Security News > 2022 > July > Microsoft: Windows, Adobe zero-days used to deploy Subzero malware
Microsoft has linked a threat group it tracks as Knotweed to a cyber mercenary outfit named DSIRF, targeting European and Central American entities using a malware toolset dubbed Subzero.
Using passive DNS data while investigating Knotweed attacks, threat intelligence firm RiskIQ also found that infrastructure actively serving malware since February 2020 linked to DSIRF, including its official website and domains likely used to debug and stage the Subzero malware.
The Microsoft Threat Intelligence Center has also found multiple links between DSIRF and malicious tools used in Knotweed's attacks.
"These include command-and-control infrastructure used by the malware directly linking to DSIRF, a DSIRF-associated GitHub account being used in one attack, a code signing certificate issued to DSIRF being used to sign an exploit, and other open-source news reports attributing Subzero to DSIRF," Microsoft said.
Last year, Knotweed also used an exploit chain made of two Windows privilege escalation exploits in conjunction with an Adobe Reader exploit, all of them patched in June 2021.
"To limit these attacks, we issued a software update to mitigate the use of vulnerabilities and published malware signatures that will protect Windows customers from exploits Knotweed was using to help deliver its malware," said Cristin Goodwin, General Manager at Microsoft's Digital Security Unit.
News URL
Related news
- Microsoft fixes Windows Smart App Control zero-day exploited since 2018 (source)
- Cloud storage lockers from Microsoft and Google used to store and spread state-sponsored malware (source)
- “Perfect” Windows downgrade attack turns fixed vulnerabilities into zero-days (source)
- Microsoft discloses Office zero-day, still working on a patch (source)
- Microsoft: Windows 11 22H2 reaches end of support in 60 days (source)
- Microsoft is killing the Windows Paint 3D app after 8 years (source)
- Microsoft August 2024 Patch Tuesday fixes 9 zero-days, 6 exploited (source)
- Microsoft fixes 6 zero-days under active attack (source)
- Windows Server August updates fix Microsoft 365 Defender issue (source)
- New Windows SmartScreen bypass exploited as zero-day since March (source)