Subzero Malware

Subzero Malware Description

A Private-Sector Offensive Actor (PSOA) has been observed using multiple Windows and Adobe zero-day vulnerabilities to infect victims with an internally developed malware tracked as Subzero. Details about the threat actor and the Subzero malware were released in a report by the Microsoft Threat Intelligence Center (MSTIC). The researchers track this particular PSOA as KNOTWEED and believe it is an Austria-based threat actor named DSIRF.

KNOTWEED likely operates under a combination of two different models, access-as-a-service and hack-for-hire: the group sells its Subzero malware to third parties while also appearing to have more direct involvement in certain attacks. Victims include law firms, consultancy agencies, and banks located in Austria, the UK and Panama.

Subzero Malware Details

The Subzero threat is delivered to the chosen targets through a variety of infection methods. Attackers abused zero-day exploits, such as CVE-2022-22047. In addition, the malware was deployed via a weaponized Excel file posing as a real estate document. The file contained a malicious macro that triggers the delivery of Subzero to the victim's device.

To avoid detection, the main payload of the threat resides almost entirely in memory. Its invasive capabilities include keylogging, capturing screenshots, opening a remote shell and executing commands, file exfiltration and more. In addition, the malware can be instructed to fetch and run additional plugins from the attack campaign's Command-and-Control (C2, C&C) server.