Equation APT Group Attack Platform: A Study in Stealth

The EquationDrug cyberespionage platform is a complicated system that is used selectively against only certain target machines, one that can be extended via a collection of 116 malware plug-ins, researchers at Kaspersky Lab said.

Spies thrive only when they are able to quietly infiltrate targets and slither away unnoticed; the principle holds whether the world in question is physical or digital.

The recently uncovered Equation APT group is a prime example of the investment nation-state sponsored attackers make in stealth. The group, which researchers at Kaspersky Lab speculate has been active since 2001, and perhaps as far back as 1996, took great pains to keep this high-value espionage platform from being detected. It was selective about whom it was deployed against, found unusual ways to store stolen data, and developed more than 100 plug-ins, each with a specific function, that are deployed only to particular targets holding particular information.

Equation, announced in February during the Kaspersky Security Analyst Summit, has been linked to the developers of Stuxnet, Flame and other advanced actors. It has one of the biggest malware and exploit arsenals at its disposal, including one of the first modules enabling attackers to reprogram HDD or SSD firmware from more than a dozen vendors.

Today, researchers at Kaspersky Lab released a deeper analysis of the older attack platform used by the Equation group. EquationDrug is a complete platform that is selectively installed on targets' computers. It is used to deploy any of 116 modules (Kaspersky says it has found only 30 so far); the modules support a variety of cyberespionage functions ranging from data exfiltration to monitoring a target's activities both locally and on the Web.

“The architecture of the whole framework resembles a mini-operating system with kernel-mode and user-mode components carefully interacting with each other via a custom message-passing interface. The platform includes a set of drivers, a platform core (orchestrator) and a number of plugins,” Kaspersky researchers wrote in a report. “Every plugin has a unique ID and version number that defines a set of functions it can provide. Some of the plugins depend on others and might not work unless dependencies are resolved.”

The 30 modules analyzed by Kaspersky represent a broad cross-section of the capabilities present in the EquationDrug platform. Many of the modules perform system-level functions, gathering data specific to the target computer such as operating system version, time zone details, Windows Management Instrumentation (WMI) data, and much more. There are also modules that allow the attackers to manage target computers, enabling them to manipulate processes, load drivers and libraries, or manage files and directories. Network traffic can be captured or redirected; one module, for example, tampers with DNS resolution.

Other modules keep tabs on user activity: they learn what network shares and resources the machine has access to, steal cached passwords, monitor live user activity in web browsers along with browser history, monitor removable storage usage, log keystrokes and clipboard contents, and run a passive backdoor that executes Equation shellcode received in raw network traffic.

EquationDrug is an older version of the Equation attack platform; it cannot run on modern operating systems, Kaspersky Lab said, because it checks whether the OS is newer than Windows XP/2003 and will not run there. Some plugins support Windows 95/98/ME machines. The updated GrayFish platform is used for newer versions of Windows.

Kaspersky researchers said they also studied code artifacts and analyzed timestamps inside EquationDrug, concluding from the limited number of text strings they were able to deobfuscate that the attackers are native English speakers. The link timestamps also indicate that its developers generally worked a Monday-through-Friday, 9-to-5 week in the UTC-3 or UTC-4 time zone.
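The working-week inference above is a standard attribution technique: read the link timestamp from each sample's PE header, then find the UTC offset at which the most builds land on weekdays between 9 and 17 local time. The following is an added example that is not part of the Kaspersky report or of any Equation code; the parser and the sample timestamps (three weeks of constructed Mon-Fri builds in UTC-4, not real link times) are assumptions made here for illustration.

```python
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone


def pe_link_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since 1970-01-01 UTC) of a PE image.

    IMAGE_DOS_HEADER.e_lfanew (offset 0x3C) points at the 'PE\\0\\0' signature;
    the 20-byte COFF file header follows it, and TimeDateStamp sits 4 bytes in,
    after the Machine and NumberOfSections fields.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return ts


def minimal_pe_header(ts: int) -> bytes:
    """Constructed test data: the smallest header the parser accepts (not a real binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> right after the DOS header
    # Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


def _on_the_clock(ts: int, tz: timezone, work_start: int, work_end: int) -> bool:
    local = datetime.fromtimestamp(ts, tz)
    return local.weekday() < 5 and work_start <= local.hour < work_end


def best_utc_offset(timestamps, work_start=9, work_end=17):
    """Score every whole-hour UTC offset by how many link times fall on a
    Monday-to-Friday working day inside [work_start, work_end) local time.
    Returns (best_offset, {offset: count}); ties go to the offset nearest UTC."""
    scores = {}
    for off in range(-12, 15):
        tz = timezone(timedelta(hours=off))
        scores[off] = sum(_on_the_clock(ts, tz, work_start, work_end) for ts in timestamps)
    best = max(scores, key=lambda o: (scores[o], -abs(o)))
    return best, scores


def activity_profile(timestamps, offset: int):
    """Weekday and hour-of-day histograms in the chosen zone, for eyeballing the fit."""
    tz = timezone(timedelta(hours=offset))
    days, hours = Counter(), Counter()
    for ts in timestamps:
        local = datetime.fromtimestamp(ts, tz)
        days[local.strftime("%a")] += 1
        hours[local.hour] += 1
    return days, hours


def constructed_sample():
    """Constructed link times (assumption, not real data): three weeks of Mon-Fri
    builds at 09:30, 11:30, 14:30 and 16:30 in UTC-4, starting Monday 2010-03-01."""
    tz = timezone(timedelta(hours=-4))
    stamps = []
    for week in range(3):
        for weekday in range(5):
            for hour in (9, 11, 14, 16):
                d = datetime(2010, 3, 1 + 7 * week + weekday, hour, 30, tzinfo=tz)
                stamps.append(int(d.timestamp()))
    return stamps


def analyze(blobs):
    """Pull link times out of a set of PE images and fit a working-hours time zone."""
    stamps = [pe_link_timestamp(b) for b in blobs]
    best, scores = best_utc_offset(stamps)
    return best, scores, stamps


if __name__ == "__main__":
    blobs = [minimal_pe_header(ts) for ts in constructed_sample()]
    best, scores, stamps = analyze(blobs)
    days, hours = activity_profile(stamps, best)
    print(f"best fit: UTC{best:+d} ({scores[best]}/{len(stamps)} builds in working hours)")
    print("weekdays:", dict(days))
    print("hours:", dict(sorted(hours.items())))
```

On the constructed sample the fit is unambiguous (UTC-4 scores 60/60, its neighbours 45/60), but on real corpora the neighbouring offsets are often close, which is why Kaspersky reports a UTC-3 or UTC-4 band rather than a single zone. The caveat a practitioner should keep in mind: the TimeDateStamp is a 32-bit field the linker can be told to zero or fake, so the inference only carries weight when it is consistent across many independently built samples.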

While Equation demonstrates some of the same sophistication seen in other APT groups, and even in some criminal groups, it went to great lengths to hide itself while remaining stable and reliable. For example, the attackers' use of the firmware module gives them persistence that outlives reformatting of the drive, while another module creates a hidden, encrypted storage area on the hard drive where stolen data is kept, invisible to the target.

“The EquationDrug case demonstrates an interesting trend that we have been seeing while analyzing supposedly nation-state cyberattack tools: a growth in code sophistication,” Kaspersky researchers wrote. “It is clear that nation-state attackers are looking for better stability, invisibility, reliability and universality in their cyberespionage tools.”

The report also shares technical details on the 30 plugins discovered so far, as well as information on libraries, sniffers, backdoors and other information that can be used as indicators of compromise.
