Advanced Threat Protection

Jun 20, 2017 10:11 AM

Brandon Noble

In April 2017, an attack group calling itself the TheShadowBrokers, released a trove of data it claims to have stolen from the Equation cyberespionage group. The data contains a range of exploits and tools the attack group state were used by Equation. TheShadowBrokers said that the data dump was a sample of what had been stolen from hacking Equation and that the “best” files would be auctioned off to the highest bidder.

The Equation group has been known for some time and uses highly advanced malware tools to target organizations in a range of countries. The group is technically competent and well resourced, using highly developed malware tools that go to great lengths to evade detection.
Shadows Brokers has released this data in a series of dumps.

Symantec Security response often has coverage for these vulnerbilties and tools well in advance of disclosure, but in an effort to make the coverage more readable these are renamed to represent the events they are assoiciated with.

Lost In Translation

On April 14, 2017 The ShadowBrokers released a collection of files , containing exploits and hacking tools targeting Microsoft Windows.
Later that week Microsoft published a blog stating that most of the exploits that were disclosed in this dump fall into vulnerabilities that are already patched in their supported products and then deployed additional patches for some of their older OS'es in their June Security updates.

You can see our coverage for the toolset, as well as the older vulns below.
For a full list of our coverage for Microsoft Vulns, please see: Symantec product detections for Microsoft monthly Security Bulletins

Exploit Name	CVE	Targeted Service	Ref	IPS Signature Name	AV Signature Name	AV Signature Date
ETERNALROMANCE-1.3.0	CVE-2017-0144	Microsoft Windows SMBv1 Service		Sig ID: 30010 (OS Attack: Microsoft Windows SMB RCE CVE-2017-0144) Sig ID: 21179 (OS Attack: Microsoft Windows SMB Remote Code Execution 3) Sig ID: 23737 (Attack: Shellcode Download Activity) Sig ID: 22534 (System Infected: Malicious Payload Activity 9) Sig ID: 23862 (OS Attack: Microsoft Windows SMB Remote Code Execution) Sig ID: 23875 (OS Attack: Microsoft SMB MS17-010 Disclosure Attempt)	Hacktool	20170414.02
ETERNALROMANCE-1.4.0	CVE-2017-0145	Microsoft Windows SMBv1 Service		Sig ID: 21179 (OS Attack: Microsoft Windows SMB Remote Code Execution 3) Sig ID: 23737 (Attack: Shellcode Download Activity) Sig ID: 22534 (System Infected: Malicious Payload Activity 9) Sig ID: 23862 (OS Attack: Microsoft Windows SMB Remote Code Execution Sig ID: 23875 (OS Attack: Microsoft SMB MS17-010 Disclosure Attempt	Hacktool	20170414.02
ENTERNALSYNERGY	CVE-2017-0143	Microsoft Windows SMBv1 Service	MS17-010	Sig ID: 30018 OS Attack: MSRPC Remote Management Interface Bind	Hacktool	20170414.02
	CVE-2017-0144	Microsoft Windows SMBv1 Service	MS17-010	Sig ID: 30010 (OS Attack: Microsoft Windows SMB RCE CVE-2017-0144) Sig ID: 21179 (OS Attack: Microsoft Windows SMB Remote Code Execution 3) Sig ID: 22534 (System Infected: Malicious Payload Activity 9) Sig ID: 23737 (Attack: Shellcode Download Activity) Sig ID: 23862 (OS Attack: Microsoft Windows SMB Remote Code Execution) Sig ID: 23875 (OS Attack: Microsoft SMB MS17-010 Disclosure Attempt)
	CVE-2017-0145	Microsoft Windows SMBv1 Service	MS17-010	Sig ID: 21179 (OS Attack: Microsoft Windows SMB Remote Code Execution 3) Sig ID: 22534 (System Infected: Malicious Payload Activity 9) Sig ID: 23737 (Attack: Shellcode Download Activity) Sig ID: 23862 (OS Attack: Microsoft Windows SMB Remote Code Execution) Sig ID: 23875 (OS Attack: Microsoft SMB MS17-010 Disclosure Attempt)
	CVE-2017-0146 CVE-2017-0147		MS17-010	Sig ID: 23624 (OS Attack: Microsoft Windows SMB Remote Code Execution 2) Sig ID: 21179 (OS Attack: Microsoft Windows SMB Remote Code Execution 3) Sig ID: 22534 (System Infected: Malicious Payload Activity 9) Sig ID: 23737 (Attack: Shellcode Download Activity) Sig ID: 23862 (OS Attack: Microsoft Windows SMB Remote Code Execution) Sig ID: 23875 (OS Attack: Microsoft SMB MS17-010 Disclosure Attempt)
	CVE-2017-0148		MS17-010	Sig ID: 21179 (OS Attack: Microsoft Windows SMB Remote Code Execution 3) Sig ID: 22534 (System Infected: Malicious Payload Activity 9) Sig ID: 23737 (Attack: Shellcode Download Activity) Sig ID: 23862 (OS Attack: Microsoft Windows SMB Remote Code Execution) Sig ID: 23875 (OS Attack: Microsoft SMB MS17-010 Disclosure Attempt)
ETERNALBLUE	CVE-2017-0143	Microsoft Windows SMBv1 Service		Sig ID: 21179 (OS Attack: Microsoft Windows SMB Remote Code Execution 3) Sig ID: 22534 (System Infected: Malicious Payload Activity 9) Sig ID: 23737 (Attack: Shellcode Download Activity) Sig ID: 23862 (OS Attack: Microsoft Windows SMB Remote Code Execution) Sig ID: 23875 (OS Attack: Microsoft SMB MS17-010 Disclosure Attempt)	Hacktool	20170414.02
ETERNALCHAMPION	CVE-2017-0146 CVE-2017-0147 CVE-2017-0148	Microsoft Windows SMBv1 Service		Sig ID: 23624 (OS Attack: Microsoft Windows SMB Remote Code Execution 2) Sig ID: 21179 (OS Attack: Microsoft Windows SMB Remote Code Execution 3) Sig ID: 22534 (System Infected: Malicious Payload Activity 9) Sig ID: 23737 (Attack: Shellcode Download Activity) Sig ID: 23862 (OS Attack: Microsoft Windows SMB Remote Code Execution) Sig ID: 23875 (OS Attack: Microsoft SMB MS17-010 Disclosure Attempt)	Hacktool	20170414.02
ECLIPSEDWING	CVE-2008-4250	Micorosft Windows Server Service	MS08-067	Sig ID: 23179 (OS Attack: MSRPC Server Service RPC CVE-2008-4250) Sig ID: 23180 (OS Attack: MSRPC Server Service RPC CVE-2008-4250 2)	Hacktool	20170414.02
EDUCATEDSCHOLAR	CVE-2009-2526 CVE-2009-2532 CVE-2009-3103	Microsoft Windows SMBv2 Service	MS09-050	Sig ID: 23497 (OS Attack: MS SMB2 Validate Provider Callback CVE-2009-3103)	Hacktool	20170414.02

