Security News > 2022 > July > Microsoft: Windows, Adobe zero-days used to deploy Subzero malware
Microsoft has linked a threat group it tracks as Knotweed to a cyber mercenary outfit named DSIRF, targeting European and Central American entities using a malware toolset dubbed Subzero.
Using passive DNS data while investigating Knotweed attacks, threat intelligence firm RiskIQ also found that infrastructure actively serving malware since February 2020 linked to DSIRF, including its official website and domains likely used to debug and stage the Subzero malware.
The Microsoft Threat Intelligence Center has also found multiple links between DSIRF and malicious tools used in Knotweed's attacks.
"These include command-and-control infrastructure used by the malware directly linking to DSIRF, a DSIRF-associated GitHub account being used in one attack, a code signing certificate issued to DSIRF being used to sign an exploit, and other open-source news reports attributing Subzero to DSIRF," Microsoft said.
Last year, Knotweed also used an exploit chain made of two Windows privilege escalation exploits in conjunction with an Adobe Reader exploit, all of them patched in June 2021.
"To limit these attacks, we issued a software update to mitigate the use of vulnerabilities and published malware signatures that will protect Windows customers from exploits Knotweed was using to help deliver its malware," said Cristin Goodwin, General Manager at Microsoft's Digital Security Unit.
News URL
Related news
- Microsoft patches Windows zero-day exploited in attacks on Ukraine (source)
- Researchers Uncover OS Downgrade Vulnerability Targeting Microsoft Windows Kernel (source)
- Russia targets Ukrainian conscripts with Windows, Android malware (source)
- New Windows Themes zero-day gets free, unofficial patches (source)
- Windows Themes zero-day bug exposes users to NTLM credential theft (source)
- Microsoft fixes Windows 10 bug causing apps to stop working (source)
- Microsoft wants $30 if you want to delay Windows 11 switch (source)
- Microsoft delays Windows Recall again, now by December (source)
- Microsoft Delays Windows Copilot+ Recall Release Over Privacy Concerns (source)
- Week in review: Windows Themes spoofing bug “returns”, employees phished via Microsoft Teams (source)