
European company unmasked as cyber mercenary group with ties to Russia

The company, which operates in a similar fashion to NSO Group, has been active since 2016 and has used different zero-days in Windows and Adobe products to infect victims with powerful, evasive spyware

Microsoft has investigated a ‘suspicious’ Austrian private-sector company, concluding that it is operating illegal offensive security services on behalf of clients in a similar fashion to NSO Group and its Pegasus spyware.

Vienna-based DSR Decision Supporting Information Research Forensic (DSIRF) presents itself as a professional services company with clients across high-value industries, but investigations have revealed it is offering spyware and malware services to clients.

So far, victims include businesses in the UK, Austria, and Panama, and span industries such as banking, law firms, and strategic consultancies, Microsoft said, having spoken to a number of them as part of its research.

The company has been observed chaining together zero-day exploits in Windows and Adobe products to deploy its Subzero malware - a rootkit capable of spying on targeted individuals.

Microsoft has concluded that the company is operating an unauthorised, mercenary offensive security operation similar to that of NSO Group, and has given the threat actor the codename Knotweed.

The group is secretive in its operations and only reveals the full extent of its capabilities to clients in exclusive meetings.

There is no evidence that it operates a genuine professional services business as it claims to, and it is also believed to have ties to the Russian regime.

Unmasking Knotweed - Russian links to illegal EU surveillance

DSIRF’s website says it is primarily based in Austria but also has an office in Liechtenstein. Its ‘about’ section is written in nondescript verbiage that alludes to offering services across information research, forensics, and data-driven intelligence.

It also claims to have multinational clients on its books across the technology, retail, energy, and financial sectors.

Reports linking DSIRF to malicious cyber activity date back to 2021 when several investigations that were conducted by German-speaking media linked the company to the sale of offensive security services.

First reported by Focus, a DSIRF presentation given exclusively to clients was leaked to the publication and revealed the full suite of services the company offered.

The presentation - made public by Netzpolitik - reportedly mentioned cyber warfare, biometric facial recognition, and the unmasking of foreign information warfare tactics. 

The clients were eventually introduced to its Subzero malware product which the company claimed, in a six-minute video presentation, to be able to link up with surveillance cameras installed at the likes of train stations and airports.

Its program could supposedly connect to a DSIRF-controlled database and process footage against biometric, social network, criminal record, and payment data to deliver conclusions to the controller in real time.

According to the investigation conducted by Focus, the Austrian Ministry of Finance confirmed the company to be owned by Peter Dietenberger, a German national with residency in Austria and Switzerland. 

Dietenberger is also believed to be a ‘specialist’ in relations between the West and Russia with connections to the Russian nomenklatura, and his visa reportedly identified him as a special guest of the presidential administration.

The leaked presentation itself was reportedly addressed to Jan Marsalek, a former board member and COO at the infamous German payment processor Wirecard. The internationally wanted white-collar criminal is now believed to be a fugitive in Moscow under the protection of the FSB following his alleged involvement in the Wirecard scandal.

Subzero in focus

Microsoft’s investigation focused more on the company’s malware, named Subzero. It said the malware could be deployed in several different ways but, in all cases, it used a remote code execution (RCE) vulnerability in Adobe Reader, coupled with a now-patched privilege escalation exploit in Windows (CVE-2022-22047).


The malware seen by Microsoft was packaged in a PDF document sent to a victim via email, but Microsoft said it was not able to gain visibility into the entire exploit chain.

The victim's version of Adobe Reader was released in January 2022, which suggests that the exploit was developed between January and May 2022, despite the company’s C2 infrastructure indicating that it had been active since 2020.

“The exploit chain starts with writing a malicious DLL to disk from the sandboxed Adobe Reader renderer process,” Microsoft said. “The CVE-2022-22047 exploit was then used to target a system process by providing an application manifest with an undocumented attribute that specified the path of the malicious DLL.

“Then, when the system process next spawned, the attribute in the malicious activation context was used, the malicious DLL was loaded from the given path, and system-level code execution was achieved.”

Microsoft revealed that other security vulnerabilities were used to deploy Subzero against victims dating back to 2021, indicating that deployment tactics changed over time and that DSIRF made active efforts to find new ways of exploiting victims.

Other tactics involved delivering Subzero via malicious Microsoft Excel documents using Excel 4.0 VBA macros - which are now once again blocked by default after a temporary backtrack - and obfuscated using large chunks of text taken from the Kama Sutra.

Main capabilities

Corelump is the main malicious payload delivered by the Subzero program. It resides in memory to escape detection and offers a range of functions including keylogging, capturing screenshots, exfiltrating files, running a remote shell, and running arbitrary plugins downloaded from Knotweed’s C2 server, Microsoft said.

Post-exploitation activities observed by Microsoft included credential dumping, accessing emails using dumped credentials, and running PowerShell scripts from a DSIRF-linked GitHub gist.

How to defend against Knotweed and Subzero

Microsoft has advised businesses to patch against the latest security threats, including the recently patched CVE-2022-22047, to prevent exposure to the exploit chain.

Ensuring antivirus products are up-to-date is also recommended, as is scanning for the confirmed indicators of compromise (IOCs) that can be found in Microsoft’s full report. 

It’s advised that Excel macro settings are reviewed to make sure malicious VBA and XLM macros are blocked, and that runtime macro scanning by the Antimalware Scan Interface (AMSI) is turned on, which it should be by default.

Enabling multifactor authentication (MFA) can help mitigate the use of compromised credentials by the threat actor. Reviewing all authentication activity for remote access infrastructure, and scanning for anomalous activity, is also advised.
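As an added example, not from the article or from Microsoft’s report, the following PowerShell audits the per-user Office policy values behind the macro guidance above: the AMSI macro runtime scanning scope, blocking of macros in files downloaded from the internet, and the VBA macro notification level. It assumes Microsoft 365 Apps or Office 2016 or later (the 16.0 registry segment) with policies applied under HKCU; the value names are the standard Office policy names.

```powershell
# Added example: audit the Office policy values that control the macro
# mitigations discussed above. Assumes Office 16.0 (Office 2016 / Microsoft
# 365 Apps) and user-scope policies under HKCU\Software\Policies.
$officeVersion = '16.0'   # assumption: change for other Office releases
$common = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\Common\Security"
$excel  = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\Excel\Security"

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, meaning Office falls back
    # to its built-in default for that setting.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$checks = @(
    # MacroRuntimeScanScope: 0 = AMSI runtime scanning off, 1 = scan macros in
    # low-trust documents (Office's default when unset), 2 = scan all documents.
    @{ Name = 'AMSI macro runtime scanning'; Path = $common; Value = 'MacroRuntimeScanScope'
       Ok = { param($v) ($null -eq $v) -or ($v -ge 1) }; Want = '1 or 2 (unset = default 1)' },
    # blockcontentexecutionfrominternet: 1 = block macros in files carrying
    # Mark of the Web, i.e. documents that arrived by download or email.
    @{ Name = 'Block macros in Internet files'; Path = $excel; Value = 'blockcontentexecutionfrominternet'
       Ok = { param($v) $v -eq 1 }; Want = '1' },
    # VBAWarnings: 1 = enable all macros, 2 = disable with notification,
    # 3 = disable except digitally signed, 4 = disable all without notification.
    @{ Name = 'VBA macro notification level'; Path = $excel; Value = 'VBAWarnings'
       Ok = { param($v) $v -in 3, 4 }; Want = '3 or 4' }
)

$results = foreach ($c in $checks) {
    $v = Get-PolicyValue -Path $c.Path -Name $c.Value
    [pscustomobject]@{
        Check    = $c.Name
        Current  = if ($null -eq $v) { '(not set)' } else { $v }
        Expected = $c.Want
        Status   = if (& $c.Ok $v) { 'OK' } else { 'REVIEW' }
    }
}

# Any row marked REVIEW is a setting that leaves Excel macro execution or
# AMSI scanning weaker than the guidance above recommends.
$results | Format-Table -AutoSize
```

Where Office is managed centrally, the same value names may also be written under HKLM\Software\Policies; run the audit against both hives in that case.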
