
Knotweed Euro cyber mercenaries attacking private sector, says Microsoft
2022-07-27 16:45

Microsoft has published an analysis of a Europe-based "Private-sector offensive actor" with a view to helping its customers spot signs of attacks by money-hungry gangsters.

Dubbed Knotweed by Microsoft's Threat Intelligence Center and Security Response Center, the private sector targeting crew has made use of multiple Windows and Adobe zero-day exploits in attacks against European and Central American customers.

The group itself is, according to Microsoft, an Austria-based PSOA (private-sector offensive actor). While the outfit looks very above board, with a website rammed full of business-speak concerning information gathering and the company's 20 years of expertise, according to Microsoft's report the group is connected to the development and sale of the SubZero malware.

In 2022, exploits were found packaged in a PDF document sent via email which, when combined with a zero-day Windows privilege escalation exploit, resulted in the deployment of SubZero.

Naturally, Microsoft is keen that users apply the security patch, although there have been some unfortunate side effects.... "The exploit chain starts," explained Microsoft, "with writing a malicious DLL to disk from the sandboxed Adobe Reader renderer process. The CVE-2022-22047 exploit was then used to target a system process by providing an application manifest with an undocumented attribute that specified the path of the malicious DLL."
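The two-step chain Microsoft describes, a DLL written to disk by the sandboxed Reader renderer and then loaded into a system-level process, lends itself to a simple correlation over endpoint telemetry: flag DLL writes from a low-integrity renderer, and raise severity when a high-integrity or SYSTEM process later loads that exact file. The detector below is an added example, not code from Microsoft or The Register. It assumes Sysmon-style events (EventID 11 FileCreate, EventID 7 ImageLoaded) flattened to key=value lines; the sample lines, process names, paths and integrity-level strings are constructed for illustration.

```python
"""Toy two-stage correlator for the pattern in the Knotweed write-up.

Stage 1: a sandboxed PDF-reader renderer writes a .dll to disk (medium).
Stage 2: a SYSTEM/high-integrity process loads that same .dll (high).
Added example; not Microsoft's or The Register's code.
"""
import re
from typing import Dict, List

# Constructed Sysmon-style events (not real telemetry).
# Sysmon EventID 11 = FileCreate, EventID 7 = ImageLoaded.
SAMPLE_EVENTS = [
    r"ts=2022-07-20T10:01:02Z EventID=11 Image=C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe "
    r"IntegrityLevel=AppContainer TargetFilename=C:\Users\alice\AppData\Local\Temp\update.dll",
    r"ts=2022-07-20T10:01:05Z EventID=7 Image=C:\Windows\System32\svchost.exe "
    r"IntegrityLevel=System ImageLoaded=C:\Users\alice\AppData\Local\Temp\update.dll",
    # benign noise: the renderer writing a PDF, a system process loading a normal DLL
    r"ts=2022-07-20T10:02:00Z EventID=11 Image=C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe "
    r"IntegrityLevel=AppContainer TargetFilename=C:\Users\alice\Documents\notes.pdf",
    r"ts=2022-07-20T10:03:00Z EventID=7 Image=C:\Windows\System32\svchost.exe "
    r"IntegrityLevel=System ImageLoaded=C:\Windows\System32\kernel32.dll",
]

# Assumptions: which reader images count as a sandboxed renderer, and which
# integrity levels count as "sandboxed" versus "privileged".
RENDERER_IMAGES = {"acrord32.exe", "acrobat.exe"}
SANDBOX_LEVELS = {"appcontainer", "low"}
PRIVILEGED_LEVELS = {"system", "high"}

# Split on whitespace only where the next token looks like "Key=", so that
# values containing spaces (e.g. "Program Files") stay intact.
_FIELD_SPLIT = re.compile(r"\s+(?=[A-Za-z]+=)")


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value line into a dict."""
    fields: Dict[str, str] = {}
    for token in _FIELD_SPLIT.split(line.strip()):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(lines: List[str]) -> List[dict]:
    """Return alerts in event order; stage 2 requires a prior stage-1 write."""
    alerts: List[dict] = []
    dropped: Dict[str, str] = {}  # normalised DLL path -> timestamp of the write
    for line in lines:
        ev = parse_event(line)
        eid = ev.get("EventID")
        level = ev.get("IntegrityLevel", "").lower()
        ts = ev.get("ts", "")
        if eid == "11":
            target = ev.get("TargetFilename", "")
            if (basename(ev.get("Image", "")) in RENDERER_IMAGES
                    and level in SANDBOX_LEVELS
                    and target.lower().endswith(".dll")):
                dropped[target.lower()] = ts
                alerts.append({"severity": "medium", "ts": ts,
                               "rule": "sandboxed-renderer-wrote-dll",
                               "path": target})
        elif eid == "7":
            loaded = ev.get("ImageLoaded", "")
            if level in PRIVILEGED_LEVELS and loaded.lower() in dropped:
                alerts.append({"severity": "high", "ts": ts,
                               "rule": "privileged-process-loaded-renderer-dropped-dll",
                               "path": loaded, "loader": ev.get("Image", ""),
                               "written_at": dropped[loaded.lower()]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The stage-1 rule alone is noisy in some environments (reader updaters do write DLLs), so it is emitted at medium severity and mainly serves to seed the correlation; the high-severity alert fires only when a privileged process loads the specific file the renderer wrote, which is the part of the chain that should not happen in normal operation.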

Depressingly, Microsoft noted "This infrastructure, largely hosted by Digital Ocean and Choopa, has been actively serving malware since at least February of 2020 and continues through the time of this writing."


News URL

https://go.theregister.com/feed/www.theregister.com/2022/07/27/knotweed/

Related Vulnerability

DATE        CVE             VULNERABILITY TITLE                                                  RISK
2022-07-12  CVE-2022-22047  Untrusted Search Path vulnerability in Microsoft products            local, low complexity, CWE-426, score 7.8
                            (Windows Client Server Run-time Subsystem (CSRSS) Elevation of
                            Privilege Vulnerability; vendor: microsoft)

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Microsoft 665 798 4412 4095 3689 12994