Untangling KNOTWEED: European private-sector offensive actor using 0-day exploits

KNOTWEED is an Austria-based PSOA named DSIRF.
The DSIRF website says they provide services “to multinational corporations in the technology, retail, energy and financial sectors” and that they have “a set of highly sophisticated techniques in gathering and analyzing information.” They publicly offer several services including “an enhanced due diligence and risk analysis process through providing a deep understanding of individuals and entities” and “highly sophisticated Red Teams to challenge your company’s most critical assets.”

MSTIC found KNOTWEED’s Subzero malware deployed in a variety of ways.
In the succeeding sections, the different stages of Subzero are referred to by their Microsoft Defender detection names: Jumplump for the persistent loader and Corelump for the main malware.

Previously, MSRC received a report of two Windows privilege escalation exploits (CVE-2021-31199 and CVE-2021-31201) being used in conjunction with an Adobe Reader exploit (CVE-2021-28550), all of which were patched in June 2021.
MSTIC was able to confirm the use of these in an exploit chain used to deploy Subzero.

Analysts were later able to link the deployment of Subzero to a fourth exploit, one related to a Windows privilege escalation vulnerability in the Windows Update Medic Service (CVE-2021-36948), which allowed an attacker to force the service to load an arbitrary signed DLL.
The malicious DLL used in the attacks was signed by ‘DSIRF GmbH’.

In addition to the exploit chains, another method of access that led to the deployment of Subzero was an Excel file masquerading as a real estate document.
The file contained a malicious macro that was obfuscated with large chunks of benign comments from the Kama Sutra, string obfuscation, and use of Excel 4.0 macros.

After de-obfuscating strings at runtime, the VBA macro uses the ExecuteExcel4Macro function to call native Win32 functions to load shellcode into memory allocated using VirtualAlloc.
Each opcode is individually copied into a newly allocated buffer using memset before CreateThread is called to execute the shellcode.
he downloader shellcode is the initial shellcode executed from either the exploit chains or malicious Excel documents.

The shellcode’s purpose is to retrieve the Corelump second-stage malware from the actor’s command-and-control (C2) server.
The downloader shellcode downloads a JPEG image that contains extra encrypted data appended to the end of the file (past the 0xFF 0xD9 marker that signifies the end of a JPEG file).
The JPEG is then written to the user’s %TEMP% directory.

The downloader shellcode searches for a 16-byte marker immediately following the end of JPEG.
After finding the marker, the downloader shellcode RC4 decrypts the loader shellcode using the next 16 bytes as the RC4 key.

Finally, the loader shellcode RC4 decrypts the Corelump malware using a second RC4 key and manually loads it into memory.
Corelump is the main payload and resides exclusively in memory to evade detection.

It contains a variety of capabilities including keylogging, capturing screenshots, exfiltrating files, running a remote shell, and running arbitrary plugins downloaded from KNOTWEED’s C2 server.

As part of installation, Corelump makes copies of legitimate Windows DLLs and overwrites sections of them with malicious code.

As part of this process, Corelump also modifies the fields in the PE header to accommodate the nefarious changes, such as adding new exported functions, disabling Control Flow Guard, and modifying the image file checksum with a computed value from CheckSumMappedFile.

These trojanized binaries (Jumplump) are dropped to disk in C:WindowsSystem32spooldriverscolor, and COM registry keys are modified for persistence (see the Behaviors section for more information on COM hijacking).

Jumplump is responsible for loading Corelump into memory from the JPEG file in the %TEMP% directory.

If Corelump is not present, Jumplump attempts to download it again from the C2 server.
Both Jumplump and the downloader shellcode are heavily obfuscated to make analysis difficult, with most instructions being followed by a jmp to another instruction/jmp combination, giving a convoluted control flow throughout the program.

KNOTWEED was also observed using the bespoke utility tools Mex and PassLib.

These tools are developed by KNOTWEED and bear capabilities that are derived from publicly available sources.
Mex, for example, is a command-line tool containing several red teaming or security plugins copied from GitHub

Pivoting off a known command-and-control domain identified by MSTIC, acrobatrelay[.]com, RiskIQ expanded the view of KNOTWEED’s attack infrastructure.
Leveraging unique patterns in the use of SSL certificates and other network fingerprints specific to the group and associated with that domain, RiskIQ identified a host of additional IP addresses under the control of KNOTWEED.
This infrastructure, largely hosted by Digital Ocean and Choopa, has been actively serving malware since at least February of 2020 and continues through the time of this writing.

