Security News > 2022 > July > Microsoft: Windows, Adobe zero-days used to deploy Subzero malware

Microsoft has linked a threat group it tracks as Knotweed to a cyber mercenary outfit named DSIRF, targeting European and Central American entities using a malware toolset dubbed Subzero.

Using passive DNS data while investigating Knotweed attacks, threat intelligence firm RiskIQ also found that infrastructure actively serving malware since February 2020 linked to DSIRF, including its official website and domains likely used to debug and stage the Subzero malware.

The Microsoft Threat Intelligence Center has also found multiple links between DSIRF and malicious tools used in Knotweed's attacks.

"These include command-and-control infrastructure used by the malware directly linking to DSIRF, a DSIRF-associated GitHub account being used in one attack, a code signing certificate issued to DSIRF being used to sign an exploit, and other open-source news reports attributing Subzero to DSIRF," Microsoft said.

Last year, Knotweed also used an exploit chain made of two Windows privilege escalation exploits in conjunction with an Adobe Reader exploit, all of them patched in June 2021.

"To limit these attacks, we issued a software update to mitigate the use of vulnerabilities and published malware signatures that will protect Windows customers from exploits Knotweed was using to help deliver its malware," said Cristin Goodwin, General Manager at Microsoft's Digital Security Unit.

News URL

https://www.bleepingcomputer.com/news/microsoft/microsoft-windows-adobe-zero-days-used-to-deploy-subzero-malware/