Untangling KNOTWEED: European private-sector offensive actor using 0-day exploits

KNOTWEED is an Austria-based PSOA named DSIRF.
The DSIRF website says they provide services “to multinational corporations in the technology, retail, energy and financial sectors” and that they have “a set of highly sophisticated techniques in gathering and analyzing information.” They publicly offer several services including “an enhanced due diligence and risk analysis process through providing a deep understanding of individuals and entities” and “highly sophisticated Red Teams to challenge your company’s most critical assets.”

MSTIC found KNOTWEED’s Subzero malware deployed in a variety of ways.
In the succeeding sections, the different stages of Subzero are referred to by their Microsoft Defender detection names: Jumplump for the persistent loader and Corelump for the main malware.

Previously, MSRC received a report of two Windows privilege escalation exploits (CVE-2021-31199 and CVE-2021-31201) being used in conjunction with an Adobe Reader exploit (CVE-2021-28550), all of which were patched in June 2021.
MSTIC was able to confirm the use of these in an exploit chain used to deploy Subzero.

Analysts were later able to link the deployment of Subzero to a fourth exploit, one related to a Windows privilege escalation vulnerability in the Windows Update Medic Service (CVE-2021-36948), which allowed an attacker to force the service to load an arbitrary signed DLL.
The malicious DLL used in the attacks was signed by ‘DSIRF GmbH’.

In addition to the exploit chains, another method of access that led to the deployment of Subzero was an Excel file masquerading as a real estate document.
The file contained a malicious macro that was obfuscated with large chunks of benign comments from the Kama Sutra, string obfuscation, and use of Excel 4.0 macros.

After de-obfuscating strings at runtime, the VBA macro uses the ExecuteExcel4Macro function to call native Win32 functions to load shellcode into memory allocated using VirtualAlloc.
Each opcode is individually copied into a newly allocated buffer using memset before CreateThread is called to execute the shellcode.
he downloader shellcode is the initial shellcode executed from either the exploit chains or malicious Excel documents.

The shellcode’s purpose is to retrieve the Corelump second-stage malware from the actor’s command-and-control (C2) server.
The downloader shellcode downloads a JPEG image that contains extra encrypted data appended to the end of the file (past the 0xFF 0xD9 marker that signifies the end of a JPEG file).
The JPEG is then written to the user’s %TEMP% directory.

The downloader shellcode searches for a 16-byte marker immediately following the end of JPEG.
After finding the marker, the downloader shellcode RC4 decrypts the loader shellcode using the next 16 bytes as the RC4 key.

Finally, the loader shellcode RC4 decrypts the Corelump malware using a second RC4 key and manually loads it into memory.
Corelump is the main payload and resides exclusively in memory to evade detection.

It contains a variety of capabilities including keylogging, capturing screenshots, exfiltrating files, running a remote shell, and running arbitrary plugins downloaded from KNOTWEED’s C2 server.

As part of installation, Corelump makes copies of legitimate Windows DLLs and overwrites sections of them with malicious code.

As part of this process, Corelump also modifies the fields in the PE header to accommodate the nefarious changes, such as adding new exported functions, disabling Control Flow Guard, and modifying the image file checksum with a computed value from CheckSumMappedFile.

These trojanized binaries (Jumplump) are dropped to disk in C:WindowsSystem32spooldriverscolor, and COM registry keys are modified for persistence (see the Behaviors section for more information on COM hijacking).

Jumplump is responsible for loading Corelump into memory from the JPEG file in the %TEMP% directory.

If Corelump is not present, Jumplump attempts to download it again from the C2 server.
Both Jumplump and the downloader shellcode are heavily obfuscated to make analysis difficult, with most instructions being followed by a jmp to another instruction/jmp combination, giving a convoluted control flow throughout the program.

KNOTWEED was also observed using the bespoke utility tools Mex and PassLib.

These tools are developed by KNOTWEED and bear capabilities that are derived from publicly available sources.
Mex, for example, is a command-line tool containing several red teaming or security plugins copied from GitHub

Pivoting off a known command-and-control domain identified by MSTIC, acrobatrelay[.]com, RiskIQ expanded the view of KNOTWEED’s attack infrastructure.
Leveraging unique patterns in the use of SSL certificates and other network fingerprints specific to the group and associated with that domain, RiskIQ identified a host of additional IP addresses under the control of KNOTWEED.
This infrastructure, largely hosted by Digital Ocean and Choopa, has been actively serving malware since at least February of 2020 and continues through the time of this writing.

RiskIQ next utilized passive DNS data to determine which domains those IPs resolved to at the time they were malicious.
This process yielded several domains with direct links to DSIRF, including demo3[.]dsirf[.]eu (the company’s own website), and several subdomains that appear to have been used for malware development, including debugmex[.]dsirflabs[.]eu (likely a server used for debugging malware with the bespoke utility tool Mex) and szstaging[.]dsirflabs[.]eu (likely a server used to stage Subzero malware).

Corelump drops the Jumplump loader DLLs to C:WindowsSystem32spooldriverscolor.
This is a common directory used by malware as well as some legitimate programs, so writes of PE files to the folder should be monitored.

Jumplump uses COM hijacking for persistence, modifying COM registry keys to point to the Jumplump DLL in C:WindowsSystem32spooldriverscolor.
Modifications of default system CLSID values should be monitored to detect this technique (e.g., HKLMSOFTWAREClassesCLSID{GUID}InProcServer32 Default value).
The five CLSIDs used by Jumplump are listed below with their original clean values on Windows 11:

{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea} = “%SystemRoot%System32ApplicationFrame.dll”
{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} = “%SystemRoot%system32propsys.dll”
{4590f811-1d3a-11d0-891f-00aa004b2e24} = “%SystemRoot%system32wbemwbemprox.dll”
{4de225bf-cf59-4cfc-85f7-68b90f185355} = “%SystemRoot%system32wbemwmiprvsd.dll”
{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A} = “%SystemRoot%System32Actioncenter.dll”
Many of the post-compromise actions can be detected based on their command lines.
Customers should monitor for possible malicious activity such as PowerShell executing scripts from internet locations, modification of commonly abused registry keys