"The exploit chain starts," explained Microsoft, "with writing a malicious DLL to disk from the sandboxed Adobe Reader renderer process. The CVE-2022-22047 exploit was then used to target a system process by providing an application manifest with an undocumented attribute that specified the path of the malicious DLL.
"Then, when the system process next spawned, the attribute in the malicious activation context was used, the malicious DLL was loaded from the given path, and system-level code execution was achieved."
Other attacks were tracked in 2021, utilizing vulnerabilities patched that year. One deployment was traced to an Excel file masquerading as a real estate document containing a malicious Excel 4.
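The manifest step in the chain Microsoft describes above hinges on an attribute that is undocumented and not named on this page, so a scanner cannot look for it by name. What a defender can do is walk every attribute in an application manifest and flag any value that names a DLL by absolute path, since documented manifests reference DLLs only by relative file name in `<file name="...">`. The following is an added example written for this article, not Microsoft's or Knotweed-related code; the two manifests, the element and attribute names in the suspicious one (`hypotheticalAttr`), and the "absolute path ending in .dll" heuristic are all assumptions constructed for illustration.

```python
"""Heuristic scan of Windows application manifests for DLL-path attributes.

Added example, not code from the original article or from Microsoft.
Assumption: legitimate manifests only name DLLs by relative file name
(e.g. <file name="foo.dll"/>), so any attribute whose value is an absolute
path to a .dll is worth a closer look, regardless of the attribute's name.
"""
import re
import xml.etree.ElementTree as ET

# Assumed heuristic: an absolute Windows path (drive letter or UNC) ending in .dll
ABS_DLL_PATH = re.compile(r"^(?:[A-Za-z]:\\|\\\\)[^<>|\r\n]*\.dll$", re.IGNORECASE)


def _local(name: str) -> str:
    """Strip an XML namespace prefix such as {urn:schemas-microsoft-com:asm.v1}."""
    return name.split("}", 1)[-1] if "}" in name else name


def find_dll_path_attributes(manifest_xml: str):
    """Return (element, attribute, value) for every attribute in the manifest
    whose value is an absolute path to a DLL. An empty list means nothing
    matched the heuristic, not that the manifest is safe."""
    root = ET.fromstring(manifest_xml)
    hits = []
    for elem in root.iter():
        for attr, value in elem.attrib.items():
            if ABS_DLL_PATH.match(value.strip()):
                hits.append((_local(elem.tag), _local(attr), value))
    return hits


# Constructed sample manifests for demonstration; not artefacts from the campaign.
BENIGN_MANIFEST = r"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity name="Contoso.Sample" version="1.0.0.0" type="win32"/>
  <file name="sample.dll"/>
</assembly>
"""

# 'hypotheticalAttr' is a made-up attribute name standing in for an
# undocumented one; it is not the attribute used in the real exploit.
SUSPICIOUS_MANIFEST = r"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity name="Contoso.Sample" version="1.0.0.0" type="win32"/>
  <file name="sample.dll" hypotheticalAttr="C:\Users\Public\evil.dll"/>
</assembly>
"""


if __name__ == "__main__":
    for label, text in (("benign", BENIGN_MANIFEST), ("suspicious", SUSPICIOUS_MANIFEST)):
        print(label, find_dll_path_attributes(text))
```

The scan deliberately keys on the value rather than the attribute name, so it does not need to know which attribute the exploit abuses; the cost is that it misses relative-path or obfuscated values, and a tighter version would also compare each attribute against an allowlist of the documented manifest schema.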
Once in, the malware lurks in memory and can capture screenshots, perform keylogging, exfiltrate files, run a remote shell and download plug-ins from Knotweed's C2 server. Investigators have identified a host of IP addresses under the control of Knotweed. Depressingly, Microsoft noted "this infrastructure, largely hosted by Digital Ocean and Choopa, has been actively serving malware since at least February of 2020 and continues through the time of this writing."