“We welcome Congress’s focus on the risks and abuses we all collectively face from the unscrupulous use of surveillance technologies and encourage regulation to limit their use both here in the United States and elsewhere around the world.”
Researchers observed several other vulnerabilities being leveraged in exploit chains to deploy Subzero including three Windows privilege escalation bugs (CVE-2021-31199, CVE-2021-31201 and CVE-2021-3648) and an Adobe Reader flaw (CVE-2021-28550). Beyond these exploit chains, Subzero was also seen being deployed via an Excel file that masqueraded as a real estate document, but was actually a malicious macro.
After initial access, a downloader shellcode was executed that retrieved a second-stage malware from the actor-operated command-and-control (C2) server; this main payload, which resided exclusively in memory to avoid detection, had a variety of capabilities, including keylogging, capturing screenshots, stealing files, and running remote shells and arbitrary plugins. Knotweed was also observed using custom utility tools that it had developed called Mex and PassLib, which dumped credentials from web browsers, Windows credential manager and email clients.
Microsoft’s hope in sharing information (like malware signatures) linked to cyber mercenary groups like Knotweed with its customers and industry partners is to improve detection of these attacks. Other companies in the tech industry have made similar steps, with Google in June applying its Safe Browsing protection feature to more than 30 domains linked to several hack-for-hire operations. These hack-for-hire firms had targeted a range of accounts, including Gmail and AWS accounts, in order to carry out corporate espionage attacks against firms, as well as campaigns that target human rights and political activists, journalists and other high-risk users worldwide.
The public sector is also calling attention to spyware and cyber mercenary commercial firms, with the Intelligence Authorization Act, a bill recently passed by the House Intelligence Committee, including several parts that crack down on firms selling surveillance technology. In a Wednesday House Permanent Select Committee on Intelligence Hearing about “Combating the Threats to U.S. National Security from the Proliferation of Foreign Commercial Spyware,” Microsoft and other firms described how they are increasingly seeing cyber mercenaries selling their tools to authoritarian governments in order to target human rights activists, journalists, dissidents and others.
“We welcome Congress’s focus on the risks and abuses we all collectively face from the unscrupulous use of surveillance technologies and encourage regulation to limit their use both here in the United States and elsewhere around the world,” said Cristin Goodwin, general manager with Microsoft’s Digital Security Unit, on Wednesday. “We will continue to advocate around policy solutions to address the dangers caused when [private-sector offensive actors] build and sell weapons.”