Untangling KNOTWEED: European private-sector offensive actor using 0-day exploits

KNOTWEED is an Austria-based PSOA named DSIRF.
The DSIRF website says they provide services “to multinational corporations in the technology, retail, energy and financial sectors” and that they have “a set of highly sophisticated techniques in gathering and analyzing information.” They publicly offer several services including “an enhanced due diligence and risk analysis process through providing a deep understanding of individuals and entities” and “highly sophisticated Red Teams to challenge your company’s most critical assets.”

MSTIC found KNOTWEED’s Subzero malware deployed in a variety of ways.
In the succeeding sections, the different stages of Subzero are referred to by their Microsoft Defender detection names: Jumplump for the persistent loader and Corelump for the main malware.

Previously, MSRC received a report of two Windows privilege escalation exploits (CVE-2021-31199 and CVE-2021-31201) being used in conjunction with an Adobe Reader exploit (CVE-2021-28550), all of which were patched in June 2021.
MSTIC was able to confirm the use of these in an exploit chain used to deploy Subzero.

Analysts were later able to link the deployment of Subzero to a fourth exploit, one related to a Windows privilege escalation vulnerability in the Windows Update Medic Service (CVE-2021-36948), which allowed an attacker to force the service to load an arbitrary signed DLL.
The malicious DLL used in the attacks was signed by ‘DSIRF GmbH’.

In addition to the exploit chains, another method of access that led to the deployment of Subzero was an Excel file masquerading as a real estate document.
The file contained a malicious macro that was obfuscated with large chunks of benign comments from the Kama Sutra, string obfuscation, and use of Excel 4.0 macros.

After de-obfuscating strings at runtime, the VBA macro uses the ExecuteExcel4Macro function to call native Win32 functions to load shellcode into memory allocated using VirtualAlloc.
Each opcode is individually copied into a newly allocated buffer using memset before CreateThread is called to execute the shellcode.
he downloader shellcode is the initial shellcode executed from either the exploit chains or malicious Excel documents.

The shellcode’s purpose is to retrieve the Corelump second-stage malware from the actor’s command-and-control (C2) server.
The downloader shellcode downloads a JPEG image that contains extra encrypted data appended to the end of the file (past the 0xFF 0xD9 marker that signifies the end of a JPEG file).
The JPEG is then written to the user’s %TEMP% directory.

The downloader shellcode searches for a 16-byte marker immediately following the end of JPEG.
After finding the marker, the downloader shellcode RC4 decrypts the loader shellcode using the next 16 bytes as the RC4 key.

Finally, the loader shellcode RC4 decrypts the Corelump malware using a second RC4 key and manually loads it into memory.
Corelump is the main payload and resides exclusively in memory to evade detection.

It contains a variety of capabilities including keylogging, capturing screenshots, exfiltrating files, running a remote shell, and running arbitrary plugins downloaded from KNOTWEED’s C2 server.

As part of installation, Corelump makes copies of legitimate Windows DLLs and overwrites sections of them with malicious code.

As part of this process, Corelump also modifies the fields in the PE header to accommodate the nefarious changes, such as adding new exported functions, disabling Control Flow Guard, and modifying the image file checksum with a computed value from CheckSumMappedFile.

These trojanized binaries (Jumplump) are dropped to disk in C:WindowsSystem32spooldriverscolor, and COM registry keys are modified for persistence (see the Behaviors section for more information on COM hijacking).

Jumplump is responsible for loading Corelump into memory from the JPEG file in the %TEMP% directory.

If Corelump is not present, Jumplump attempts to download it again from the C2 server.
Both Jumplump and the downloader shellcode are heavily obfuscated to make analysis difficult, with most instructions being followed by a jmp to another instruction/jmp combination, giving a convoluted control flow throughout the program.

KNOTWEED was also observed using the bespoke utility tools Mex and PassLib.

These tools are developed by KNOTWEED and bear capabilities that are derived from publicly available sources.
Mex, for example, is a command-line tool containing several red teaming or security plugins copied from GitHub

Pivoting off a known command-and-control domain identified by MSTIC, acrobatrelay[.]com, RiskIQ expanded the view of KNOTWEED’s attack infrastructure.
Leveraging unique patterns in the use of SSL certificates and other network fingerprints specific to the group and associated with that domain, RiskIQ identified a host of additional IP addresses under the control of KNOTWEED.
This infrastructure, largely hosted by Digital Ocean and Choopa, has been actively serving malware since at least February of 2020 and continues through the time of this writing.

