Microsoft has published an analysis of Knotweed, a private-sector offensive actor (PSOA) that developed and used a malware called Subzero to attack Windows as well as Adobe customers by using multiple zero-day exploits. The company intends to use the analysis to inform customers and industry partners to improve detection of these attacks. The company says that the exploit, which included the one that was patched in the July 2022 security update, was used to target customers in Europe and Central America.
The Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) found the Austria-based PSOA which was carrying out limited and targeted attacks against European and Central American customers by using malware called Subzero. The malware can be used to hack targets’ phones, computers, networks as well as internet-connected devices.
As per Microsoft, Knotweed was not only selling the hacking tools to third parties but also running targeted operations. The Windows-maker was able to spot two business models — access-as-a-service and hack-for-hire — associated with the “cyber mercenaries.”
“In access-as-a-service, the PSOA sells full end-to-end hacking tools that can be used by the purchaser in operations, with the PSOA not involved in any targeting or running of the operation,” Microsoft said. In hack-for-hire, the actor runs the targeted operations based on the detailed information provided by the purchaser. Microsoft observed Knotweed-associated infrastructure in some attacks, suggesting a combination of both business tactics deployed by cyber criminals.
Citing a web archive link of DSIRF (the name by which Knotweed is publicly known), Microsoft says MSTIC found the Subzero malware being deployed through a variety of methods, including zero-day exploits in Windows and Adobe Reader, in 2021 and 2022. It says that the victims of the attacks include law firms, banks, and strategic consultancies in countries such as Austria, Panama, and the United Kingdom.
As per the website, DSIRF offers data-driven intelligence services in the form of research and forensics to corporations.
Microsoft says it will continue to monitor Knotweed’s activities “and implement protections for our customers.” The company is also encouraging quick deployment of the July 2022 Microsoft security updates to protect their systems against exploits. “Microsoft Defender Antivirus and Microsoft Defender for Endpoint have also implemented detections against Knotweed’s malware and tools,” it said.