Law firms, banks and strategy consulting firms in Austria, the United Kingdom and even Panama: all of these organizations have been spied on by a company called DSIRF. Registered in Austria, this company exploited vulnerabilities in Microsoft Windows and Adobe's PDF reader to collect data from victims' computers. Researchers from the Microsoft Threat Intelligence Center (MSTIC) detected these attacks and identified their author.
The malicious tools, the certificates used and a GitHub account led the members of MSTIC to this company, which operates as a cyber mercenary. Microsoft dubbed the attacker Knotweed. In May 2022, MSTIC discovered remote code execution via Adobe Reader. It was chained with a Windows zero-day vulnerability, now identified as CVE-2022-22047 and since fixed.
The vulnerability allowed elevation of privilege in order to take control of the computer. The payload was malware developed by DSIRF, dubbed SubZero, which grants full control over the compromised system. It was delivered in a PDF document or a macro-enabled Excel file sent to the victim by email.
A private company specializing in this kind of operation is nothing new. This was the case last year with the Israeli company NSO and its Pegasus software, which targeted journalists, lawyers, politicians and activists. The clients of these companies are very often states.