Subzero: state Trojan software misused according to Microsoft


A Viennese company is said to have used several 0-day exploits in malware that attacked lawyers and banks. The Viennese company sees "nothing abusive" in it.

Microsoft's security department is pillorying the Viennese DSIRF GmbH under the code name Knotweed: the company has developed, offered for sale and itself used malware called Subzero, which exploits several 0-day vulnerabilities (previously unknown bugs) in Windows and Adobe Reader. Several targets have been hacked and monitored with Subzero since February 2020; known victims are lawyers, banks and strategy consultants in Austria, Panama and Great Britain. DSIRF does not deny this, but denies "abusive" use.

In December, netzpolitik.org published an advertising presentation by DSIRF GmbH, which is said to have been found in the e-mail account of Wirecard manager Jan Marsalek, who fled to Russia. In it, DSIRF describes its own business areas of biometrics, IT evidence preservation, analysis of elections and election campaigns, and cyber warfare. Subzero is advertised as a weapon for the “next generation of online warfare”.

In its statement to voonze online, DSIRF is less martial. Subzero is software that "has been developed for official use in EU countries. It is not offered, sold or made available for commercial use." DSIRF denies improper use without explaining how such an IT weapon could be used correctly and legally, for example against lawyers.

According to Microsoft, DSIRF not only passed on the software but also operated command-and-control servers for it and provided digital certificates. In 2021, Subzero exploited a bug in Adobe Reader (CVE-2021-28550) together with two Windows bugs (CVE-2021-31199 and CVE-2021-31201) to gain elevated privileges on victims' Windows and Windows Server computers. Adobe's May 2021 and Microsoft's June 2021 updates close these holes. A patch for CVE-2021-36948, which Subzero also exploited, followed in August 2021.

Finally, in May 2022, Microsoft found a manipulated PDF document that uses another (probably 0-day) Adobe Reader vulnerability in combination with a 0-day vulnerability in Windows or Windows Server to execute malicious code. The Windows bug can now be fixed with an update (CVE-2022-22047, for Windows 7 through Windows Server 2022). Subzero manages to break out of the Adobe Reader or Chromium browser sandbox, write a malicious library (DLL) to disk and load it later.

According to Microsoft, besides PDF files Subzero also uses Excel files with malicious Visual Basic macros to compromise target systems. Alongside the encrypted malicious code, Subzero downloads a prepared image (JPEG). Hidden in the JPEG is a key with which the malicious code is decrypted. The point: as long as the program code is encrypted, antivirus software cannot inspect it, so no alarm is raised.
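The key-in-image trick, as an added illustration (this is not Subzero's code, and the page does not say how DSIRF actually hid the key): a JPEG carrying a key in the otherwise unused bytes after the end-of-image marker, a toy SHA-256-keystream cipher standing in for whatever Subzero used, and the defender-side check a practitioner would want, a segment walk that reports trailing bytes after the real EOI without being fooled by a nested thumbnail's own EOI. The carrier image, key, payload and signature string are all constructed here.

```python
"""Key hidden in a JPEG, encrypted payload, and a trailing-data check.

Added illustration, not Subzero's code. The page does not say how DSIRF hid
the key, so this assumes the simplest variant: raw key bytes appended after
the JPEG end-of-image marker (FF D9). The cipher is a toy SHA-256 keystream
used only to show why a scanner sees nothing in the encrypted blob.
"""
import hashlib
import struct

SOI = b"\xff\xd8"   # start of image
EOI = b"\xff\xd9"   # end of image


def minimal_jpeg() -> bytes:
    """Constructed stand-in for a real image: SOI, one APP0/JFIF segment, EOI."""
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app0 = b"\xff\xe0" + struct.pack(">H", len(jfif) + 2) + jfif
    return SOI + app0 + EOI


def find_eoi(blob: bytes) -> int:
    """Offset of the real EOI marker.

    Walks marker segments by their length fields and, inside entropy-coded
    scan data, treats FF00 (stuffed byte) and FFD0..FFD7 (restart markers)
    as data, so an FFD9 inside an EXIF thumbnail or a scan is not mistaken
    for the end of the outer image.
    """
    if not blob.startswith(SOI):
        raise ValueError("not a JPEG")
    pos, in_scan = 2, False
    while pos + 1 < len(blob):
        if in_scan:
            nxt = blob.find(b"\xff", pos)
            if nxt < 0 or nxt + 1 >= len(blob):
                break
            m = blob[nxt + 1]
            if m == 0x00 or 0xD0 <= m <= 0xD7:
                pos = nxt + 2           # still scan data
                continue
            pos, in_scan = nxt, False   # a real marker ends the scan
            continue
        if blob[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        m = blob[pos + 1]
        if m == 0xFF:                   # fill byte before a marker
            pos += 1
            continue
        if m == 0xD9:
            return pos
        if m == 0xDA:                   # SOS: header, then entropy-coded data
            in_scan = True
        if m in (0x01, 0xD8) or 0xD0 <= m <= 0xD7:
            pos += 2                    # standalone markers carry no length
            continue
        pos += 2 + struct.unpack(">H", blob[pos + 2:pos + 4])[0]
    raise ValueError("no EOI marker found")


def trailing_bytes(blob: bytes) -> bytes:
    """Bytes after the real EOI. A clean image returns b''; anything else is
    worth a closer look in a triage script, key material or otherwise."""
    return blob[find_eoi(blob) + 2:]


def hide_key(jpeg: bytes, key: bytes) -> bytes:
    """Attacker side: the 'prepared image' is just image + key."""
    return jpeg + key


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Toy stream cipher (SHA-256 counter keystream). Symmetric: the same
    call encrypts and decrypts. Not a claim about Subzero's algorithm."""
    out = bytearray()
    for i, off in enumerate(range(0, len(data), 32)):
        block = hashlib.sha256(key + struct.pack(">I", i)).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


SIGNATURE = b"hypothetical-loader-code"   # what an AV signature would match


def demo() -> dict:
    """Round trip: the encrypted blob hides the signature, the JPEG yields
    the key, decryption restores the payload, and the check fires only on
    the prepared image."""
    key = hashlib.sha256(b"constructed demo key").digest()[:16]
    payload = b"MZ\x90\x00" + SIGNATURE * 4          # constructed payload
    blob = xor_crypt(payload, key)                   # the downloaded "code"
    carrier = hide_key(minimal_jpeg(), key)          # the downloaded "image"
    recovered = trailing_bytes(carrier)
    return {
        "signature_visible_in_blob": SIGNATURE in blob,
        "key_recovered": recovered == key,
        "payload_restored": xor_crypt(blob, recovered) == payload,
        "clean_image_flagged": trailing_bytes(minimal_jpeg()) != b"",
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The check is deliberately cheap: it does not try to decode the image, only to find where the image legitimately ends, which is enough to flag a carrier of this kind in a download log or proxy cache. It will not catch a key hidden inside a comment or APP segment, which is why the trailing-data test belongs beside, not instead of, behavioural detection.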

An important part of the malicious code always remains in volatile main memory so as not to leave traces on disk. Legitimate software libraries (DLL files) and registry entries are manipulated, among other things to make it easier to read stored passwords. According to Microsoft, the servers distributing the malware were mostly hosted by Digital Ocean and Choopa; the relevant IP addresses were in turn connected to several DSIRF domains.

Subzero developer DSIRF says it has launched an internal investigation into its operations. In addition, the Viennese company wants Microsoft to work with an independent expert commissioned by DSIRF to examine the “issues raised”.

Computer keyboard with a button (Image: Tatiana Popova/Shutterstock.com)

Microsoft recommends that customers apply the patch for CVE-2022-22047 quickly and make sure Microsoft Defender Antivirus is on signature update 1.371.503.0 or later. Anyone running MS Excel should check the macro settings. With the Antimalware Scan Interface (AMSI) enabled, macro code can also be scanned at run time. Accounts should be protected with multi-factor authentication, which makes stolen passwords largely useless on their own. Microsoft has also published the known indicators of a Subzero compromise that has already taken place.

After the European data protection organization Epicenter Works filed a statement of facts with the public prosecutor, the Austrian intelligence service DSN (Directorate of State Protection and Intelligence) is now also investigating. Epicenter Works refers to the Criminal Code and states that exporting the "cyberweapon" without a permit would be illegal. The Austrian Ministry of the Interior states that it did not use the spyware itself.

DSIRF's statement to voonze online is signed "DSIRF Management", without naming anyone. According to the Austrian company register, Drazen Mokic has been the sole managing director of DSIRF GmbH since September 2020, when his co-managing director Christian Hauer left. Mokic is also managing director of Guardian GmbH and of the DSIRF subsidiary MSL Machine Learning Solutions GmbH.

The B&C private foundation also holds a stake in MSL. The multi-billion foundation is dedicated to promoting entrepreneurship in Austria. DSIRF GmbH, Guardian and MSL are based in a shared office in Vienna. Irony of history: the Republic's data protection authority is housed in the same building complex.



Main entrance to the building complex Barichgasse 38-42/Ungargasse 59-61 in Vienna III. In addition to DSIRF, the Austrian data protection authority is also based here.

(Image: Daniel AJ Sokolov)

DSIRF GmbH was founded in 2016. Julian-Thomas Erdödy was its first managing director until Valentine's Day 2020, and according to his LinkedIn profile even until the end of 2020. (Another managing director lasted only half a year.) Erdödy's LinkedIn profile says that during the same period (2017-2020) he was also "Solutions Architect, Computer Vision" at a Moscow company that has no obvious web presence.

During Erdödy's time at DSIRF, the company saw an astonishing influx of money: up to and including 2018, the annual financial statements show zero euros in financial investments and balance sheet totals well under one million euros. In 2019, financial investments suddenly jumped to 200.5 million euros and the balance sheet total to over 206 million euros, with only six million euros in liabilities, which were fully repaid the following year. The public annual financial statements do not reveal where a small company in a shared office gets so much money in a single year.

Today, Erdödy apparently works for the Zurich-based Zühlke holding, which, according to its website, develops "sustainable solutions for the future" through "innovation and technological progress". Switzerland was also home to the original owner of DSIRF GmbH, a certain DSR Decision Supporting Information Research and Forensic AG. The company network has since become more complex: today DSIRF GmbH belongs to DSR Decision Supporting Information Research Forensic GmbH (DSR), which is based in the same shared office in Vienna.

There is also a connection to Russia here: DSR Managing Director Stefan Gesslbauer worked in managerial positions in Russia from 2004 to the end of 2016, for the German groups REWE and MediaSaturn. According to Gesslbauer, he was also a board member of the German-Russian Chamber of Commerce Abroad for two years.

DSIRF's parent DSR in turn belongs to Deep Dive Research Lab AG, whose registered office is the same letterbox-company address in Liechtenstein as that of Guardian AG, the owner of Guardian GmbH. The true ownership structure thus remains in the dark.


(ds)