European company unmasked as cyber mercenary group with ties to Russia
The company that's similar to NSO Group has been active since 2016 and has used different zero-days in Windows and Adobe products to infect victims with powerful, evasive spyware


Microsoft has investigated a ‘suspicious’ Austrian private-sector company, concluding that it is operating illegal offensive security services on behalf of clients in a similar fashion to NSO Group and its Pegasus spyware.
Vienna-based DSR Decision Supporting Information Research Forensic (DSIRF) presents itself as a professional services company with clients across high-value industries, but investigations have revealed it is offering spyware and malware services to clients.
So far, victims include businesses in the UK, Austria, and Panama, and span industries such as banking, law firms, and strategic consultancies, Microsoft said, having spoken to a number of them as part of its research.
The company has been observed chaining together zero-day exploits in Windows and Adobe products to deploy its Subzero malware - a rootkit capable of spying on targeted individuals.
Microsoft has concluded that the company is operating an unauthorised, mercenary offensive security operation similar to that of NSO Group, and has given the threat actor the codename Knotweed.
The group is secretive in its operations and only reveals the full extent of its capabilities to clients in exclusive meetings.
There is no evidence that it operates a genuine professional services operation as it claims to, and it is also believed to have ties to the Russian regime.
Unmasking Knotweed - Russian links to illegal EU surveillance
DSIRF’s website says it is primarily based in Austria but also has an office in Liechtenstein. Its ‘about’ section is written in nondescript verbiage that alludes to offering services across information research, forensics, and data-driven intelligence.
It also claims to have multinational clients on its books across the technology, retail, energy, and financial sectors.
Reports linking DSIRF to malicious cyber activity date back to 2021, when several investigations conducted by German-speaking media linked the company to the sale of offensive security services.
First reported by Focus, a DSIRF presentation given exclusively to clients was leaked to the publication and revealed the full suite of services the company offered.
The presentation - made public by Netzpolitik - reportedly mentioned cyber warfare, biometric facial recognition, and the unmasking of foreign information warfare tactics.
The clients were eventually introduced to its Subzero malware product which the company claimed, in a six-minute video presentation, to be able to link up with surveillance cameras installed at the likes of train stations and airports.
Its program could supposedly connect to a DSIRF-controlled database and process footage against biometric, social network, criminal record, and payment data to deliver conclusions to the controller in real time.
According to the investigation conducted by Focus, the Austrian Ministry of Finance confirmed the company to be owned by Peter Dietenberger, a German national with residency in Austria and Switzerland.
Dietenberger is also believed to be a ‘specialist’ in relations between the West and Russia with connections to the Russian nomenklatura, and his visa identified him as a special guest of the presidential administration.
The leaked presentation itself was reportedly addressed to Jan Marsalek, a former board member and COO at the infamous German payment processor Wirecard. The internationally-wanted white-collar criminal is now believed to be a fugitive in Moscow under the protection of the FSB following his alleged involvement in the Wirecard scandal.
Subzero in focus
Microsoft’s investigation focused more on the company’s malware, named Subzero. It said the malware could be deployed in several different ways, but in all cases it used a remote code execution (RCE) vulnerability in Adobe Reader coupled with a now-patched privilege escalation exploit in Windows (CVE-2022-22047).
The malware seen by Microsoft was packaged in a PDF document sent to a victim via email, but Microsoft said it was not able to gain visibility into the entire exploit chain.
The victim’s version of Adobe Reader was released in January 2022, which suggests that the exploit was developed between January and May 2022, despite indications from the company’s C2 infrastructure that it had been active since 2020.
“The exploit chain starts with writing a malicious DLL to disk from the sandboxed Adobe Reader renderer process,” Microsoft said. “The CVE-2022-22047 exploit was then used to target a system process by providing an application manifest with an undocumented attribute that specified the path of the malicious DLL.
“Then, when the system process next spawned, the attribute in the malicious activation context was used, the malicious DLL was loaded from the given path, and system-level code execution was achieved.”
It revealed that other security vulnerabilities were used to deploy Subzero on victims dating back to 2021, indicating that deployment tactics changed over time and that DSIRF was actively looking for new ways to exploit victims.
Other tactics involved delivering Subzero via malicious Microsoft Excel documents using Excel 4.0 VBA macros - which are now once again blocked by default after a temporary backtrack - and obfuscated using large chunks of text taken from the Kama Sutra.
Main capabilities
Corelump is the main malicious payload delivered by the Subzero program. It resides in memory to escape detection and offers a range of functions including keylogging, capturing screenshots, exfiltrating files, running a remote shell, and running arbitrary plugins downloaded from Knotweed’s C2 server, Microsoft said.
Post exploitation activities observed by Microsoft included credential dumping, accessing emails using dumped credentials, and running PowerShell scripts from a DSIRF-linked GitHub gist.
How to defend against Knotweed and Subzero
Microsoft has advised businesses to patch against the latest security threats, including the recently patched CVE-2022-22047 to prevent exposure to the exploit chain.
Ensuring antivirus products are up-to-date is also recommended, as is scanning for the confirmed indicators of compromise (IOCs) that can be found in Microsoft’s full report.
It’s advised that Excel macro settings are reviewed to make sure malicious VBA and XLM macros are blocked, including by turning on runtime macro scanning by the Antimalware Scan Interface (AMSI), which should be enabled by default.
Enabling multifactor authentication (MFA) can help mitigate the use of any compromised credentials by the threat actor, and reviewing all authentication activity for remote access infrastructure and scanning for anomalous activity is also advised.
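As an added example (not code from Microsoft’s report or from the article), the PowerShell audit below checks the Office macro hardening settings the advice above asks administrators to review, and reports how current the Defender signatures are. It assumes Office 16.0 (2016/2019/365) and the documented policy and user registry locations named in the script; run it in the context of the user whose Office configuration is being checked.

```powershell
# Added example: audit Excel macro hardening and AV signature age on one host.
# Assumes Office 16.0 and the documented registry locations for these settings.
$office = '16.0'
$checks = @(
    @{ Name  = 'AMSI runtime macro scanning (MacroRuntimeScanScope)'
       Path  = "HKCU:\Software\Policies\Microsoft\Office\$office\Common\Security"
       Value = 'MacroRuntimeScanScope'
       # 2 = scan macros in all documents, 1 = low-trust documents only, 0 = disabled
       Ok    = { param($v) $v -eq 2 }
       Hint  = 'Set to 2 so AMSI inspects macro behaviour in every document' }
    @{ Name  = 'Block macros in Excel files downloaded from the internet'
       Path  = "HKCU:\Software\Policies\Microsoft\Office\$office\Excel\Security"
       Value = 'BlockContentExecutionFromInternet'
       # 1 = macros in Mark-of-the-Web files are blocked outright
       Ok    = { param($v) $v -eq 1 }
       Hint  = 'Set to 1 so emailed/downloaded workbooks cannot run macros' }
    @{ Name  = 'Excel VBA macro notification setting (VBAWarnings)'
       Path  = "HKCU:\Software\Microsoft\Office\$office\Excel\Security"
       Value = 'VBAWarnings'
       # 1 = enable all macros (dangerous); 2, 3 and 4 disable them with varying notification
       Ok    = { param($v) $v -in 2, 3, 4 }
       Hint  = 'Anything other than 1; 4 (disable without notification) is strictest' }
)

$results = foreach ($c in $checks) {
    $v = $null
    if (Test-Path $c.Path) {
        # Read the single value; a missing value simply yields $null
        $v = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
    }
    [pscustomobject]@{
        Setting = $c.Name
        Current = if ($null -eq $v) { '<not set>' } else { $v }
        # An unset value is flagged for review: the effective default then depends on the Office build
        Status  = if ($null -ne $v -and (& $c.Ok $v)) { 'OK' } else { 'REVIEW' }
        Action  = $c.Hint
    }
}
$results | Format-Table -AutoSize -Wrap

# Signature freshness matters for the IOC-based detections the report relies on.
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $s = Get-MpComputerStatus
    '{0}: Defender AV signatures last updated {1}, engine {2}' -f `
        $env:COMPUTERNAME, $s.AntivirusSignatureLastUpdated, $s.AMEngineVersion
}
```

Settings applied through Group Policy land under the `Policies` hive shown above and override the per-user key, so a `REVIEW` row for `VBAWarnings` may be acceptable when the policy rows are `OK`.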

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.