As a Congressional hearing meets Wednesday to discuss private contractors selling espionage spyware, and Reuters issued new reports such spyware was used to target the European Union's central lawmaking body, Microsoft is releasing details of a new campaign from an emerging contractor in the field.
"The NSO Group is the canonical example, but there are other companies included on the US Department of Commerce Entities List and a myriad of others that are selling these services that are not yet included on the List," Microsoft's Cristin Flynn Goodwin said in written testimony to the hearing.
The new threat detailed by Microsoft in a blog post Wednesday is Austrian contractor DSIRF. DSIRF has marketed itself in the past as a threat intelligence operation with "highly sophisticated techniques in gathering and analysing information, to support the decision-making" of a tech, retail, financial and energy clientele. In practice, the company has been linked to sales of espionage malware, with media reports the group has marketed its "Subzero" malware to the Kremlin.
The technical details behind Subzero had not been fully reported in the past. Microsoft says the group has been caught targeting "law firms, banks, and strategic consultancies in countries such as Austria, the United Kingdom, and Panama." Microsoft contacted a victim that confirmed it had not hired penetration testing services from DSIRF.
"It’s important to note that the identification of targets in a country doesn’t necessarily mean that a DSIRF customer resides in the same country, as international targeting is common," notes Microsoft's report.
Microsoft tracks and investigates mercenary espionage actors nicknames using nicknames taken from plants. It has been referring to DSIRF as "KNOTWEED."
Subzero appears to be distributed through a number of vectors, including vulnerabilities in Adobe and Windows products. Microsoft said it had patched at least four zero days being used by the group since 2021, with at least one zero day in Adobe used widely by the group. In one case, a malicious DLL loaded in through a chain of zero days, was actually signed to DSIRF.
DSIRF has also used VBA macros in Excel. The macros included obfuscation in the code by hiding commands in long passages of the Kama Sutra.
shellcode and Corelump. (Microsoft)
Both the vulnerability chain and the Excel macro install downloader shellcode that uses an RC4 key hidden in a JPEG file – a meme depicting Kim Jung Un wondering if he can eat a guitar – to download CoreLump, an implant capable of keylogging, capturing screenshots, exfiltrating files, running a remote shell, and running arbitrary plugins. CoreLump installs JumpLump, a loader.
CSIRF also utilizes a custom password stealer and "Mex," software that wraps code from several common open source red team projects (Chisel, mimikatz , SharpHound3, Curl, Ping, Castle, SharpOxidResolver, Grouper2, Rubeus, PharpPrinter, Internal Monologue, SCShell, SpoolSample, Inveigh, Seatbelt, StandIn, Lockless and SharpExec) into a single tool.
Beyond the code signing misstep linking the attacks to DSIRF, DSIRF also DNS infrastructure whose IPs resolved to its main corporate website and other DSIRF-linked sites.
The Microsoft report recommends prioritizing patching the recent CVE-2022-22047, keeping antivirus up to date, and threat hunting using a full arsenal of methods it outlined.
