Microsoft details that a company it describes as a private-sector offensive actor, or PSOA, operates under the guise of an Austria-based company called DSIRF. It was found to be, in fact, linked to the development and attempted sale of Subzero, a piece of malware.
Subzero is known to compromise the target's phones, computers, and other internet-connected devices. Microsoft's cybersecurity team reports that the victims of these deployments include banks, strategic consultancies, and law firms in countries including the United Kingdom, Panama, and Austria.
To track this activity, Microsoft has assigned the actor the moniker KNOTWEED, continuing its practice of naming the actors it tracks after trees and shrubs. KNOTWEED runs both access-as-a-service and hack-for-hire operations: it offers its toolset to third-party actors and also takes part directly in certain attacks.
The former entails selling the tools, such as an end-to-end hacking toolset, so that purchasers can use them without any further involvement of the offensive actor. The purchaser therefore operates in their own right.
By contrast, the hack-for-hire group is much more involved, as it runs the targeted operations itself on the instruction of its clients.
Google believes that the deployment of Subzero resulted from the exploitation of several issues. These include an attack chain that abused a previously unknown remote code execution vulnerability in Adobe Reader. Another was a zero-day privilege escalation bug, which Microsoft addressed in its patch updates.
Microsoft details that KNOTWEED was found to have been actively serving malware since February 2020, using infrastructure hosted on Choopa and DigitalOcean. Microsoft also identified various other subdomains used for malware development and for staging Subzero payloads.