{"id":19698,"date":"2022-07-27T07:00:59","date_gmt":"2022-07-27T15:00:59","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/07\/27\/news-13431\/"},"modified":"2022-07-27T07:00:59","modified_gmt":"2022-07-27T15:00:59","slug":"news-13431","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/07\/27\/news-13431\/","title":{"rendered":"Untangling KNOTWEED: European private-sector offensive actor using 0-day exploits"},"content":{"rendered":"

Credit to Author: Microsoft 365 Defender Threat Intelligence Team| Date: Wed, 27 Jul 2022 14:00:00 +0000<\/strong><\/p>\n

The Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) found a private-sector offensive actor (PSOA) using multiple Windows and Adobe 0-day exploits, including one for the recently patched CVE-2022-22047<\/a>, in limited and targeted attacks against European and Central American customers. The PSOA, which MSTIC tracks as KNOTWEED, developed malware called Subzero which was used in these attacks.<\/p>\n

This blog details Microsoft\u2019s analysis of the observed KNOTWEED activity and related malware used in targeted attacks against our customers. This information is shared with our customers and industry partners to improve detection of these attacks. Customers are encouraged to expedite deployment of the July 2022 Microsoft security updates to protect their systems against exploits using CVE-2022-22047. Microsoft Defender Antivirus and Microsoft Defender for Endpoint have also implemented detections against KNOTWEED\u2019s malware and tools.<\/p>\n

PSOAs, which Microsoft also refers to as cyber mercenaries<\/a>, sell hacking tools or services through a variety of business models. Two common models for this type of actor are access-as-a-service and hack-for-hire. In access-as-a-service, the actor sells full end-to-end hacking tools that can be used by the purchaser in operations, with the PSOA not involved in any targeting or running of the operation. In hack-for-hire, detailed information is provided by the purchaser to the actor, who then runs the targeted operations. Based on observed attacks and news reports, MSTIC believes that KNOTWEED may blend these models: they sell the Subzero malware to third parties but have also been observed using KNOTWEED-associated infrastructure in some attacks, suggesting more direct involvement.<\/p>\n

Who is KNOTWEED?<\/h2>\n

KNOTWEED is an Austria-based PSOA named DSIRF. The DSIRF website<\/a> [web archive link] says they provide services \u201cto multinational corporations in the technology, retail, energy and financial sectors<\/em>\u201d and that they have \u201ca set of highly sophisticated techniques in gathering and analyzing information.<\/em>\u201d They publicly offer several services including \u201can enhanced due diligence and risk analysis process through providing a deep understanding of individuals and entities\u201d <\/em>and \u201chighly sophisticated Red Teams to challenge your company’s most critical assets.\u201d<\/em><\/p>\n

However, multiple<\/a> news<\/a> reports<\/a> have linked DSIRF to the development and attempted sale of a malware toolset called Subzero. MSTIC found the Subzero malware being deployed through a variety of methods, including 0-day exploits in Windows and Adobe Reader, in 2021 and 2022. As part of our investigation into the utility of this malware, Microsoft\u2019s communications with a Subzero victim revealed that they had not commissioned any red teaming or penetration testing, and confirmed that it was unauthorized, malicious activity. Observed victims to date include law firms, banks, and strategic consultancies in countries such as Austria, the United Kingdom, and Panama. It\u2019s important to note that the identification of targets in a country doesn\u2019t necessarily mean that a DSIRF customer resides in the same country, as international targeting is common.<\/p>\n

MSTIC has found multiple links between DSIRF and the exploits and malware used in these attacks. These include command-and-control infrastructure used by the malware directly linking to DSIRF, a DSIRF-associated GitHub account being used in one attack, a code signing certificate issued to DSIRF being used to sign an exploit, and other open-source news reports attributing Subzero to DSIRF.<\/p>\n

Observed actor activity<\/h2>\n

KNOTWEED initial access<\/h3>\n

MSTIC found KNOTWEED\u2019s Subzero malware deployed in a variety of ways. In the succeeding sections, the different stages of Subzero are referred to by their Microsoft Defender detection names: Jumplump <\/em>for the persistent loader and Corelump <\/em>for the main malware.<\/p>\n

