A cyber mercenary that purportedly offers comprehensive security and information analysis services to business customers used multiple Windows and Adobe zero-day bugs in narrowly targeted operations against European and Central American companies. DSIRF is an Austrian group associated with the development and purported sale of a cyberweapon known as Subzero, which can be used to compromise targets' phones, laptops, and internet-connected devices.

Microsoft is tracking the actor under the alias KNOTWEED, continuing its practice of naming private-sector offensive actors (PSOAs) after plants and bushes. Candiru, an Israeli spyware vendor, was previously given the name SOURGUM by the company. KNOTWEED has been linked to both access-as-a-service and hack-for-hire activity: it supplies its toolset to third parties and has also been tied directly to particular attacks.

While the former involves selling end-to-end hacking tools that the purchaser can use in its own campaigns without further involvement from the offensive actor, hack-for-hire firms carry out the specified operation on behalf of their customers.

In a fourth attack chain, Subzero was deployed by exploiting a privilege escalation vulnerability in the Windows Update Medic Service, which Microsoft patched in August 2021.

Beyond these attack chains, Excel files posing as real estate documents have been used to spread the malware; the files contain Excel 4.0 macros designed to trigger execution of the malicious code. Whichever technique is used, the intrusions culminate in the execution of shellcode, which downloads a second-stage payload called Corelump from a remote server in the form of a JPEG image. The image also embeds a loader called Jumplump, which then loads Corelump into memory.
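As an added illustration of the defensive side of that delivery step (example code written for this page, not from Microsoft's report or the article), the check below walks a JPEG's marker structure and reports any bytes appended after the End-Of-Image marker, a common place for a payload to ride inside an otherwise valid image. The article does not say how Corelump is actually embedded, so treating trailing data as the hiding place is an assumption, and the sample JPEG is constructed inline.

```python
import struct

EOI, SOS = 0xD9, 0xDA
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))   # markers without a length field
IN_SCAN = {0x00} | set(range(0xD0, 0xD8))                  # FF00 stuffing and RSTn inside scan data


def jpeg_trailing_data(data: bytes) -> dict:
    """Walk the marker segments; return markers seen, offset after EOI, and trailing byte count."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos, markers = 2, []
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        while pos + 1 < len(data) and data[pos + 1] == 0xFF:   # optional fill bytes before a marker
            pos += 1
        if pos + 1 >= len(data):
            break
        marker = data[pos + 1]
        markers.append(marker)
        if marker == EOI:
            end = pos + 2
            return {"markers": markers, "eoi_end": end, "trailing": len(data) - end}
        if marker in STANDALONE:
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])   # length includes its own 2 bytes
        pos += 2 + length
        if marker == SOS:
            # entropy-coded data follows: advance until a real marker (not stuffing or RSTn)
            while pos + 1 < len(data) and not (data[pos] == 0xFF and data[pos + 1] not in IN_SCAN):
                pos += 1
    raise ValueError("EOI marker not found: truncated or not a JPEG")


def build_sample_jpeg(payload: bytes = b"") -> bytes:
    """Constructed minimal JPEG byte layout (valid markers, not a renderable picture) plus appended bytes."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\xff\x00\x34\xff\xd0\x56"   # contains FF00 stuffing and an RST0 marker
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9" + payload


if __name__ == "__main__":
    clean = jpeg_trailing_data(build_sample_jpeg())
    suspect = jpeg_trailing_data(build_sample_jpeg(b"MZ" + b"\x90" * 40))   # constructed appended blob
    print(f"clean: {clean['trailing']} trailing bytes; "
          f"suspect: {suspect['trailing']} trailing bytes after offset {suspect['eoi_end']}")
```

A non-zero trailing count is a triage signal, not proof of malice; some legitimate tools append metadata after EOI, so flagged files should go to a sandbox or analyst rather than be blocked outright.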

The thriving ecosystem underscores the extent to which commercial surveillance vendors have spread capabilities historically available only to governments, according to Google's Threat Analysis Group (TAG), which tracks numerous vendors that sell exploits or surveillance capabilities to government-backed clients.

Aarav Gupta

Sabrina Bath

