Inside nls_933w.dll, the Equation APT Persistence Module

The persistence module used by the Equation APT Group uncovered by researchers at Kaspersky Lab has been called the ultimate cyberattack tool.

CANCUN – The names called out like beacons from the screen: Samsung; Seagate; Western Digital; Hitachi; Maxtor. Hardware makers were in the crosshairs of the Equation APT group and it was perhaps the worst possible scenario imagined by researchers looking at the frightening and extensive storehouse of capabilities within the attack platform.

By extending its reach into hard drive firmware, for example, this espionage gang had perpetual persistence on compromised machines. No matter of clean-up efforts could scrub module nls_933w.dll from hardware. None.

“This is an ultimate persistence mechanism, and it has the ultimate resilience to removal. This is a next level of persistence never seen before,” said Vitaly Kamluk, principal security researcher with Kaspersky Lab’s Global Research and Analysis Team. “This is unique and the first time we’ve seen that level of complexity from an advanced actor.”

On Monday during a talk at the Security Analyst Summit, Kamluk called the module an ultimate cyberattack tool, a cornerstone of the so-called Equation group, a 15-year-old operation linked to Stuxnet and Flame by Kaspersky researchers. Equation’s cache of attacks, including several zero-day exploits, has been used for espionage against sensitive targets such as governments, energy companies, embassies, telecoms and many others primarily is Russia, Syria, Iran and Pakistan.

The module, however, is rarely deployed, according to Kamluk.

“Only a very select list of victims receive this. This is one of the most rare modules I have seen because it is so valuable, so they don’t want to expose it,” Kamluk said. “It’s a precious plugin that’s used only in specific cases with somebody very important.”

Persistence is its main job, and the module does it well. Kamluk said it is likely still in use.

“It’s extremely hard to detect. From the software level it’s impossible,” said Kamluk. “You have to disassemble your PC to take out the hard drive and give it to an expert to dump the firmware. And then we think very few people in the world would be capable of analyzing, comparing and revealing the malicious code within that firmware. It’s an extremely rare specialist in this area.”

In a report about Equation, the module has two functions: reprogramming the HDD firmware with a custom payload; it also provides an API into hidden storage sectors of the hard drive. This not only gives the attackers eternal persistence that allows them to survive disk formatting and operating system reinstalls, but they also have undetectable persistent storage inside the hard drive.

“This module gives us a clear understanding of their capabilities,” Kamluk said.

He explained that nls_933w.dll contains a driver that drops the malware; the driver is used to interact with the hard drive from the kernel level, Kamluk said.

“It’s not that the code that was so sophisticated; it used certain sequences of ATA commands to interact with the hard drive, but the sophisticated part was not exposed. It was the [reprogrammed] firmware itself,” Kamluk said. “To master writing the firmware, it takes years to do that. We just saw that the level of sophistication is high because of what they’re capable of doing, but we don’t have the firmware itself.”

Kamluk said that the Equation group is not necessarily exploiting a vulnerability in the traditional sense, but a weakness in the design of the hard drives and how they allow vendors to push firmware updates.

“They left the door open and it may have been open for many years. The trick is that you have to have the full description, full reference of what is the current firmware on the hard drive and how it works. You have to know how to properly write and interact with the equipment to be able to successfully deploy new code. This is extremely complicated and requires a lot of skills and internal knowledge.”

Kamluk speculates the attackers likely had access to internal, proprietary manuals and documentation for each respective vendor. Likely these manuals were stolen, either by an insider or from a separate malware attack.

“They are not exploiting an error in the code. It’s a flaw in the design,” Kamluk said.

As Kaspersky researchers began looking at Equation, finding hundreds of files, all types of plug-ins, this particular module stood out because of the strings discovered that mention the varied hard drive vendors.

“It took months for us to analyze and figure out what this interaction is,” Kamluk said. “We had to learn different ATA commands and how to write to different hardware manufacturers. These are proprietary algorithms and protocols of communication that we had to learn. That’s why it took months for us to understand what this module is doing.”

Suggested articles


  • Chris on

  • Nick on

    What NSA isusing now? Probably they using bugs in phisical CPU's - something what never will be fixed. In this way they don't have to care abou anything.
  • Dr. Hilliard Haliard on

    Ok, so reformatting and clean install no longer works. Do I need to blow up the HD now?
  • Tux on

    "...No matter of clean-up efforts could scrub module nls_933w.dll from hardware. None..." Why don't they mention that it's a Windows malware? Install Linux and have no troubles.
    • ken on

      It's a low level module and the nsa have some undetectable and rare process for linux kernel. As said the only way to remove it is to crush the hdd. Have a linux distro doesn't solve this.
  • Antonio Braganca on

    Brazil is only important for the water of Amazonas River !!! :)
  • Dimitry on

    Run linux as your host OS. Then run windows as a virtual OS on top of linux. Problem solved!?
  • EnemaCombatant on

    Uh ... how about re-flashing the firwmare with (gasp) original OEM firmware. Or ... (double gasp) ... are we sure the spooks haven't already infiltrated those manufacturers. The cost to infiltrate a given manufacturers operational facilities and plant the code into the manufacturing floor EEPROM programmers would be pretty much cheaper than trying to spend 'years to reverse engineer'. The firmware is ALREADY AVAILABLE from the OEMs. All they had to do was wire sniff the protocol commands as they were issued by the Windows-based hard drive firmware flashing tool. Doh! Now, they learned HOW TO SPEAK the firmware language to the drives (using the ATA command set, no big surprise). So why don't people just fix this? The normal, rationale way would be to REFLASH the firmware with a specific known-good (e.g. master) copy of the firmware desired. Problem solved. Unless, of course: (1) The firmware from the OEM isn't clean (see my note above) (2) The firmware overwrite doesn't overwrite the code (3) The firmware is now prevented (but signaled as 'good') - much harder to do as it essentially requires that you mimmick the ATA command set to fake a good flash. Remember DirecTV Black Sunday?
  • Joe on

    While incredibly specialized embedded assembly language and reverse engineering skills would have been required to develop this, it appears that fairly common third party hardware, plus some fast logic like an FPGA or custom high speed micro might be used both to prevent the initial firmware re-flash, and also prevent the covert control of an existing firmware based infection.
  • Erwin on

    While sophisticated, it is not completely out of research for a skilled hacker:

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.