On Wednesday Microsoft released a report on a Private Sector Offensive Actor (PSOA) using Windows and Adobe 0-day attacks. PSOAs are companies that offer surveillance and intrusion capabilities, usually to governments or business interests, as a form of espionage-as-a-service. Microsoft calls this latest group KNOTWEED and has identified it as an Austria-based company called DSIRF. Most notably, KNOTWEED has been deploying a malware toolkit called Subzero, which operates via an attack chain combining Adobe Remote Code Execution (RCE) exploits with an exploit for the recently patched Windows privilege escalation vulnerability CVE-2022-22047. This is very similar to previous attack chains used to deploy Subzero in 2021, which included a malicious DLL signed with DSIRF’s code-signing certificate.
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense