
Knotweed Euro cyber mercenaries attacking private sector, says Microsoft

Microsoft has published an analysis of a Europe-based “private-sector offensive actor” with a view to helping its customers spot signs of attacks by money-hungry gangsters.

Dubbed Knotweed by Microsoft’s Threat Intelligence Center and Security Response Center, the private-sector-targeting crew has made use of multiple Windows and Adobe zero-day exploits in attacks against European and Central American customers.

The group itself is, according to Microsoft, an Austria-based PSOA. While the outfit looks very above board, with a website rammed full of business-speak concerning information gathering and the company’s 20 years of expertise, according to Microsoft’s report the group is connected to the development and sale of the SubZero malware.

“Observed victims to date,” noted Microsoft, “include law firms, banks, and strategic consultancies in countries such as Austria, the United Kingdom, and Panama.”

Unsurprisingly, the malware makes use of a number of exploits, including zero-days, to infiltrate the computers of victims. In 2022, exploits were found packaged in a PDF document sent via email which, when combined with a zero-day Windows privilege escalation exploit, resulted in the deployment of SubZero. SubZero itself is a rootkit which grants full control over a compromised system.

The patched CVE-2022-22047 vulnerability featured in the attacks and enabled an escape from sandboxes. Naturally, Microsoft is keen that users apply the security patch, although there have been some unfortunate side effects…

“The exploit chain starts,” explained Microsoft, “with writing a malicious DLL to disk from the sandboxed Adobe Reader renderer process. The CVE-2022-22047 exploit was then used to target a system process by providing an application manifest with an undocumented attribute that specified the path of the malicious DLL.

“Then, when the system process next spawned, the attribute in the malicious activation context was used, the malicious DLL was loaded from the given path, and system-level code execution was achieved.”

Reminder: if it looks like it came from a real estate agent…

Other attacks were tracked in 2021, utilizing vulnerabilities patched that year. One deployment was traced to an Excel file masquerading as a real estate document containing a malicious Excel 4.0 macro (obfuscated with large chunks of text from the Kama Sutra).

Once in, the malware lurks in memory and can capture screenshots, perform keylogging, exfiltrate files, run a remote shell and download plug-ins from Knotweed’s C2 server.

Investigators have identified a host of IP addresses under the control of Knotweed. Depressingly, Microsoft noted “this infrastructure, largely hosted by Digital Ocean and Choopa, has been actively serving malware since at least February of 2020 and continues through the time of this writing.”

With the group’s activities ongoing, Microsoft’s only advice appears to be keeping up to date with both patching and malware detection and looking out for post-compromise actions such as credential dumping and the enabling of plaintext credentials.

In addition, Microsoft recommends a switch to multifactor authentication and a change to Excel macro security settings to ensure that runtime macro scanning by the Antimalware Scan Interface (AMSI) is enabled.
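As an added illustration (not taken from Microsoft's report or the article), the sketch below shows how a defender might watch for two of the changes mentioned above, the enabling of plaintext credentials and the disabling of AMSI macro scanning, in Sysmon registry-set events. The registry paths are the standard Windows WDigest and Office policy locations and are assumptions of this example, as are the constructed sample events.

```python
import re

# Registry values behind the two checks. The paths are the standard Windows and
# Office policy locations (an assumption of this example, not from the article).
WATCHED = [
    (re.compile(r"\\Control\\SecurityProviders\\WDigest\\UseLogonCredential$", re.I),
     lambda v: v == 1, "WDigest plaintext credential caching enabled"),
    (re.compile(r"\\Software\\Policies\\Microsoft\\Office\\[\d.]+\\Common\\Security"
                r"\\MacroRuntimeScanScope$", re.I),
     lambda v: v == 0, "AMSI runtime macro scanning disabled"),
]
DWORD = re.compile(r"DWORD \(0x([0-9a-fA-F]{8})\)")

def parse_dword(details):
    """Return the integer in a Sysmon 'DWORD (0x........)' string, else None."""
    m = DWORD.fullmatch(details.strip())
    return int(m.group(1), 16) if m else None

def findings(events):
    """Flag Sysmon Event ID 13 (registry value set) records that weaken either setting."""
    out = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        value = parse_dword(ev.get("Details", ""))
        if value is None:
            continue
        for pattern, is_bad, label in WATCHED:
            if pattern.search(ev.get("TargetObject", "")) and is_bad(value):
                out.append((ev.get("UtcTime"), ev.get("Image"), label))
    return out

# Constructed sample events (not real telemetry).
WDIGEST = r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential"
SCAN = (r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Policies"
        r"\Microsoft\Office\16.0\Common\Security\MacroRuntimeScanScope")
REG = r"C:\Windows\System32\reg.exe"
SAMPLE_EVENTS = [
    {"EventID": 13, "UtcTime": "2022-07-28 09:14:02.113", "Image": REG,
     "TargetObject": WDIGEST, "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "UtcTime": "2022-07-28 09:20:41.007", "Image": REG,
     "TargetObject": WDIGEST, "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "UtcTime": "2022-07-28 09:31:55.640", "Image": REG,
     "TargetObject": SCAN, "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "UtcTime": "2022-07-28 09:40:10.902", "Image": REG,
     "TargetObject": SCAN, "Details": "DWORD (0x00000002)"},
]

if __name__ == "__main__":
    for hit in findings(SAMPLE_EVENTS):
        print(*hit, sep=" | ")
```

Only the first and third sample events are flagged: setting UseLogonCredential back to 0, or the scan scope to 2 (all files), is the hardened state.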

Overall, Microsoft’s analysis is both an interesting assessment of an active group and a sobering reminder of the race underway between miscreants and researchers. Sadly, it looks like the game of whack-a-mole with regard to vulnerabilities, exploits and patches is unlikely to end any time soon. ®