Kaspersky has published additional details concerning The Equation Group’s toolset, and has revealed the EquationDrug cyberespionage platform as a potent and long-lasting campaign.
Originally revealed at the Kaspersky Labs Security Analyst Summit in February, the security firm said a cybercriminal group dubbed “The Equation Group” surpasses all others in complexity and techniques. Deemed the “ancestor” of Stuxnet and Flame, as Zero Days were used by The Equation Group before other threat actors — and potentially shared by them — additional details concerning the group’s activities now suggest the group may have been in operation since the 1990’s.
According to Kaspersky Lab researchers, The Equation Group uses expensive tools and sophisticated Trojans to steal data from their victims, and they also use “classic” spying techniques to deliver malicious payloads. Tools used by the group include EquationLaser, EquationDrug, DoubleFantasy, TripleFantasy, Fanny and GrayFish.
The threat actors use a command and control (C&C) center compromising of over 300 domains and more than 100 servers hosted in countries including the US and UK. One part of the network is EquationDrug, a full cyberespionage platform which dates back to 2003. Kaspersky says EquationDrug is the main platform used by the group in cyberespionage. EquationDrug is the main platform used by the group in cyberespionage.
EquationDrug includes a framework which allows specific modules to be deployed on the machines of victims. The platform can be extended through plugins and modules, but is pre-built with a default set of plugins which support basic spying activities — such as file theft and screenshot capture.
However, the EquationDrug platform does show elements of sophistication through the storage of stolen data inside a custom-encrypted virtual file system before it is sent to the C&C center.
When it comes to platform architecture, EquationDrug includes dozens of executables, configurations and protected storage locations. EquationDrug resembles a “mini operating system,” according to Kaspersky, due to the use of kernel-mode and user-mode components which interact with each other via a custom message-passing interface. The platform also includes a set of drivers, a platform core and individually labeled plugins. Some modules are statically linked to the platform core, while others load on demand, according to the team.
To date, Kaspersky has uncovered 30 unique plugin IDs, but admits that up to 86 other modules are still in the wild and have yet to be discovered.
“The plugins we discovered probably represent just a fraction of the attackers’ potential. Each plugin is assigned a unique plugin ID number (WORD), such as 0x8000, 0x8002, 0x8004, 0x8006, etc. All plugin IDs are even numbers and they all start from byte 0x80. The biggest plugin ID we have seen is 0x80CA,” Kasperksky says.
The most interesting modules which have been uncovered to date contain functions such as network traffic interception and rerouting and reverse DNS resolution. In addition, some modules focus on computer management and are able to start and stop processes, load drivers and libraries, and gather information about a victim including OS version, location, keyboard layout and timezone. Other interesting functionalities include:
- Collection of cached passwords.
- Enumeration of processes and other system objects.
- Monitoring live user activity in web browsers.
- Low-level NTFS filesystem access based on the popular Sleuthkit framework.
- Monitoring removable storage drives.
- Passive network backdoor (runs Equation shellcode from raw traffic).
- HDD and SSD firmware manipulation.
- Keylogging and clipboard monitoring.
- Browser history, cached passwords and form auto-fill data collection.
The Equation Group is not the only threat actor to use an espionage platform. Regin and Epic Turla also use the same tactic in their campaigns.
An analysis of the platform suggests that developers are English-speaking. However, as noted by Kaspersky, there is a limit number of text strings so its hard to tell if the developers were native. Kaspersky also says the working hours of Equation developers tend to be within the Monday to Friday bracket, and in the UTC timezone, hours worked appear to relate to the traditional 9-5 working day.
EquationDrug has been in use for at least the past 10 years, but considering the existence of components designed to run on Windows 9x, the security researchers believe The Equation Group may have been in operation since the 1990’s. The platform, potentially used by nation-state attackers considering its sophistication, budget and size, separates itself from traditional cybercriminals due to the groups’ sophisticated framework and selection of particular victims. Kaspersky says:
“It is clear that nation-state attackers are looking for better stability, invisibility, reliability and universality in their cyberespionage tools. You can make a basic browser password-stealer or a sniffer within days. However, nation-states are focused on creating frameworks for wrapping such code into something that can be customized on live systems and provide a reliable way to store all components and data in encrypted form, inaccessible to normal users.
While traditional cybercriminals mass-distribute emails with malicious attachments or infect websites on a large scale, nation-states create automatic systems infecting only selected users. While traditional cybercriminals typically reuse one malicious file for all victims, nation-states prepare malware unique to each victim and even implement restrictions preventing decryption and execution outside of the target computer.”