
Microsoft: Austrian company DSIRF selling Subzero malware

Microsoft said Austrian penetration testing firm DSIRF exploited multiple zero-day vulnerabilities, including the recently patched CVE-2022-22047.

An Austrian company is using zero-day exploits and malware to compromise a number of organizations in Europe and Central America, according to a Microsoft blog published Wednesday.

The company in question is DSIRF, which Microsoft accused of being a "private-sector offensive actor" (PSOA). According to DSIRF's website, the company provides penetration testing as well as "mission-tailored services in the fields of information research, forensics as well as data-driven intelligence to multinational corporations in the technology, retail, energy and financial sectors."

According to Microsoft, however, DSIRF is a threat actor conducting "limited and targeted attacks" against organizations using Windows and Adobe zero-day vulnerabilities as well as malware known as "Subzero." One of the zero-days is CVE-2022-22047, a bug that affects Windows' Client Server Runtime Subsystem, which was fixed as part of this month's Patch Tuesday. Microsoft tracks DSIRF as "KNOTWEED."

PSOAs, the tech giant said, are "cyber mercenaries" that sell hacking tools or services as part of their business model. Often these organizations either sell access through end-to-end hacking tools, or conduct the offensive hacking operations themselves. One prominent example of a PSOA is the infamous Israeli spyware vendor NSO Group.

DSIRF allegedly combines the two models.

"Based on observed attacks and news reports, MSTIC believes that KNOTWEED may blend these models: they sell the Subzero malware to third parties but have also been observed using KNOTWEED-associated infrastructure in some attacks, suggesting more direct involvement," Microsoft's blog post read.

Microsoft is not the first to note a connection between DSIRF and the sale of malware. German news site Netzpolitik covered Subzero last December, for example.

The Microsoft Threat Intelligence Center (MSTIC) tracked Subzero activity between 2021 and 2022, and found at least one instance where a Subzero victim "had not commissioned any red teaming or penetration testing, and confirmed that it was unauthorized, malicious activity." Alleged victims included banks, law firms and strategic consultancies in countries such as Austria, Panama and the United Kingdom.

Microsoft said it established "multiple links" between DSIRF and the zero-day exploits and Subzero malware.

"These include command-and-control infrastructure used by the malware directly linking to DSIRF, a DSIRF-associated GitHub account being used in one attack, a code signing certificate issued to DSIRF being used to sign an exploit, and other open-source news reports attributing Subzero to DSIRF," Microsoft said.

Additional technical details are available in the blog post.

Neither Microsoft nor DSIRF has responded to SearchSecurity's request for comment at press time.

Alexander Culafi is a writer, journalist and podcaster based in Boston.
