Solved: Subzero Spyware Secret — Austrian Firm Fingered

DSIRF GmbH codenamed ‘Knotweed’ by Microsoft and RiskIQ. This unknown Austrian company is accused of selling the powerful, pernicious spyware Subzero.

By exploiting a range of Microsoft and Adobe zero-days, the malware spied on journalists, dissidents and corporations for over a year. Microsoft obviously feels it has enough evidence to blame DSIRF, labeling it a “private sector offensive actor” (PSOA).

What can be done? In today’s SB Blogwatch, we count the ways.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Peak RutH.


What’s the craic? Richard Speed quickly reports—“Cyber mercenaries attacking private sector”:

A sobering reminder
Dubbed Knotweed by Microsoft … the private sector targeting crew has made use of multiple Windows and Adobe zero-day exploits in attacks against European and Central American customers: … “Observed victims to date … include law firms, banks, and strategic consultancies in countries such as Austria, the United Kingdom, and Panama.”

While the outfit looks very above board, with a website rammed full of business-speak concerning information gathering and the company’s 20 years of expertise, according to Microsoft … the group is connected to the development and sale of the SubZero malware.

Once in, the malware lurks in memory and can capture screenshots, perform keylogging, exfiltrate files, run a remote shell and download plug-ins from Knotweed’s C2 server. [It’s] a sobering reminder of the race underway between miscreants and researchers.

And Tara Seals barks—“Multiple Windows, Adobe Zero-Days Anchor Knotweed”:

Corporate espionage
Knotweed … is an alias for an Austrian outfit called DSIRF. … Knotweed has made a habit of incorporating rafts of Windows and Adobe zero-day exploits into its spyware since at least 2021, according to Microsoft.

Knotweed falls into a murky category of so-called [PSOAs], which hawk their wares to unscrupulous governments and business interests. These ultra-sophisticated … tools are often used against dissidents, journalists, and other members of civil society, but they’ve been known to enable straightforward corporate espionage too.

And not just Microsoft. Sergiu Gatlan has more—“Windows, Adobe zero-days used to deploy Subzero malware”:

Heavily obfuscated malware loader
Using passive DNS data while investigating Knotweed attacks, threat intelligence firm RiskIQ also found that infrastructure actively serving malware since February 2020 linked to DSIRF, including its official website and domains likely used to debug and stage the Subzero malware.

On compromised devices, the attackers deployed Corelump, the primary payload that runs from memory to evade detection, and Jumplump, a heavily obfuscated malware loader that downloads and loads Corelump into memory. The primary Subzero payload has many capabilities, including keylogging, capturing screenshots, exfiltrating data, and running remote shells and arbitrary plugins downloaded from its command-and-control server.

Something should be done. Microsoft’s Cristin Goodwin is “Continuing the fight”:

Unscrupulous use of surveillance technologies
Today we are … submitting written testimony to the House Permanent Select Committee on Intelligence Hearing on “Combatting the Threats to U.S. National Security from the Proliferation of Foreign Commercial Spyware.” This describes how we are increasingly seeing PSOAs selling their tools to authoritarian governments that act inconsistently with the rule of law and human rights norms.

We welcome Congress’s focus on the risks and abuses we all collectively face from the unscrupulous use of surveillance technologies and encourage regulation to limit their use … around the world. We will continue to advocate around policy solutions to address the dangers caused when PSOAs build and sell weapons.

What’s the real issue here? coslie sounds stoic:

The real issue here is that the law is pretty much optional if you have an office and a suit, and in this case apparently a flashy brochure or something. If you pulled these kind of stunts while eating Cheetos wearing sweatpants in your basement, the authorities would be all over you.

That near impunity is at … the root of most of the big problems facing us today.

Who’s wearing these suits? @CounterPillow channels some Austrian public records:

By golly, I’m gonna found a successful business called DSIRF selling malware to state actors out of Vienna, or my name wouldn’t be Julian-Thomas Erdödy, born 26th of October 1989, residing at Bandgasse 28/3 in Vienna.

Anyone else? Sique alleges an allegation:

DSIRF seems to be involved with Jan Marsalek, who was the COO of the scandalous, [allegedly] fraudulent and finally bankrupt fintech company Wirecard. Jan Marsalek was [allegedly] known to brag about his connection to different intelligence agencies, and is now a fugitive with a world wide warrant outstanding.

As if that weren’t enough, kevloral digs up yet more alleged murk:

On top of that, it also seems the company has close ties to Russia.

Meanwhile, revisionz suggests a way Microsoft might fix it:

Maybe don’t have *****y software and a complete desktop monopoly.

And Finally:

Are we over this RutH thing yet?

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Erwin (via Pixabay; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 626 posts and counting.See all posts by richi