RiskIQ next utilized passive DNS data to determine which domains those IPs resolved to at the time they were malicious.
This process yielded several domains with direct links to DSIRF, including demo3[.]dsirf[.]eu (the company’s own website), and several subdomains that appear to have been used for malware development, including debugmex[.]dsirflabs[.]eu (likely a server used for debugging malware with the bespoke utility tool Mex) and szstaging[.]dsirflabs[.]eu (likely a server used to stage Subzero malware).

Corelump drops the Jumplump loader DLLs to C:WindowsSystem32spooldriverscolor.
This is a common directory used by malware as well as some legitimate programs, so writes of PE files to the folder should be monitored.

Jumplump uses COM hijacking for persistence, modifying COM registry keys to point to the Jumplump DLL in C:WindowsSystem32spooldriverscolor.
Modifications of default system CLSID values should be monitored to detect this technique (e.g., HKLMSOFTWAREClassesCLSID{GUID}InProcServer32 Default value).
The five CLSIDs used by Jumplump are listed below with their original clean values on Windows 11:

{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea} = “%SystemRoot%System32ApplicationFrame.dll”
{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} = “%SystemRoot%system32propsys.dll”
{4590f811-1d3a-11d0-891f-00aa004b2e24} = “%SystemRoot%system32wbemwbemprox.dll”
{4de225bf-cf59-4cfc-85f7-68b90f185355} = “%SystemRoot%system32wbemwmiprvsd.dll”
{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A} = “%SystemRoot%System32Actioncenter.dll”
Many of the post-compromise actions can be detected based on their command lines.
Customers should monitor for possible malicious activity such as PowerShell executing scripts from internet locations, modification of commonly abused registry keys

Sign Up For Threat Alerts

Threats Icon

Aug 08, 2022

RapperBot – new evolving malware

FortiGuard Labs has been tracking a rapidly evolving IoT malware family known as "RapperBot". This...

Threats Icon

Aug 04, 2022

Google Drive And Dropbox Used By APT29...

Cloaked Ursa (aka: APT29) has been targeting governmental entities in several countries with spear-phishing campaigns...

Threats Icon

Aug 03, 2022

Manjusaka: A Chinese sibling of Sliver and...

Cisco Talos recently discovered a new attack framework called "Manjusaka" being used in the wild...

Threats Icon

Aug 03, 2022

macOS Targeted With The CloudMensis Multi-Staged Malware

ESET researchers discovered a previously unknown macOS backdoor that spies on users of the compromised...

Threats Icon

Aug 01, 2022

Attackers Target Ukraine With GoMet Backdoor

Since the Russian invasion of Ukraine began, Ukrainians have been under a nearly constant barrage...

Threats Icon

Jul 31, 2022

Untangling KNOTWEED: European private-sector offensive actor using...

The Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) found a...

Threats Icon

Jul 26, 2022

EvilNum Targets Cryptocurrency, Forex, Commodities

Proofpoint Threat Research observed the group Proofpoint calls TA4563 targeting various European financial and investment...

Threats Icon

Jul 25, 2022

Lightning Framework: New Undetected “Swiss Army Knife”...

Lightning is a previously undocumented and undetected Linux threat. Lightning is a modular framework we...

Threats Icon

Jul 24, 2022

Redeemer Ransomware

Redeemer 2.0 Being Distributed Via Affiliate Program Cyble Research Labs has constantly been tracking emerging...

Threats Icon

Jul 21, 2022

Cobalt Strikes again: UAC-0056 continues to target...

The Malwarebytes Threat Intelligence team recently reviewed a series of cyber attacks against Ukraine that...

Threats Icon

Jul 20, 2022

Trello From the Other Side: APT29 Phishing...

Beginning mid-January 2022, Mandiant detected and responded to an APT29 phishing campaign targeting a diplomatic...

Threats Icon

Jul 18, 2022

New OrBit Linux Malware That Hijacks Execution...

New and entirely undetected Linux threat dubbed OrBit, signally a growing trend of malware attacks...

Threats Icon

Jul 18, 2022

North Korean threat actor targets small and...

A group of actors originating from North Korea that Microsoft Threat Intelligence Center (MSTIC) tracks...

Threats Icon

Jul 13, 2022

ChromeLoader – New Stubborn Malware Campaign

A new browser hijacker/adware campaign named ChromeLoader (also known as Choziosi Loader and ChromeBack) was...

Threats Icon

Jul 13, 2022

Raspberry Robin Worm Abuses Windows Installer and...

The Cybereason team is investigating a series of recent infections with the Raspberry Robin campaign,...