Austrian Investigation Reveals Spyware Targeting Law Firms, Finance Institutions

The Austrian government said on Friday it was investigating a company based within the nation’s territory for allegedly developing spyware targeting law firms, banks, and consultancies across at least three countries.

The news comes days after Microsoft’s Threat Intelligence Center (MSTIC) said it found malware called Subzero (CVE-2022-22047) deployed in 2021 and 2022.

According to the tech giant, Subzero was developed by Vienna-based company DSIRF (tracked by Microsoft under the codename KNOTWEED), and deployed through a variety of methods, including 0-day exploits in Windows and Adobe Reader.

For context, DSIRF operates under the guise of helping multinational corporations conduct risk analysis and collect business intelligence.

However, Microsoft’s advisory has linked the company to the sale of spyware used for unauthorized surveillance.

“Observed victims to date include law firms, banks, and strategic consultancies in countries such as Austria, the United Kingdom, and Panama,” MSTIC wrote.

“It’s important to note that the identification of targets in a country doesn’t necessarily mean that a DSIRF customer resides in the same country, as international targeting is common.”

Microsoft said it found multiple links between DSIRF and the exploits and malware used in these attacks. 

“These include command-and-control infrastructure used by the malware directly linking to DSIRF, a DSIRF-associated GitHub account being used in one attack, a code signing certificate issued to DSIRF being used to sign an exploit, and other open-source news reports attributing Subzero to DSIRF.”

Additionally, the security researchers explained that, while exploiting CVE-2022-22047 requires the attacker to be able to write a DLL to disk, the threat model of sandboxes such as those in Adobe Reader and Chromium does not treat the ability to write files to a path the attacker cannot control as dangerous.

“Hence, these sandboxes aren’t a barrier to the exploitation of CVE-2022-22047.”

Microsoft confirmed that the exploit used by DSIRF has now been patched in a security update.

“Microsoft Defender Antivirus detects the malware tools and implants used by KNOTWEED starting with signature build 1.371.503.0.” 

Despite the advisory, Austria's interior ministry said it had not recently received reports of any incidents. DSIRF also denied the claims in an article published by Austria's Kurier newspaper.
