Researchers shared technical details of NSA Equation Group’s Bvp47 backdoor

Pangu Lab researchers disclosed details of the Bvp47 backdoor that was used by the US NSA Equation Group.

Researchers from The China’s Pangu Lab have disclosed details of a Linux top-tier APT backdoor, tracked as Bvp47, which is associated with the U.S. National Security Agency (NSA) Equation Group.

The name “Bvp47” comes form numerous references to the string “Bvp” and the numerical value “0x47” used in the encryption algorithm.

The Bvp47 backdoor was first discovered in 2013 while conducting a forensic investigation into a security breach suffered by a Chinese government organization.

The experts extracted the backdoor from Linux systems “during an in-depth forensic investigation of a host in a key domestic department.”

The malware appeared as a top-tier APT backdoor, but in order to further investigate the malicious code required the attacker’s asymmetric encrypted private key to activate the remote control function.

In 2016 and 2017, the hacking group The Shadow Brokers leaked a bunch of data allegedly stolen from the Equation Group, including many hacking tools and exploits.

At the end of October 2016, the hackers leaked a fresh dump containing a list of servers that were hacked by the NSA-linked group known as Equation Group.

Pangu Lab researchers discovered the Bvp47 backdoor within the data leaked by The Shadow Brokers.

The leaked data revealed that the Equation Group hit more than 287 targets in 45 countries, including Russia, Japan, Spain, Germany, Italy in a time span of ten years.

The group targeted multiple industries, including governments, telecom, aerospace, energy, financial institutions, nuclear research, oil and gas, military, transportation, and companies developing encryption technologies.

Pangu Lab has tracked the attacks involving the Bvp47 backdoor as “Operation Telescreen,” the malicious code was developed to allow operators to achieve long-term control over infected devices.

“The implementation of Bvp47 includes complex code, segment encryption and decryption, Linux multi-version platform adaptation, rich rootkit anti-tracking techniques, and most importantly, it integrates advanced BPF engine used in advanced covert channels, as well as cumbersome communication encryption and decryption process” reads the report published by the experts.

The experts believe that there were no defense against the network attack capability of the backdoor that is equipped by zero-day vulnerabilities. 

Technical details of the backdoor are included in the Pangu Lab’s report, it also provides insights on the link between the Equation Group and the US NSA.

The attribution to the Equation Group is based on overlaps with exploits contained in the encrypted archive file “eqgrp-auction-file.tar.xz.gpg” published by the Shadow Brokers after the 2016 failed auction.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, backdoor)

[adrotate banner=”5″]

[adrotate banner=”13″]