Threat Actor, KNOTWEED Targets Microsoft Users in Europe and Central American

Industries: Consulting, Financial Services, Law | Level: Tactical | Source: Microsoft

Collective research from Microsoft security groups, the Microsoft Threat Intelligence Center (MSTIC), and the Microsoft Security Response Center (MSRC) reports of cyber mercenary group DSIRF (tracked as KNOTWEED) targeting users in Europe and Central America. Victim verticals have been identified as financial services, and consulting and law firms. The threat actors are assessed to be based in Austria using Windows and Adobe zero-day exploits. News reports for the mercenary group have tied them to the sale of malware tools, specifically Subzero, "These include command-and-control infrastructure used by the malware directly linking to DSIRF, a DSIRF-associated GitHub account being used in one attack, a code signing certificate issued to DSIRF being used to sign an exploit, and other open-source news reports attributing Subzero to DSIRF." A historical review on DSIRF's website shows the group advertises themselves as an offensive security service "highly sophisticated Red Teams to challenge your company’s most critical assets.” A victim of the Subzero malware disclosed to Microsoft they were not engaged in any offensive security services with DSIRF. Initial attacks from KNOTWEED were observed to involve sending emails to targets containing a malicious PDF document that exploits Adobe Reader or weaponized Excel documents. The attackers typically utilize zero-day exploits to achieve privilege escalation. In post-compromise stages, the threat actors have been observed to obtain credentials by dumping comsvc, downloading additional PowerShell scripts, and payloads.

Anvilogic Scenario:

• KNOTWEED/DSIRF - Attack Chain

Anvilogic Use Cases:

• comsvcs.dll Lsass Memory Dump
• Rundll32 Command Line
• Modify Registry Key

‍