KNOTWEED Activity Group Assessment | Elastic Blog

Jul 30, 2022 by iHash Leave a Comment

Table of Contents

Key Takeaways

KNOTWEED is an activity group sponsored by the PSOA entity DSIRF

KNOTWEED uses 0-day exploits to load custom malware and frameworks onto victim systems

Elastic Endpoint Security prevents the execution chain of the VBA from infecting the host with spyware associated with KNOTWEED

Summary

On July 27, 2022, Microsoft Threat Intelligence Center (MSTIC) disclosed a private-sector offensive actor (PSOA) that is using 0-day exploits in targeted attacks against European and Central American victims. MSTIC and others are tracking this activity group as KNOTWEED.

PSOAs sell hacking tools, malware, exploits, and services. KNOTWEED is produced by the PSOA named DSIRF. DSIRF has been linked to the sale of a malicious toolset (among others) called Subzero which has been observed being deployed through the use of 0-day exploits targeting Adobe and the Windows operating system.

MSTIC has observed victims in the legal, financial, and NGO verticals in Europe and Latin America.

Assessment

Risk

KNOTWEED deploys the Subzero spyware through the use of 0-day exploits for Adobe Reader and the Windows operating system. Once initial access is gained, KNOTWEED uses different sections of Subzero to maintain persistence (Jumplump) and to perform actions on the infected host (Corelump).

Successful execution of the Subzero spyware allows for the clandestine collection of sensitive information such as credential pairs, system locations, internal reconnaissance, and other remote access capabilities common among spyware.

Impact

PSOAs are commonly used by activity groups as a way to “leapfrog” capabilities in exploiting and attacking well-defended targets. These activity groups include national intelligence and law enforcement organizations performing sanctioned operations, as well as oppressive governments as a way to collect information on journalists, political dissidents, and activists.

Successful execution of the Subzero spyware payload could put targets in danger of physical harm or persecution from non-law enforcement organizations.

Countermeasures

Elastic Protections
Attempts to use a Visual Basic for Applications (VBA) script for initial execution generates a Memory Threat Prevention Alert: Shellcode Injection event. This would stop the execution chain from proceeding and prevent the Subzero spyware from infecting the host.

Source link

Leave a ReplyCancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Falcon Next-Gen SIEM and Cribl Reshape the SIEM Journey

CrowdStream enables SOCs to streamline data flows, prioritize high-value sources and reduce complexity so teams can focus on their most important tasks. By simplifying data management and empowering faster detection, our partnership offers a scalable, resilient solution that helps SOCs achieve security outcomes that meet today’s demands and tomorrow’s challenges. With CrowdStrike and Cribl, […]

Billie Eilish is Apple Music’s Artist of the Year for 2024

Billie Eilish was announced today as Apple Music’s Artist of the Year, recognizing the singer-songwriter’s extraordinary impact throughout 2024. Following a historic second Academy Award win and two additional GRAMMY Awards for her contribution to Greta Gerwig’s feature-length film Barbie, “What Was I Made For?,” Billie released her third full-length album, HIT ME HARD AND […]

Strengthen SMB Security with Seamless Mobile Protection

Small and medium-sized businesses (SMBs) face many of the same cybersecurity threats as large enterprises but often lack the resources to maintain robust security across all devices. As SMBs rely on a growing number of smartphones and tablets, they must defend against a range of mobile-focused cyberattacks. The need for comprehensive security has never […]

NVIDIA Accelerates Google Quantum AI Processor Design With Simulation of Quantum Device Physics

NVIDIA CUDA-Q Platform Enables Google Quantum AI Researchers to Create Massive Digital Model of Its Quantum Computer to Solve Design Challenges NVIDIA announced it is working with Google Quantum AI to accelerate the design of its next-generation quantum computing devices using simulations powered by the NVIDIA CUDA-Q™ platform. Google Quantum AI is using the hybrid quantum-classical […]

Hackers Exploiting NFCGate to Steal Funds via Mobile Payments

Nov 20, 2024Ravie LakshmananPayment Security / Cybercrime Threat actors are increasingly banking on a new technique that leverages near-field communication (NFC) to cash out victim’s funds at scale. The technique, codenamed Ghost Tap by ThreatFabric, enables cybercriminals to cash-out money from stolen credit cards linked to mobile payment services such as Google Pay or Apple […]

Apple shares the most popular podcasts of 2024

Today, Apple shared the most popular podcasts of 2024, with year-end charts localized for listeners in nearly 100 countries and regions. The 2024 charts are available in the Browse tab through the end of the year, and include the top podcasts overall, the top new shows that debuted this year, the most followed shows, the […]

Pangu Releases Updated Jailbreak of iOS 9 Pangu9 v1.2.0

Pangu has updated its jailbreak utility for iOS 9.0 to 9.0.2 with a fix for the manage storage bug and the latest version of Cydia. Change log V1.2.0 (2015-10-27) 1. Bundle latest Cydia with new Patcyh which fixed failure to open url scheme in MobileSafari 2. Fixed the bug that “preferences -> Storage&iCloud Usage -> […]

Apple Blocks Pangu Jailbreak Exploits With Release of iOS 9.1

Apple has blocked exploits used by the Pangu Jailbreak with the release of iOS 9.1. Pangu was able to jailbreak iOS 9.0 to 9.0.2; however, in Apple’s document on the security content of iOS 9.1, PanguTeam is credited with discovering two vulnerabilities that have been patched.

Pangu Releases Updated Jailbreak of iOS 9 Pangu9 v1.1.0

Pangu has released an update to its jailbreak utility for iOS 9 that improves its reliability and success rate. Change log V1.1.0 (2015-10-21) 1. Improve the success rate and reliability of jailbreak program for 64bit devices 2. Optimize backup process and improve jailbreak speed, and fix an issue that leads to fail to […]

Activator 1.9.6 Released With Support for iOS 9, 3D Touch

Ryan Petrich has released Activator 1.9.6, an update to the centralized gesture, button, and shortcut manager, that brings support for iOS 9 and 3D Touch.

JBL Flip 6 Portable Bluetooth Speaker (Open Box) for $74

Navee V25 300W Foldable e-Scooter for $299

Smart Tracker Includes Key Ring – Works with Apple Find My App (2-Pack) for $34

Harmony Premium Plan Lifetime Subscription for $99

Lenovo 11.6" 100e Chromebook 2nd Gen (2019) MediaTek MT8173C 4GB RAM 16GB eMMC (Refurbished) for $54