RiskIQ next utilized passive DNS data to determine which domains those IPs resolved to at the time they were malicious.
This process yielded several domains with direct links to DSIRF, including demo3[.]dsirf[.]eu (the company’s own website), and several subdomains that appear to have been used for malware development, including debugmex[.]dsirflabs[.]eu (likely a server used for debugging malware with the bespoke utility tool Mex) and szstaging[.]dsirflabs[.]eu (likely a server used to stage Subzero malware).

Corelump drops the Jumplump loader DLLs to C:WindowsSystem32spooldriverscolor.
This is a common directory used by malware as well as some legitimate programs, so writes of PE files to the folder should be monitored.

Jumplump uses COM hijacking for persistence, modifying COM registry keys to point to the Jumplump DLL in C:WindowsSystem32spooldriverscolor.
Modifications of default system CLSID values should be monitored to detect this technique (e.g., HKLMSOFTWAREClassesCLSID{GUID}InProcServer32 Default value).
The five CLSIDs used by Jumplump are listed below with their original clean values on Windows 11:

{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea} = “%SystemRoot%System32ApplicationFrame.dll”
{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} = “%SystemRoot%system32propsys.dll”
{4590f811-1d3a-11d0-891f-00aa004b2e24} = “%SystemRoot%system32wbemwbemprox.dll”
{4de225bf-cf59-4cfc-85f7-68b90f185355} = “%SystemRoot%system32wbemwmiprvsd.dll”
{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A} = “%SystemRoot%System32Actioncenter.dll”
Many of the post-compromise actions can be detected based on their command lines.
Customers should monitor for possible malicious activity such as PowerShell executing scripts from internet locations, modification of commonly abused registry keys

Sign Up For Threat Alerts

Loading...
Threats Icon

Dec 06, 2022

DuckLogs MaaS (Malware-as-a-Service) Provides Sophisticated Features

DuckLogs is MaaS (Malware-as-a-Service) advertised on cybercrime forums with a range of features including remote...

Threats Icon

Dec 05, 2022

WannaRen Returns As Life Ransomware

WannaRen ransomware appeared on the threat landscape in 2020 and reemerged in 2022 as Life...

Threats Icon

Dec 04, 2022

Alert (AA22-335A) Cuba Ransomware

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are...

Threats Icon

Dec 01, 2022

UNC4191 Threat Group Targets Entities In The...

The UNC4191 threat group was discovered targeting entities in the Philippines with custom malware and...

Threats Icon

Nov 30, 2022

Emotet Leads To Quantum Ransomware Infection

Threat actors were observed using Emotet to gain access to the victim's network and deploy...

Threats Icon

Nov 29, 2022

RansomExx Upgrades to Rust

IBM Security X-Force Threat Researchers have discovered a new variant of the RansomExx ransomware that...

Threats Icon

Nov 29, 2022

Ransomware Roundup: Cryptonite Ransomware

FortiGuard Labs has reported on Cryptonite ransomware, which was found to target Microsoft Windows machines...

Threats Icon

Nov 28, 2022

Operation Typhoon: The Cyber Sea Lotus Coveting...

Cyber espionage actors, now designated by FireEye as APT32 (OceanLotus Group), are carrying out intrusions...

Threats Icon

Nov 27, 2022

IL-Cert Alert – Active phishing campaign in...

There is a new phishing campaign in Israel. The malware relies upon user execution. The...

Threats Icon

Nov 27, 2022

Emotets Vacation Is Over: No Rest For...

Emotet started as a banking Trojan in spreading via spam campaigns by imitating financial statements,...

Threats Icon

Nov 24, 2022

Aurora: A Rising Stealer Flying Under The...

Aurora is a multipurpose botnet with data collection, information stealer, downloading, and remote access Trojan...

Threats Icon

Nov 23, 2022

Analysis Of The ViperSoftX And VenomSoftX Information...

Torrents and software-sharing sites are being used to target victims across the globe with variants...

Threats Icon

Nov 22, 2022

Wipermania

Wipers have existed for years, and while they haven't been utilized as much as ransomware,...

Threats Icon

Nov 21, 2022

LockBit 3.0 Ransomware Unlocked

Also known as LockBit Black, this ransomware family announced itself stating that it would now...

Threats Icon

Nov 21, 2022

Control Panel Executable Abused For QakBot Infection

QakBot campaign modifies deployment tactics and aims to exploit a DLL hijacking technique that abuses...