Inside nls_933w.dll, the Equation APT Persistence Module

The persistence module used by the Equation APT Group uncovered by researchers at Kaspersky Lab has been called the ultimate cyberattack tool.

CANCUN – The names called out like beacons from the screen: Samsung; Seagate; Western Digital; Hitachi; Maxtor. Hardware makers were in the crosshairs of the Equation APT group and it was perhaps the worst possible scenario imagined by researchers looking at the frightening and extensive storehouse of capabilities within the attack platform.

By extending its reach into hard drive firmware, for example, this espionage gang had perpetual persistence on compromised machines. No amount of clean-up effort could scrub the nls_933w.dll module from the hardware. None.

“This is an ultimate persistence mechanism, and it has the ultimate resilience to removal. This is a next level of persistence never seen before,” said Vitaly Kamluk, principal security researcher with Kaspersky Lab’s Global Research and Analysis Team. “This is unique and the first time we’ve seen that level of complexity from an advanced actor.”

On Monday during a talk at the Security Analyst Summit, Kamluk called the module an ultimate cyberattack tool, a cornerstone of the so-called Equation group, a 15-year-old operation linked to Stuxnet and Flame by Kaspersky researchers. Equation’s cache of attacks, including several zero-day exploits, has been used for espionage against sensitive targets such as governments, energy companies, embassies, telecoms and many others, primarily in Russia, Syria, Iran and Pakistan.

The module, however, is rarely deployed, according to Kamluk.

“Only a very select list of victims receive this. This is one of the most rare modules I have seen because it is so valuable, so they don’t want to expose it,” Kamluk said. “It’s a precious plugin that’s used only in specific cases with somebody very important.”

Persistence is its main job, and the module does it well. Kamluk said it is likely still in use.

“It’s extremely hard to detect. From the software level it’s impossible,” said Kamluk. “You have to disassemble your PC to take out the hard drive and give it to an expert to dump the firmware. And then we think very few people in the world would be capable of analyzing, comparing and revealing the malicious code within that firmware. It’s an extremely rare specialist in this area.”

According to Kaspersky’s report on Equation, the module has two functions: reprogramming the HDD firmware with a custom payload, and providing an API into hidden storage sectors of the hard drive. This not only gives the attackers eternal persistence that survives disk formatting and operating system reinstalls, but also undetectable persistent storage inside the hard drive itself.

“This module gives us a clear understanding of their capabilities,” Kamluk said.

Kamluk explained that nls_933w.dll contains a driver that drops the malware; that driver is used to interact with the hard drive from the kernel level.

“It’s not that the code was so sophisticated; it used certain sequences of ATA commands to interact with the hard drive, but the sophisticated part was not exposed. It was the [reprogrammed] firmware itself,” Kamluk said. “To master writing the firmware, it takes years to do that. We just saw that the level of sophistication is high because of what they’re capable of doing, but we don’t have the firmware itself.”

Kamluk said that the Equation group is not necessarily exploiting a vulnerability in the traditional sense, but a weakness in the design of the hard drives and how they allow vendors to push firmware updates.

“They left the door open and it may have been open for many years. The trick is that you have to have the full description, full reference of what is the current firmware on the hard drive and how it works. You have to know how to properly write and interact with the equipment to be able to successfully deploy new code. This is extremely complicated and requires a lot of skills and internal knowledge.”

Kamluk speculates the attackers likely had access to internal, proprietary manuals and documentation for each respective vendor. Likely these manuals were stolen, either by an insider or from a separate malware attack.

“They are not exploiting an error in the code. It’s a flaw in the design,” Kamluk said.

As Kaspersky researchers began looking at Equation, finding hundreds of files, all types of plug-ins, this particular module stood out because of the strings discovered that mention the varied hard drive vendors.

“It took months for us to analyze and figure out what this interaction is,” Kamluk said. “We had to learn different ATA commands and how to write to different hardware manufacturers. These are proprietary algorithms and protocols of communication that we had to learn. That’s why it took months for us to understand what this module is doing.”
