An adept and well-resourced cyberespionage group known as Equation has been targeting organizations in a number of countries with a range of highly developed malware tools that go to great lengths to evade detection. New research from our peers at Kaspersky Lab has brought the group’s activities and tools to public attention. Symantec products detect the malware currently known to be used by Equation.
The Equation group has used a range of different malware tools to mount its operations. Targeted computers are often compromised initially with malware that acts as a reconnaissance tool, gathering information about the infected computer and keeping a back door open, allowing for the installation of further malware if the computer is identified as something of interest. This is a common tactic adopted by cyberespionage groups. For example, the group behind the Turla Trojan usually initially infects its victims with the Wipbot Trojan before infecting them with Trojan Turla if it decides the computer is worthy of interest.
The main tool used for this purpose appears to be Infostealer.Micstus, which is also known as “DoubleFantasy”. Trojan.Tripfant (also known as “TripleFantasy”) has similar capabilities and may be a replacement for Micstus.
Equation has used a succession of advanced, multipurpose Trojans as its main malware tools. Trojan.Grayphish, which is also known as “GrayFish”, is believed to be the group’s current weapon of choice. It has a complex structure and stealthy characteristics. Grayphish includes a bootkit which allows the malware to take control of the entire Windows boot process. Highly stealthy, Grayphish uses an encrypted virtual file system hidden inside the Windows registry.
This appears to have replaced the older Trojan.Equdrug (also known as “EquationDrug”) which was favored until recently. Equdrug in turn appears to have replaced the older Backdoor.Lassrv.B. Also known as “EquationLaser”, this Trojan seems to be one of the early workhorses used by the group until it was phased out.
Grayphish and Equdrug have a modular structure. Aside from standard modules, a number of specialized features can also be employed. Among this is a highly sophisticated and rarely used module that allows the malware to reprogram the firmware on a range of popular hard disks, providing the attackers with a persistent presence that can survive disk reformatting. Symantec detects this module as Packed.Generic.483.
In addition to these powerful Trojans, Equation has employed a number of specialist tools. Among these are Trojan.Grokey a custom keylogger (also known as “Grok”) and W32.Fanni, which is also known as “Fanny worm”. This worm’s chief purpose appears to be the targeting of air-gapped networks. It can receive commands and exfiltrate data through infected USB sticks. Fanny used two zero day exploits that were also used in the Stuxnet attacks. The exploits were used in Fanny prior to Stuxnet indicating that Equation had prior knowledge of the vulnerabilities. Another similarity lies in the fact that Stuxnet was also designed to attack air-gapped networks.
Symantec and Norton products have the following detections in place against malware used by the Equation group:
Prior to this, Symantec detected Equation malware with a range of detections including Trojan.Tracur, Backdoor.Trojan, Trojan Horse, Trojan.Gen.2, and W32.Stration@mm.