Vienna-based firm DSIRF exploited Windows and Adobe zero-day exploits against European and Central American companies.
Security researchers at Microsoft claim a private-sector offensive actor (PSOA) from Austria developed malware dubbed ‘Subzero’ to target law firms, financial institutions, and consultancies in countries such as Austria, the UK, and Panama.
PSOAs are sometimes called cyber mercenaries for selling offensive hacking tools. Microsoft dubbed the group behind Subzero’ Knotweed.’ Researchers believe that the PSOA in question sold Subzero malware to third parties and, in some cases, were intimately involved in the attacks.
“Microsoft’s communications with a Subzero victim revealed that they had not commissioned any red teaming or penetration testing, and confirmed that it was unauthorized, malicious activity,” reads Microsoft’s blog.
Researchers claim that they’ve discovered links between DSFIR, the exploits, and malware used in the attacks. For example, DSFIR command-and-control (C2) infrastructure and DSFIR-associated GitHub account were employed in an attack.
Microsoft researchers say they spotted Subzero in the wild as recently as May 2022 when attackers employed Adobe’s remote code execution (RCE) vulnerability together with Windows-related zero-day for privilege escalation.
The Windows zero-day assigned CVE-2022-22047 was patched only in July. According to Microsoft, the vulnerability ‘is related to an issue with activation context caching in the Client Server Run-Time Subsystem (CSRSS) on Windows.’
In other instances, Subzero was deployed via an Excel document masquerading as a real estate document containing a malicious Excel 4.0 macro. After breaching the system, the malware can start ‘keylogging, capturing screenshots, exfiltrating files, running a remote shell, and running arbitrary plugins.’
Microsoft urges its clients to apply the latest security updates to mitigate the zero-day exploits threat actors used to penetrate victim devices.
Vienna-based DSIRF, or Decision Supporting Information Research Forensic, self describes as a provider of ‘mission-tailored services in the fields of information research, forensics as well as data.’
Reuters claims that in a copy of an internal presentation published last year by German news website Netzpolitik, DSIRF advertises Subzero as a ‘next generation cyber warfare’ tool that can take full control of a target’s PC, steal passwords, and reveal its location.
Another PSOA, the Israeli firm NSO Group, has run into trouble after it was discovered its spyware was used to target specific devices. For example, Apple sued NSO Group for developing an iPhone-targeting tool, Pegasus.
More from Cybernews:
Subscribe to our newsletter