The Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) found that the spyware developer — officially named DSIRF and codenamed KNOTWEED — developed a spyware called ‘Subzero’ that was used to target law firms, banks, and consultancy firms in the UK, Austria and Panama.
“It’s important to note that the identification of targets in a country doesn’t necessarily mean that a DSIRF customer resides in the same country, as international targeting is common,” the company said in a blogpost late on Wednesday.
MSTIC has found multiple links between DSIRF and the exploits and malware used in these attacks.
These include command-and-control infrastructure used by the malware directly linking to DSIRF, a DSIRF-associated GitHub account being used in one attack, a code signing certificate issued to DSIRF being used to sign an exploit, and other open-source news reports attributing Subzero to DSIRF.
Such cyber mercenaries sell hacking tools or services through a variety of business models.
Two common models for this type of actor are access-as-a-service and hack-for-hire.
In access-as-a-service, the actor sells full end-to-end hacking tools that can be used by the purchaser in operations, with the private-sector offensive actor (PSOA) not involved in any targeting or running of the operation.
In hack-for-hire, detailed information is provided by the purchaser to the actor, who then runs the targeted operations.
Microsoft said that KNOTWEED may blend these models: they sell the Subzero malware to third parties but have also been observed using KNOTWEED-associated infrastructure in some attacks, suggesting more direct involvement.
“Customers are encouraged to expedite deployment of the July 2022 Microsoft security updates to protect their systems against exploits,” the company advised.