Microsoft has linked the efforts of the threat group Knotweed to an Austrian spyware vendor. The group has so far used the malware dubbed ‘SubZero’ to attack groups in Europe and Central America. The Subzero malware, as used by Knotweed, can be used to hack a target’s phone, computers, network, and internet-connected devices.
DSRIF markets itself as a company that provides information research, forensics, and data-driven intelligence services to corporations. Yet, Microsoft has found multiple associations between the two apparently dissimilar groups which establishes a concrete link.
“These include command-and-control infrastructure used by the malware directly linking to DSIRF, a DSIRF-associated GitHub account being used in one attack, a code signing certificate issued to DSIRF being used to sign an exploit, and other open-source news reports attributing Subzero to DSIRF,” Microsoft said.
“Observed victims to date include law firms, banks, and strategic consultancies in countries such as Austria, the United Kingdom, and Panama.”
In 2021, the cyber mercenary group was also linked to the exploitation of a fourth zero-day, a Windows privilege escalation flaw in the Windows Update Medic Service (CVE-2021-36948) used to force the service to load an arbitrary signed DLL.
“To limit these attacks, we issued a software update to mitigate the use of vulnerabilities and published malware signatures that will protect Windows customers from exploits Knotweed was using to help deliver its malware,” said Cristin Goodwin, General Manager at Microsoft’s Digital Security Unit.
“We are increasingly seeing PSOAs selling their tools to authoritarian governments that act inconsistently with the rule of law and human rights norms, where they are used to target human rights advocates, journalists, dissidents and others involved in civil society,” Goodwin added.