Microsoft has reported that a European private-sector offensive actor (PSOA) developed malware used in a series of targeted attacks against Microsoft customers in Europe and Central American countries from July 27, 2022.
The APT group, named “KNOTWEED E” by Microsoft, is targeting several strategic industries and high-profile customers. All of the victims that Microsoft has identified so far are located in Europe or Central American countries – meaning there are likely more attacks than the company has found.
The KNOTWEED E attacks use a relatively old technique, leveraging phishing emails and staged websites to target users with a Remote Desktop Protocol (RDP) exploit. The RDP flaw was patched on March 12, 2018.
According to Microsoft, the phishing emails are directed at senior executives in the energy industry and contain a link to a “poisoned” website.
The malicious RDP payload that KNOTWEED E uses includes a stage 0 binary containing an embedded 32-bit Windows utility library, which in turn carries an embedded library of exploits. Many of these exploits are publicly disclosed or expired, but on July 27, 2022, the group used a zero-day flaw (CVE-2022-4125) that had not yet been identified in the wild. The exploit code in this case was developed by, and is linked to, Hacking Team, an Italian company that sells offensive security tools to governments and law enforcement agencies.
The malicious code dropped by the exploit embeds itself as a module in svchost.exe, a core Windows service host that loads kernel32.dll and other Windows APIs and services. This is the second time Microsoft has spotted this technique: it was also used in attacks such as vDos, conducted by the Lazarus Group against South Korea in October 2016.
These modules may be zero-day exploits simply due to classification, but it is impossible to say for sure at this point.
Source: Untangling KNOTWEED: European private-sector offensive actor using 0-day exploits - AlienVault - Open Threat Exchange