-day exploit. The Windows exploit was analyzed by MSRC, found to be a 0-day exploit, and then patched in July 2022 as CVE-2022-22047. Interestingly, there were indications in the Windows exploit code that it was also designed to be used from Chromium-based browsers, although we’ve seen no evidence of browser-based attacks.”

Microsoft also details a KNOTWEED campaign in which Subzero was delivered by an Excel file posing as a real estate document. “The file contained a malicious macro that was obfuscated with large chunks of benign comments from the Kama Sutra, string obfuscation, and use of Excel 4.0 macros.”

Fortunately, Microsoft has implemented protections since identifying KNOTWEED, but it advises defenders to hunt for related behavior of known and unknown malware. One concrete check is to examine the directory C:\Windows\System32\spool\drivers\color\, which the report identifies as a location Subzero uses to stage its files; it is a legitimate system directory that standard users can write to, which is exactly why spyware ends up housed there.

If hunting through the file system is too deep in the weeds for some, Microsoft also suggests more practical high-level steps: prioritize patching CVE-2022-22047 as soon as the update reaches your machines, make sure Microsoft Defender Antivirus is up to date, tighten Excel macro security settings, enable multifactor authentication (MFA), and regularly review authentication activity on remote access infrastructure.
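The checks above can be scripted. The following PowerShell triage script is an added example written for this article; it is not code from Microsoft’s report or from Windows Report. It lists non-profile files in the color directory together with their Authenticode status, reports the Defender signature version, lists hotfixes installed on or after the July 2022 Patch Tuesday (the KB number for CVE-2022-22047 depends on the Windows build, so none is hard-coded), and reads the Excel macro settings. The expected-extension list and the Defender signature threshold of 1.371.503.0 are assumptions noted in the comments; run it from an elevated PowerShell session.

```powershell
# Added example for KNOTWEED triage (not from Microsoft's report or this article).
# Assumptions are marked inline. Run elevated on the host being checked.

$ColorDir = 'C:\Windows\System32\spool\drivers\color'
# File types a stock colour-profile directory is expected to hold (assumption).
$ExpectedExt = @('.icm', '.icc', '.cdmp', '.gmmp', '.camp', '.wcs')

Write-Host "== Unexpected files in $ColorDir =="
Get-ChildItem -Path $ColorDir -File -ErrorAction SilentlyContinue |
    Where-Object { $ExpectedExt -notcontains $_.Extension.ToLower() } |
    ForEach-Object {
        # A DLL or EXE here is suspicious regardless of signature; unsigned is worse.
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [PSCustomObject]@{
            Name      = $_.Name
            Size      = $_.Length
            Written   = $_.LastWriteTime
            Signature = $sig.Status
            Signer    = $sig.SignerCertificate.Subject
        }
    } | Format-Table -AutoSize

Write-Host "`n== Microsoft Defender Antivirus signature version =="
try {
    $mp     = Get-MpComputerStatus
    $minSig = [version]'1.371.503.0'   # threshold attributed to Microsoft's report (assumption)
    $cur    = [version]$mp.AntivirusSignatureVersion
    $state  = if ($cur -ge $minSig) { 'meets' } else { 'BELOW' }
    "{0} (installed) {1} the minimum {2}" -f $cur, $state, $minSig
} catch {
    Write-Warning "Defender status unavailable: $($_.Exception.Message)"
}

Write-Host "`n== Hotfixes installed on or after the July 2022 Patch Tuesday =="
# CVE-2022-22047 shipped in the 12 July 2022 cumulative updates. The KB number
# varies by Windows build, so list what is installed and compare it with the
# advisory for this build instead of hard-coding a KB.
Get-HotFix | Where-Object { $_.InstalledOn -ge [datetime]'2022-07-12' } |
    Sort-Object InstalledOn |
    Format-Table HotFixID, Description, InstalledOn -AutoSize

Write-Host "`n== Excel macro settings (policy key first, then user key) =="
$keys = @(
    'HKCU:\Software\Policies\Microsoft\Office\16.0\Excel\Security',
    'HKCU:\Software\Microsoft\Office\16.0\Excel\Security'
)
foreach ($root in $keys) {
    if (Test-Path $root) {
        $p = Get-ItemProperty -Path $root
        # VBAWarnings: 1 = enable all macros, 2 = disable with notification,
        # 3 = disable except digitally signed, 4 = disable all without notification.
        # blockcontentexecutionfrominternet: 1 = block macros in files from the internet.
        "{0}`n  VBAWarnings={1}  blockcontentexecutionfrominternet={2}" -f `
            $root, $p.VBAWarnings, $p.blockcontentexecutionfrominternet
    } else {
        "$root not present (Office defaults apply)"
    }
}
```

A VBAWarnings value of 1, or an absent blockcontentexecutionfrominternet value, means the host would have run the macro-laden Excel lure described above with little more than a click; any DLL or EXE surfacing in the color directory should be hashed and checked against the indicators in Microsoft’s report before being removed.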

Kareem Anderson

Networking & Security Specialist

Kareem is a journalist from the Bay Area, now living in Florida. His passion for technology and content creation is unmatched, driving him to create well-researched articles and incredible YouTube videos.

He is always on the lookout for everything new about Microsoft, focusing on making easy-to-understand content and breaking down complex topics related to networking, Azure, cloud computing, and security.