KNOTWEED exploits in 2022<\/h4>\n

In May 2022, MSTIC found an Adobe Reader remote code execution (RCE) and a 0-day Windows privilege escalation exploit chain being used in an attack that led to the deployment of Subzero. The exploits were packaged into a PDF document that was sent to the victim via email. Microsoft was not able to acquire the PDF or Adobe Reader RCE portion of the exploit chain, but the victim\u2019s Adobe Reader version was released in January 2022, meaning that the exploit used was either a 1-day exploit developed between January and May, or a 0-day exploit. Based on KNOTWEED\u2019s extensive use of other 0-days, we assess with medium confidence that the Adobe Reader RCE is a 0-day exploit. The Windows exploit was analyzed by MSRC, found to be a 0-day exploit, and then patched in July 2022 as CVE-2022-22047. Interestingly, there were indications in the Windows exploit code that it was also designed to be used from Chromium-based browsers, although we\u2019ve seen no evidence of browser-based attacks.<\/p>\n

The CVE-2022-22047 vulnerability is related to an issue with activation context<\/a> caching in the Client Server Run-Time Subsystem (CSRSS) on Windows. At a high level, the vulnerability could enable an attacker to provide a crafted assembly manifest, which would create a malicious activation context in the activation context cache, for an arbitrary process. This cached context is used the next time the process spawned.<\/p>\n

CVE-2022-22047 was used in KNOTWEED related attacks for privilege escalation. The vulnerability also provided the ability to escape sandboxes (with some caveats, as discussed below) and achieve system-level code execution. The exploit chain starts with writing a malicious DLL to disk from the sandboxed Adobe Reader renderer process. The CVE-2022-22047 exploit was then used to target a system process by providing an application manifest with an undocumented attribute that specified the path of the malicious DLL. Then, when the system process next spawned, the attribute in the malicious activation context was used, the malicious DLL was loaded from the given path, and system-level code execution was achieved.<\/p>\n

It’s important to note that exploiting CVE-2022-22047 requires attackers to be able to write a DLL to disk. However, in the threat model of sandboxes, such as that of Adobe Reader and Chromium, the ability to write out files where the attacker cannot<\/em> control the path isn\u2019t considered dangerous. Hence, these sandboxes aren\u2019t a barrier to the exploitation of CVE-2022-22047.<\/p>\n

KNOTWEED exploits in 2021<\/h4>\n

In 2021, MSRC received a report of two Windows privilege escalation exploits (CVE-2021-31199<\/a> and CVE-2021-31201<\/a>) being used in conjunction with an Adobe Reader exploit (CVE-2021-28550<\/a>), all of which were patched in June 2021. MSTIC was able to confirm the use of these in an exploit chain used to deploy Subzero.<\/p>\n

We were later able to link the deployment of Subzero to a fourth exploit, one related to a Windows privilege escalation vulnerability in the Windows Update Medic Service (CVE-2021-36948<\/a>), which allowed an attacker to force the service to load an arbitrary signed DLL. The malicious DLL used in the attacks was signed by \u2018DSIRF GmbH\u2019.<\/p>\n

\"A
Figure 1. Valid digital signature from DSIRF on Medic Service exploit DLL<\/figcaption><\/figure>\n

Malicious Excel documents<\/h4>\n

In addition to the exploit chains, another method of access that led to the deployment of Subzero was an Excel file masquerading as a real estate document. The file contained a malicious macro that was obfuscated with large chunks of benign comments from the Kama Sutra, string obfuscation, and use of Excel 4.0 macros.<\/p>\n

\"\"<\/figure>\n
\"Two
Figure 2: Two examples of KNOTWEED Excel macro obfuscation<\/figcaption><\/figure>\n

After de-obfuscating strings at runtime, the VBA macro uses the ExecuteExcel4Macro<\/em> function to call native Win32 functions to load shellcode into memory allocated using VirtualAlloc<\/em>. Each opcode is individually copied into a newly allocated buffer using memset<\/em> before CreateThread<\/em> is called to execute the shellcode.<\/p>\n

\"A
Figure 3: Copying opcodes<\/figcaption><\/figure>\n
\"A
Figure 4: Calling CreateThread on shellcode<\/figcaption><\/figure>\n

