Cyber Mercenary leveraged Windows Zero Day in Subzero malware attack
“We welcome Congress’ emphasis on the risks and abuses we all collectively face from the unscrupulous use of surveillance technologies and encourage regulation to limit their use here in the United States and elsewhere in the world.”
Researchers observed several other vulnerabilities exploited in the exploit chains used to deploy Subzero, including three Windows privilege escalation bugs (CVE-2021-31199, CVE-2021-31201, and CVE-2021-3648) and an Adobe Reader flaw (CVE-2021-28550). Beyond these exploit chains, Subzero was also deployed via an Excel file that posed as a real estate document but actually carried a malicious macro.
After initial access, a downloader shellcode was executed to retrieve second-stage malware from the command and control (C2) server operated by the actor. This main payload, which resided exclusively in memory to avoid detection, had a variety of capabilities, including keylogging, capturing screenshots, stealing files, and running remote shells and arbitrary plugins. Knotweed was also observed using custom utility tools it had developed, called Mex and PassLib, which dumped credentials from web browsers, Windows Credential Manager, and email clients.
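The intrusion chain described above (an Office document launching a macro, a downloader fetching a second stage from a C2 server, and the payload living only in memory) leaves little on disk, so defenders usually catch it from process-tree telemetry rather than file signatures. The following is an added example, not code from Microsoft or from the original article: a small Python heuristic over constructed Sysmon-style process and network events that flags script hosts spawned under an Office application and outbound connections made by any descendant of an Office process. The event shape, the sample PIDs and the destination addresses are all constructed for illustration.

```python
from dataclasses import dataclass

# Parent applications that a document lure typically runs under.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "acrord32.exe"}

# Interpreters and LOLBins commonly abused by macro droppers to stage a download.
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}


@dataclass
class Event:
    """Minimal Sysmon-like event: kind is 'process' (creation) or 'network' (connect)."""
    kind: str
    pid: int
    image: str
    ppid: int = 0      # only meaningful for process-creation events
    dest: str = ""     # only meaningful for network events


# Constructed sample telemetry (not from the article): Excel opened from the
# desktop launches PowerShell, which then connects out; an unrelated Notepad
# process also connects out and should not be flagged.
SAMPLE_EVENTS = [
    Event("process", 1000, r"C:\Windows\explorer.exe"),
    Event("process", 1200, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE", ppid=1000),
    Event("process", 1300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", ppid=1200),
    Event("network", 1300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", dest="203.0.113.10:443"),
    Event("process", 1400, r"C:\Windows\System32\notepad.exe", ppid=1000),
    Event("network", 1400, r"C:\Windows\System32\notepad.exe", dest="198.51.100.5:80"),
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def build_tree(events):
    """Map pid -> ppid and pid -> image name from the process-creation events."""
    parents, images = {}, {}
    for e in events:
        if e.kind == "process":
            parents[e.pid] = e.ppid
            images[e.pid] = basename(e.image)
    return parents, images


def office_ancestor(pid, parents, images, max_depth=8):
    """Return the image name of the nearest Office ancestor of pid, or None."""
    cur = parents.get(pid)
    for _ in range(max_depth):          # bounded walk guards against pid reuse cycles
        if cur is None:
            return None
        if images.get(cur) in OFFICE_APPS:
            return images[cur]
        cur = parents.get(cur)
    return None


def find_suspicious(events):
    """Return (rule, pid, detail) tuples for events matching the two heuristics."""
    parents, images = build_tree(events)
    findings = []
    for e in events:
        if e.kind == "process" and basename(e.image) in SCRIPT_HOSTS:
            anc = office_ancestor(e.pid, parents, images)
            if anc:
                findings.append(("office_spawns_script_host", e.pid, anc))
        elif e.kind == "network":
            anc = office_ancestor(e.pid, parents, images)
            if anc:
                findings.append(("office_descendant_network", e.pid, e.dest))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in find_suspicious(SAMPLE_EVENTS):
        print(f"{rule}: pid={pid} {detail}")
```

Both rules are behavioural rather than signature-based, which is why they still fire when the second stage never touches disk; in production they would be tuned with an allow-list for legitimate Office add-ins that spawn interpreters.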
Microsoft’s hope in sharing information (such as malware signatures) about cyber mercenary groups like Knotweed with its customers and industry partners is to improve detection of such attacks. Other tech companies have taken similar action, with Google in June applying its Safe Browsing protection to more than 30 domains linked to several for-hire hacking operations. These hacking-for-hire companies had targeted a range of accounts, including Gmail and AWS accounts, to carry out corporate espionage against companies, as well as campaigns targeting human rights defenders, political activists, journalists and other high-risk users worldwide.
The public sector is also turning its attention to spyware and cyber mercenary ventures, with the Intelligence Authorization Act, a bill recently passed by the House Intelligence Committee, including several provisions that crack down on companies selling surveillance technology. During a Wednesday hearing of the House of Representatives Standing Intelligence Select Committee on “Combating Threats to the National Security of the United States from the Proliferation of Foreign Commercial Spyware,” Microsoft and other companies described how they see more and more cyber mercenaries selling their tools to authoritarian governments in order to target human rights activists, journalists, dissidents and others.
“We welcome Congress’s focus on the risks and abuses we all collectively face from the unscrupulous use of surveillance technologies and encourage regulation to limit their use here in the United States and elsewhere in the world,” said Cristin Goodwin, general manager of Microsoft’s Digital Security Unit, Wednesday. “We will continue to advocate for political solutions to address the dangers caused when [private-sector offensive actors] manufacture and sell weapons.”