A Viennese company is said to have used several 0-day exploits for malware. Microsoft specialists tracked and evaluated several attacks. The company DSIRF - codenamed Knotweed - wants to see "nothing abusive" about it. The exploit Subzero should definitely come from DSIRF and probably a developed state Trojan.
As already heise.de reported, Microsoft is complaining about the Viennese company DSIRF, since they are said to have used a specially developed state Trojan themselves. Since February 2020, Subzero has been used to hack and monitor several targets, such as lawyers and banks. DSIRF does not dispute this fact, but denies misuse.
Subzero already used since 2020
In an advertising presentation, DSIRF is said to have described what its business areas look like: biometrics, IT evidence preservation, analysis of elections and election campaigns, and cyber warfare. To this extent, the Subzero Trojan is said to have been advertised as a weapon for the next generation of online warfare. Opposite portal heise.de Subzero was described as software for official use in EU countries. Somewhat convoluted for a state trojan.
In its own analysis, Microsoft describes the cyber attacks found in 2021 and 2022. For example: “In May 2022, the Microsoft Threat Intelligence Center (MSTIC) found an Adobe Reader Remote Code Execution (RCE) and a 0-Day Windows Privilege Escalation Exploit Chain used in an attack that led to the deployment of Subzero”.
Microsoft Threat Intelligence Center conducts research
The exploits were packaged in a PDF document that was emailed to the victim. Microsoft was not able to acquire the PDF or Adobe Reader RCE part of the exploit chain, but the victim's Adobe Reader version was released in January 2022, which means that the exploit used was either a 1-day exploit that was developed between January and May, or a 0-day exploit. Based on KNOTWEED's extensive use of other 0-days, we have a reasonable confidence that Adobe Reader RCE is a 0-day exploit. The Windows exploit was analyzed by MSRC, found to be a 0-day exploit, and then patched as CVE-2022-2022 in July 22047.
The Subzero attack has different stages denoting the Microsoft Defender detection name: Jumplump for the persistent loader and Corelump for the main malware. Microsoft has a detailed blog post for this with a lot of technical description.
More at Microsoft.com
About Microsoft Germany Microsoft Deutschland GmbH was founded in 1983 as the German subsidiary of Microsoft Corporation (Redmond, USA). Microsoft is committed to empowering every person and company in the world to achieve more. This challenge can only be mastered together, which is why diversity and inclusion have been firmly anchored in the corporate culture from the very beginning. As the world's leading manufacturer of productive software solutions and modern services in the age of intelligent cloud and intelligent edge, as well as a developer of innovative hardware, Microsoft sees itself as a partner to its customers to help them benefit from the digital transformation. Security and data protection have top priority when developing solutions. As the world's largest contributor, Microsoft is driving open source technology through its leading developer platform GitHub. With LinkedIn, the largest career network, Microsoft promotes professional networking worldwide.