The following section describes the shellcode executed by the macro.<\/p>\n

KNOTWEED malware and tactics, techniques, and procedures (TTPs)<\/h3>\n

Corelump downloader and loader shellcode<\/h4>\n

The downloader shellcode is the initial shellcode executed from either the exploit chains or malicious Excel documents. The shellcode’s purpose is to retrieve the Corelump<\/em> second-stage malware from the actor\u2019s command-and-control (C2) server. The downloader shellcode downloads a JPEG image that contains extra encrypted data appended to the end of the file (past the 0xFF 0xD9<\/em> marker that signifies the end of a JPEG file). The JPEG is then written to the user\u2019s %TEMP%<\/em> directory.<\/p>\n

\"\"
Figure 5: One of the images embedded with the loader shellcode and Corelump<\/figcaption><\/figure>\n

The downloader shellcode searches for a 16-byte marker immediately following the end of JPEG. After finding the marker, the downloader shellcode RC4 decrypts the loader shellcode using the next 16 bytes as the RC4 key. Finally, the loader shellcode RC4 decrypts the Corelump<\/em> malware using a second RC4 key and manually loads it into memory.<\/p>\n

Corelump malware<\/h4>\n

Corelump <\/em>is the main payload and resides exclusively in memory to evade detection. It contains a variety of capabilities including keylogging, capturing screenshots, exfiltrating files, running a remote shell, and running arbitrary plugins downloaded from KNOTWEED\u2019s C2 server.<\/p>\n

As part of installation, Corelump<\/em> makes copies of legitimate Windows DLLs and overwrites sections of them with malicious code. As part of this process, Corelump<\/em> also modifies the fields in the PE header to accommodate the nefarious changes, such as adding new exported functions, disabling Control Flow Guard<\/a>, and modifying the image file checksum with a computed value from CheckSumMappedFile.<\/em> These trojanized binaries (Jumplump<\/em>) are dropped to disk in C:WindowsSystem32spooldriverscolor<\/em>, and COM registry keys are modified for persistence (see the Behaviors section for more information on COM hijacking).<\/p>\n

Jumplump loader<\/h4>\n

Jumplump <\/em>is responsible for loading Corelump <\/em>into memory from the JPEG file in the %TEMP% directory. If Corelump<\/em> is not present, Jumplump<\/em> attempts to download it again from the C2 server. Both Jumplump <\/em>and the downloader shellcode are heavily obfuscated to make analysis difficult, with most instructions being followed by a jmp to another instruction\/jmp combination, giving a convoluted control flow throughout the program.<\/p>\n

\"A
Figure 6: Disassembly showing the jmp\/instruction obfuscation used in Jumplump<\/figcaption><\/figure>\n

Mex and PassLib<\/h4>\n

KNOTWEED was also observed using the bespoke utility tools Mex and PassLib. These tools are developed by KNOTWEED and bear capabilities that are derived from publicly available sources. Mex, for example, is a command-line tool containing several red teaming or security plugins copied from GitHub (listed below):<\/p>\n

\n\n\n\n\n\n\n\n\n
Chisel<\/a><\/td>\nmimikatz<\/a><\/td>\nSharpHound3<\/a><\/td>\n<\/tr>\n
Curl<\/a><\/td>\nPing Castle<\/a><\/td>\nSharpOxidResolver<\/a><\/td>\n<\/tr>\n
Grouper2<\/a><\/td>\nRubeus<\/a><\/td>\nPharpPrinter<\/a><\/td>\n<\/tr>\n
Internal Monologue<\/a><\/td>\nSCShell<\/a><\/td>\nSpoolSample<\/a><\/td>\n<\/tr>\n
Inveigh<\/a><\/td>\nSeatbelt<\/a><\/td>\nStandIn<\/a><\/td>\n<\/tr>\n
Lockless<\/a><\/td>\nSharpExec<\/a><\/td>\n <\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

PassLib is a custom password stealer tool capable of dumping credentials from a variety of sources including web browsers, email clients, LSASS, LSA secrets, and the Windows credential manager.<\/p>\n

Post-compromise actions<\/h4>\n

In victims where KNOTWEED malware had been used, a variety of post-compromise actions were observed:<\/p>\n