- KNOTWEED is an activity group sponsored by the PSOA entity DSIRF
- KNOTWEED uses 0-day exploits to load custom malware and frameworks onto victim systems
- Elastic Endpoint Security prevents the execution chain of the VBA from infecting the host with spyware associated with KNOTWEED
On July 27, 2022, Microsoft Threat Intelligence Center (MSTIC) disclosed a private-sector offensive actor (PSOA) that is using 0-day exploits in targeted attacks against European and Central American victims. MSTIC and others are tracking this activity group as KNOTWEED.
PSOAs sell hacking tools, malware, exploits, and services. KNOTWEED is produced by the PSOA named DSIRF. DSIRF has been linked to the sale of malicious toolsets, including one called Subzero, which has been observed being deployed through 0-day exploits targeting Adobe and the Windows operating system.
MSTIC has observed victims in the legal, financial, and NGO verticals in Europe and Latin America.
KNOTWEED deploys the Subzero spyware through the use of 0-day exploits for Adobe Reader and the Windows operating system. Once initial access is gained, KNOTWEED uses different sections of Subzero to maintain persistence (Jumplump) and to perform actions on the infected host (Corelump).
Successful execution of the Subzero spyware allows for the clandestine collection of sensitive information such as credential pairs and system locations, as well as internal reconnaissance and other remote access capabilities common among spyware.
PSOAs are commonly used by activity groups as a way to “leapfrog” capabilities in exploiting and attacking well-defended targets. These activity groups include national intelligence and law enforcement organizations performing sanctioned operations, as well as oppressive governments that use PSOAs to collect information on journalists, political dissidents, and activists.
Successful execution of the Subzero spyware payload could put targets in danger of physical harm or persecution from non-law enforcement organizations.
Attempts to use a Visual Basic for Applications (VBA) script for initial execution generate a Memory Threat Prevention Alert: Shellcode Injection event. This would stop the execution chain from proceeding and prevent the Subzero spyware from infecting the host.