Microsoft Spots Cyber Mercenaries Using Windows, Adobe Zero-Day Exploits – PCMag


A cyber mercenary company in Austria has been using several zero-day exploits in Windows and Adobe software to spread malware to victims, according to Microsoft.

Microsoft made the allegation in a report on Wednesday that linked the malware attacks to a mysterious intel-gathering firm in Austria called DSIRF. Redmond claims DSIRF is actually a professional hacking company that sells access to its “Subzero” malware tool to clients.

Over the past two years, Microsoft has detected the Subzero malware spreading to computers with the help of previously unknown vulnerabilities in both Windows and Adobe Reader. “Observed victims to date include law firms, banks, and strategic consultancies in countries such as Austria, the United Kingdom, and Panama,” the company added.

Back in May, Microsoft detected one such attack that involved sending a malicious PDF through email in order to infect the user’s computer. The PDF was designed to exploit a vulnerability in Adobe Reader to remotely execute code on the victim’s machine. The attack could then elevate privileges to run system-level code by leveraging a previously unknown flaw in Windows, dubbed CVE-2022-22047, which Microsoft only patched earlier this month.

Chaining the two vulnerabilities together allegedly enabled DSIRF to download and install the Subzero malware onto the victim’s computer. According to Microsoft, the malware’s main component allows it to log keyboard strokes, capture screenshots, steal files and run additional programs over the hijacked machine. 

In addition to using PDFs, Microsoft has also detected DSIRF relying on Excel documents containing malicious macros to secretly spread Subzero. 

The company is linking the attacks to DSIRF, citing the servers and internet domains the Subzero malware was communicating with. RiskIQ, a threat intelligence firm Microsoft acquired last year, was able to identify “a host of additional IP addresses under the control” of the hackers.


“This process yielded several domains with direct links to DSIRF, including demo3[.]dsirf[.]eu (the company’s own website), and several subdomains that appear to have been used for malware development, including debugmex[.]dsirflabs[.]eu (likely a server used for debugging malware with the bespoke utility tool Mex) and szstaging[.]dsirflabs[.]eu (likely a server used to stage Subzero malware),” Microsoft said.
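As an added defender-side example (not from the article or from Microsoft’s report), the following Python refangs the domains quoted above and checks DNS resolver log lines against them, flagging exact matches and deeper subdomains while ignoring lookalike names. The log format and the sample lines are constructed for illustration.

```python
import re
from typing import List, NamedTuple, Optional

# Defanged domains quoted in Microsoft's report, as reproduced in the article above.
DEFANGED_IOCS = [
    "demo3[.]dsirf[.]eu",
    "debugmex[.]dsirflabs[.]eu",
    "szstaging[.]dsirflabs[.]eu",
]

def refang(domain: str) -> str:
    """Undo the 'a[.]b' defanging, lowercase, and drop a trailing dot so the value
    can be compared to hostnames as they appear in resolver logs."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")

IOC_HOSTS = [refang(d) for d in DEFANGED_IOCS]

def match_ioc(host: str) -> Optional[str]:
    """Return the IoC that `host` equals or is a subdomain of, else None.
    The leading '.' in the suffix test keeps names like 'notdsirf.eu' from matching."""
    host = refang(host)
    for ioc in IOC_HOSTS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None

class Hit(NamedTuple):
    timestamp: str
    src: str
    query: str
    ioc: str

# Hypothetical resolver log format, constructed for this example.
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+query=(?P<host>\S+)\s+type=\S+$")

def scan_dns_log(lines) -> List[Hit]:
    """Parse each log line and report queries that touch a known IoC."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        ioc = match_ioc(m["host"])
        if ioc:
            hits.append(Hit(m["ts"], m["src"], m["host"], ioc))
    return hits

# Constructed sample log: one benign query, two that should fire (one with odd
# case and a trailing dot, one on a deeper subdomain), and one lookalike that must not.
SAMPLE_DNS_LOG = """\
2022-05-12T10:01:02Z src=10.0.0.5 query=www.example.com type=A
2022-05-12T10:01:07Z src=10.0.0.5 query=SZSTAGING.dsirflabs.eu. type=A
2022-05-12T10:02:13Z src=10.0.0.9 query=cdn.debugmex.dsirflabs.eu type=A
2022-05-12T10:02:40Z src=10.0.0.9 query=demo3.dsirf.eu.lookalike.test type=A
"""

if __name__ == "__main__":
    for h in scan_dns_log(SAMPLE_DNS_LOG.splitlines()):
        print(f"{h.timestamp} {h.src} queried {h.query} -> matches {h.ioc}")
```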

DSIRF didn’t immediately respond to a request for comment. In the meantime, Microsoft is urging customers to prioritize patching the Windows flaw CVE-2022-22047 in their computers. This can be done by installing the latest Windows updates. The company’s Microsoft Defender Antivirus has also been updated to detect the presence of the Subzero malware.


Source: https://www.pcmag.com/news/microsoft-spots-cyber-mercenaries-using-windows-adobe-zero-day-exploits
