February 25, 2015

Part II: Solving the mystery of shadow hacker organization The Equation Group

Wade Sims for redOrbit.com - Your Universe Online

This is a four-part series. Check out Part I if you missed it.

If not, on to Part II:

“Whoa. Déjà vu.” – Neo, The Matrix

Although Kaspersky Lab stopped short of fingering the NSA as the masterminds behind Equation Group, its report left an NSA-shaped dotted line for the rest of us to fill in. The size and sophistication of Equation Group, which operated hundreds of servers and domains for managing its various malware platforms, lends credence to the idea that the group was large and well-financed enough to be a state-sponsored operation. Most infected computers are in countries of interest to U.S. intelligence, like China, Russia, Pakistan, Iran, and Syria.

Most telling, however, is the similarity of sophistication and techniques between Equation Group’s malware platforms and those of the Stuxnet and Regin viruses, which Edward Snowden revealed were used by the NSA. One of the tools in the Equation Group malware platform is a state-of-the-art keylogger that Equation Group refers to in the malware source code as “Grok,” which is also the name of an NSA-developed keylogger as leaked by Edward Snowden. Another source code reference mentions the code words “STRAITACID” and “STRAITSHOOTER,” which bear significant resemblance to a known NSA malware platform called “STRAITBIZARRE.” Additionally, Equation Group used at least four zero-day vulnerabilities – software holes unknown to the vendor and to the general public – two of which were incorporated into the Stuxnet virus.

Another malware distributable of the Equation Group platform known as “Fanny” infected USB keys to perform reconnaissance on sensitive air-gapped networks like that of Iran’s uranium enrichment facility. The program behaved similarly to, and even used many of the same exploits as, the NSA-deployed Stuxnet virus. In fact, some of the original computers used to distribute the Stuxnet worm to Iran’s Natanz facility were infected with Equation Group malware, leading researchers to wonder if the Equation Group malware was used to deliver the Stuxnet payload.

Couple the similarities with the highly advanced skills of the Equation Group members and the group’s ability to perform covert interdiction of U.S. mail, and one starts to see the digital fingerprints of the NSA.

However, the NSA may not be the only player involved; Kaspersky noted that at least one infected computer contained both an Equation Group malware package and the Regin malware package that performed essentially the same functions, leading researchers to think that the APTs behind both packages may not be the same entity.

“Choice is an illusion created between those with power and those without.” –Merovingian, The Matrix Reloaded

[Figure: Equation Group malware family. Credit: Kaspersky]

Rather than infect computers with a single virus, APTs will infect computers with malware platforms that contain a variety of tools all used to accomplish different nefarious things. Like an evil version of Microsoft Office, each malware program has its own specialty but can interoperate with other malware programs in the same package.

Kaspersky has found at least six malware programs in the Equation Group’s malware platform.

EQUATIONLASER is an early implant mechanism used from 2001 to 2004, often embodied as a Trojan dropper used to infect Windows 95/98 machines. The malware was designed to deliver the Equation Group payload to a machine. It has since been upgraded to the EquationDrug malware.

DOUBLEFANTASY is a new Trojan-style malware often delivered through a web-based exploit such as a security hole in Java. DoubleFantasy gets dropped onto machines relatively indiscriminately. The DoubleFantasy Trojan then activates and determines whether the machine it is on is an intended target. If the machine is a target, it surreptitiously installs either the EquationDrug or GrayFish malware package.

EQUATIONDRUG is a highly sophisticated attack tool used from 2003 to 2013. In addition to using virtual file systems, EquationDrug is one of two malware packages known to be able to rewrite hard drive firmware, making itself immune to hard drive reformatting. Its modules can also be dynamically loaded and unloaded by the attackers at will.

GRAYFISH replaced EquationDrug as the most sophisticated attack tool in Equation Group’s arsenal. The malware encrypts itself into the operating system’s registry and uses a bootkit to gain execution on startup. Like EquationDrug, GrayFish is capable of reflashing hard drives but ups the number of drive models from six to twelve.

To date, GrayFish is the most complex malware platform ever seen. Security researchers at Kaspersky know only a fraction of its capabilities, since much of its code sits behind four to five layers of as-yet unbroken encryption.

The fact that GrayFish can gain control of an operating system through a bootkit, injecting its code into the boot record, means that the malware may be capable of absolutely controlling the computer. “In fact, after infection, the computer is not run by itself anymore: it is GrayFish that runs it step by step, making the necessary changes on the fly,” the Kaspersky report explains.

As GrayFish starts Windows, the malware engages in multi-stage decryption, transforming encrypted code into weaponized code for deployment within Windows and running modules stored within the Windows registry. Each stage depends on the proper decryption and execution of the previous stage; if any error occurs, GrayFish assumes that it has been compromised and self-destructs.

[Figure: GrayFish architecture]

The Volume Boot Record (VBR) is responsible for loading an operating system like Windows. GrayFish injects a piece of code called the Pill (a Matrix reference to the red pill/blue pill choice) which hijacks the operating system and takes control of it similar to how Morpheus and crew “hijacked” Neo’s feed from control by the machines. If the Pill cannot be swallowed by the bootloader for some reason, GrayFish falls back to a secondary, less secure polymorphic executable called BBSVC. Polymorphic executables fill themselves with random data, making their true intentions difficult to detect. Continuing in Matrix analogies, BBSVC is similar to making a cell phone call to the outside – you could expose the system to where you are, but you might be safe in the obscurity of millions of phone calls. Both methods lead to execution of the platform kernel, fvexpy.sys, which presumably gives GrayFish the ability to dodge bullets and fly. (Credit: Kaspersky)
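Because a bootkit of this kind persists by rewriting the Volume Boot Record, the cheapest defensive check is to record a known-good hash of the VBR and periodically re-read the sector and compare it, alongside a sanity check of the fixed NTFS fields. The following is an added example written for this article, not code from Kaspersky or the report; the sample VBRs it builds are constructed stand-ins, and `simulate_vbr_modification` only patches a few bytes to show what the checker flags.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"   # BIOS refuses to boot a sector without this trailer
NTFS_OEM_ID = b"NTFS    "      # bytes 3..10 of a healthy NTFS VBR


def parse_vbr(vbr: bytes) -> dict:
    """Pull the fixed-position NTFS VBR fields out of one 512-byte sector."""
    if len(vbr) != SECTOR_SIZE:
        raise ValueError("VBR must be exactly one 512-byte sector")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", vbr, 11)
    return {
        "jump": vbr[0:3],               # x86 JMP into the boot code
        "oem_id": vbr[3:11],
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "signature": vbr[510:512],
    }


def record_baseline(vbr: bytes) -> str:
    """Hash to store (offline, read-only) when the machine is known to be clean."""
    return hashlib.sha256(vbr).hexdigest()


def check_vbr(vbr: bytes, baseline_sha256: str) -> list:
    """Return findings for a freshly read VBR; an empty list means it matches baseline."""
    findings = []
    fields = parse_vbr(vbr)
    if fields["signature"] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if fields["oem_id"] != NTFS_OEM_ID:
        findings.append("OEM ID is not NTFS")
    if fields["jump"][0] not in (0xEB, 0xE9):   # short or near JMP opcodes
        findings.append("first byte is not a JMP opcode")
    if fields["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        findings.append("implausible bytes-per-sector value")
    if record_baseline(vbr) != baseline_sha256:
        findings.append("sector hash differs from recorded baseline")
    return findings


def make_sample_vbr() -> bytes:
    """Constructed, minimal NTFS-shaped VBR standing in for a clean disk read."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xEB\x52\x90"            # JMP short +0x52; NOP, like real NTFS VBRs
    sector[3:11] = NTFS_OEM_ID
    struct.pack_into("<HB", sector, 11, 512, 8)
    sector[0x54:0x64] = b"\x90" * 16         # placeholder for genuine boot code
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def simulate_vbr_modification(vbr: bytes) -> bytes:
    """Constructed tamper: retarget the entry JMP and drop bytes where a stub would sit."""
    sector = bytearray(vbr)
    sector[1] = 0x7E                         # JMP now lands at 0x80 instead of 0x54
    sector[0x80:0x84] = b"\xE8\x00\x00\x00"  # inert CALL as a stand-in for injected code
    return bytes(sector)
```

The structural checks alone would pass the modified sector, which is exactly why the baseline hash, kept somewhere the running system cannot rewrite, is the check that matters.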

FANNY is a 2008-era computer worm that exploited two zero-day vulnerabilities in Windows that were also used by Stuxnet. Like Stuxnet, Fanny self-replicates from an infected USB stick onto the operating system whenever the USB stick is plugged into the computer. The worm would then collect network information about all computers on the same intranet and save that information to a hidden volume on the USB drive, making the worm extremely useful for mapping air-gapped networks like infrastructure control networks, sensitive financial information servers, and uranium enrichment operations. Whenever the USB stick was plugged back into an Internet-enabled computer, the worm would upload the collected data to servers owned by the Equation Group and download any attack commands against computers on the surveilled networks. If the USB stick were ever reinserted into the air-gapped computer, the attack commands would be executed.

[Figure: Fanny crossing an air gap]

Fanny requires implementation of Pac-Man’s Blinky the Ghost, the Hat Man specter, or a footless bank-thief to penetrate an air-gapped network. (Credit: Kaspersky)

TRIPLEFANTASY is a backdoor program sometimes used in tandem with GrayFish. The malware may be a more recent validator-style plugin and upgrade to the DoubleFantasy validator.

In case you missed it, check out Part I of this four-part series.

Or, move on to Part III.
