Subzero Malware Employed by Private-Sector Threat Actor

Security researchers with Microsoft's Threat Intelligence Center released a report on a piece of malware developed by a private-sector threat actor.

The malware in question is called Subzero and the entity using it is referred to as KNOTWEED, believed to operate out of Austria. The Subzero malware was used in attacks using several zero-day vulnerabilities in Windows and Adobe Reader.

The Subzero malware was primarily distributed using the abovementioned exploits but also used other attack vectors. The targets that suffered Subzero were located in Austria, the United Kingdom and Panama.

The Subzero malware reportedly has the ability to escape sandbox environments through a malicious DLL written to disk through the Adobe process, eventually allowing for "system-level code execution".

The malware was also deployed using a malicious Excel file, dressed up to look like a real estate document. According to Microsoft, the malicious macro inside the Excel file was heavily obfuscated using text strings and Excel 4.0 macro strings.

The Subzero malware is detected and listed as "Jumplump" and "Corelump" inside Windows Defender, respectively referring to the persistent loader and the main malware payload.

August 3, 2022