EquationDrug, the hacking platform of the Equation Group APT

Experts at Kaspersky Lab published a detailed analysis of the EquationDrug platform and its modules developed by the Equation Group APT.

Recently experts at Kaspersky Lab have uncovered the Equation Group hacking crew, the most sophisticated ever APT. Security researchers at Kaspersky Lab revealed that the capabilities of the Equation Group surpass anything known in terms of sophistication of hacking techniques, the researchers dubbed the hacking team the Equation Group because of their attitude in the use of encryption algorithms and obfuscation methods.

Based on the information related to the numerous cyber espionage campaigns analyzed by the experts at Kaspersky over the years, the experts hypothesized the involvement of a government.

“The EquationDrug case demonstrates an interesting trend that we have been seeing while analyzing supposedly nation-state cyberattack tools: a growth in code sophistication,” explained the Kaspersky experts. “It is clear that nation-state attackers are looking for better stability, invisibility, reliability and universality in their cyberespionage tools.”

Part of the security community considers the National Security Agency (NSA) could be linked to the Equation Group, though Kaspersky never pointed the finger at the US intelligence.

The Equation APT group seems to be active since 2001, perhaps as far back as 1996, this means that it has developed over the years the cyber capabilities to avoid detection.

Very interesting the use of the firmware implants to maintain never-ending persistence on a targeted system.

“The Equation Group also had access to zero-days before they were used by operators behind Stuxnet and Flame campaigns. According to the researchers at Kaspersky Lab, on seven exploits used by the Equation Group in their malware and exploit kit, at least four of them were used as zero-days. For example, the experts mentioned a malicious code dubbed Fanny, which was used by the Equation Group in 2008 when it exploited two zero-days, later introduced into the Stuxnet variants detected in June 2009 and March 2010. This is proof that the hacking team had access to previously unknown flaws before any other group of hackers.” I wrote in a comparative analysis between hacking tools developed by the Equation Group and NSA Tao unit.

Researchers at Kaspersky Lab are still investigating on this APT and released a new deeper analysis of the older attack platform used by the Equation group.

Let’s start with the consideration that bad actor behind the Equation Group has developed a complete hacking platform, dubbed EquationDrug, that’s able to produce selective agents to target specific platforms, process manipulation of targets, drivers and library loading and traffic hijacking.

The EquationDrug is the predecessor of another powerful hacking platform used by the Equation Group, the GrayFish. It cannot be used for OS after the Windows XP/2003.

The experts discovered that EquationDrug allowed the deployment at least of 116 different modules that implements sophisticated cyberespionage functions ranging from data exfiltration to target monitoring. Kaspersky experts analyzed 30 different modules, among the capabilities implemented by the EquationDrug there were system-level functions, data exfiltration modules for specific targets,

“The architecture of the whole framework resembles a mini-operating system with kernel-mode and user-mode components carefully interacting with each other via a custom message-passing interface. The platform includes a set of drivers, a platform core (orchestrator) and a number of plugins,” Kaspersky researchers wrote in a report. “Every plugin has a unique ID and version number that defines a set of functions it can provide. Some of the plugins depend on others and might not work unless dependencies are resolved.”

The experts at Kaspersky Lab analyzed code artifacts and timestamps related to the EquationDrug, they speculate that coders are native English speakers that worked a Monday through Friday 9-5 work week in the UTC-3 or UTC-4 time zone.

The report includes the technical analysis for the 30 modules of the EquationDrug platform, you cannot miss it.

Pierluigi Paganini

(Security Affairs –  Equation Group, EquationDrug)