Microsoft’s Threat Intelligence Center (MSTIC) claims it caught an Austrian company selling spyware. The malware enabled unauthorized surveillance missions targeting law firms, banks, and consultancy firms.
Microsoft published a detailed blog post which claims an Austrian company named DSIRF had developed spyware known as Subzero. The company was offering the Subzero spyware, which Microsoft had dubbed Knotweed.
MSTIC has found multiple links between DSIRF and the exploits and malware used in these attacks. These include command-and-control infrastructure used by the malware directly linking to DSIRF, a DSIRF-associated GitHub account being used in one attack, a code signing certificate issued to DSIRF being used to sign an exploit, and other open-source news reports attributing SubZero to DSIRF.
The attack was seeded via a weaponized PDF document sent by email. Combined with a zero-day Windows vulnerability, the attack gained elevated privileges on the target machine. Subzero itself is a rootkit that grants full control over a compromised system.
DSIRF could compromise systems using a previously unknown zero-day privilege escalation exploit for Windows and an Adobe Reader remote code execution exploit. Microsoft assigned the security vulnerability the ID CVE-2022-22047 and has confirmed that it has been patched.
Companies that develop and deploy malware on a commercial basis are referred to as Private-Sector Offensive Actors (PSOAs), and Microsoft also labels them “cyber mercenaries”. It is likely that DSIRF was offering its spyware as access-as-a-service and hack-for-hire. Microsoft indicated that the company was not involved in any targeting or running of the operation.
An archived copy of the DSIRF website states the company provides services “to multinational corporations in the technology, retail, energy, and financial sectors”. The company has “a set of highly sophisticated techniques in gathering and analyzing information.”
The website also mentioned the company can perform “an enhanced due diligence and risk analysis process through providing a deep understanding of individuals and entities”. It has “highly sophisticated Red Teams to challenge your company’s most critical assets.”
Microsoft has essentially repeated the aforementioned information via a written testimony document it submitted to the hearing on “Combatting the Threats to U.S. National Security from the Proliferation of Foreign Commercial Spyware”.
Via: The Register