Microsoft reported Subzero attacks against Microsoft customers in Austria, the United Kingdom, and Panama. The targeted entities are law firms, banks, and strategic consultancies. MSTIC states that KNOTWEED’s Subzero malware was deployed in multiple ways; the IT giant refers to the different stages of Subzero malware as Jumplump, the persistent loader, and Corelump, the main malware.
Source: https://QUE.com
Once the system is compromised, the threat actors drop the Corelump downloader and inject it directly into memory to evade detection. It supports multiple features, including keylogging, capturing screenshots, exfiltrating files, running a remote shell, and running arbitrary plugins downloaded from KNOTWEED’s C2 server.
Microsoft researchers observed a variety of post-compromise actions on infected systems:
Researchers from threat intelligence firm RiskIQ, using passive DNS data related to Knotweed attacks, linked the C2 infrastructure used by the malware since February 2020 to DSIRF.
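The passive DNS pivot described above, in which a known C2 domain is expanded into a cluster of related infrastructure by walking shared IP resolutions, is shown below as an added example. It is not code from RiskIQ, Microsoft or DSIRF; the domain names, IP addresses and dates are constructed placeholders, and the two guards (requiring overlapping resolution windows and skipping IPs that host many unrelated domains) are assumptions that reflect common analyst practice for avoiding false links through shared hosting.

```python
from collections import defaultdict
from datetime import date

# Constructed passive DNS records: (domain, resolved IP, first_seen, last_seen).
# Illustrative placeholders only; none of these are real KNOTWEED/DSIRF indicators.
PDNS_RECORDS = [
    ("c2-alpha.example", "203.0.113.10", date(2020, 2, 3), date(2020, 9, 1)),
    ("c2-beta.example", "203.0.113.10", date(2020, 8, 15), date(2021, 3, 30)),
    ("update-cdn.example", "203.0.113.44", date(2021, 1, 10), date(2022, 5, 2)),
    ("c2-beta.example", "203.0.113.44", date(2021, 3, 1), date(2022, 1, 9)),
    ("corp-site.example", "198.51.100.7", date(2019, 6, 1), date(2022, 7, 1)),
    ("unrelated.example", "198.51.100.99", date(2021, 1, 1), date(2021, 2, 1)),
]

# Constructed seed: a single domain already known to be a C2 from malware analysis.
SEED_DOMAINS = {"c2-alpha.example"}


def build_index(records):
    """Index the records both ways so pivots domain->IP->domain are O(1) lookups."""
    by_domain = defaultdict(list)  # domain -> [(ip, first_seen, last_seen)]
    by_ip = defaultdict(list)      # ip -> [(domain, first_seen, last_seen)]
    for domain, ip, first, last in records:
        by_domain[domain].append((ip, first, last))
        by_ip[ip].append((domain, first, last))
    return by_domain, by_ip


def windows_overlap(a_first, a_last, b_first, b_last):
    """True if two resolution windows share at least one day."""
    return a_first <= b_last and b_first <= a_last


def pivot_infrastructure(records, seeds, max_domains_per_ip=10, max_hops=3):
    """Breadth-first expansion from seed domains over shared IP resolutions.

    Two domains are linked only when they resolved to the same IP during
    overlapping time windows, and IPs hosting more than max_domains_per_ip
    distinct domains are treated as shared hosting/CDN and not pivoted through.
    """
    by_domain, by_ip = build_index(records)
    cluster = set(seeds)
    frontier = set(seeds)
    for _ in range(max_hops):
        next_frontier = set()
        for domain in frontier:
            for ip, first, last in by_domain[domain]:
                neighbours = by_ip[ip]
                if len({d for d, _, _ in neighbours}) > max_domains_per_ip:
                    continue  # likely shared hosting; a pivot here would over-link
                for other, o_first, o_last in neighbours:
                    if other in cluster:
                        continue
                    if windows_overlap(first, last, o_first, o_last):
                        next_frontier.add(other)
        cluster |= next_frontier
        frontier = next_frontier
        if not frontier:
            break
    return cluster


def earliest_activity(records, cluster):
    """Earliest first_seen across the cluster, i.e. when the infrastructure came online."""
    return min(first for domain, _, first, _ in records if domain in cluster)


if __name__ == "__main__":
    linked = pivot_infrastructure(PDNS_RECORDS, SEED_DOMAINS)
    print("linked infrastructure:", sorted(linked))
    print("active since:", earliest_activity(PDNS_RECORDS, linked))
```

Running it links the seed to two further domains through two hops while leaving the unrelated entries alone, and reports the earliest first-seen date of the cluster, which is the kind of "active since" figure an attribution report cites. In real investigations the pivot is repeated across other attributes (registrant, TLS certificate hashes, name servers), but the same overlap and fan-out guards apply.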
One of the zero-day exploits used in Knotweed attacks targeted the recently patched CVE-2022-22047 vulnerability. The attackers used this exploit to escalate privileges, escape sandboxes, and gain system-level code execution on the vulnerable system.
Source: https://securityaffairs.co/wordpress/133736/malware/dsirf-behind-subzero-malware.html
On its website, DSIRF promotes itself as a company that provides information research, forensics, and data-driven intelligence services to corporations.
However, it has been linked to the development of the Subzero malware that its customers can use to hack targets’ phones, computers, and network and internet-connected devices.
Continue reading: https://www.bleepingcomputer.com/news/microsoft/microsoft-windows-adobe-zero-days-used-to-deploy-subzero-malware/