EMERALDTHREAD	CVE-2010-2729	Microsoft Windows Print Service	MS10-061	Sig ID: 23897 (Attack: Windows Spooler Service CVE-2010-2729)	Hacktool	20170414.02
ESKIMOROLL	CVE-2014-6324	Microsoft Windows Kerberos KDC	MS14-068	No Signature Available	Hacktool	20170414.02
EASYBEE	CVE-2007-1675	Mdaemon		Sig ID: 30015 (Attack: MDaemon WorldClient Attack)	Hacktool	20170414.02
ENGLISHMANDENTIST	CVE-2009-0099	Microsoft Outlook Exchange Web Access		Sig ID: 30014 (Attack: MS Exchange Server RCE)	Hacktool	20170414.02
EXPLODINGCAN	CVE-2017-7269	Microsoft Windows Server WebDav Service		Sig ID: 29071 (Web Attack: IIS Server CVE-2017-7269)	Hacktool	20170414.02
EMPHASISMINE-3.4.0	CVE-2017-1274	IBM Domino		No Signature Available	Hacktool	20170414.02
EWOKFRENZY-2.0.0	CVE-2007-1675	IBM Domino		Sig ID: 21710 HTTP MDaemon IMAP Server Auth BO (DCS Only - not available in SEP)	Hacktool	20170414.02

Additional tools reported to be released by Equation

Exploit Name	CVE	IPS Signature Name	AV Signature Name	AV Signature Date
EARLYSHOVEL	CVE-2003-0694 CVE-2003-0681	Sig ID: 24208 Attack: Sendmail Denial Of Service CVE-2003-0694	Linux.Valsheesy
EXTRABACON	CVE-2016-6366	Sig ID: 29822 Attack: Cisco Adaptive Security Appliance Buffer Overflow
EPICBANANA/JETPLOW	CVE-2016-6367	No Signature Available/Possible
BENIGNCERTAIN	CVE-2016-6415	Sig ID: 29654 Attack: Cisco IKE CVE-2016-6415 (not available in SEP only ATP)	Hacktool.Equation
EBBISLAND ELVISCICADA	CVE-2001-0236	Sig ID: 20085 SNMP SnmpXdmid BO (not available in SEP only DCS)	Hacktool	20170412.032
EBBSHAVE EBBISLAND	CVE-2017-3623	No Signature Available/Possible	Hacktool	20170412.032
EXTREMEPARR	CVE-2017-3622	No Signature Available/Possible
ECHOWRECKER	CVE-2003-0201	Sig ID: 23160 Attack: Shellcode Download Activity 2	Hacktool
EVFR	CVE-2003-0109	No Signature Available/Possible	Trojan.Gen.2	20170415.022
EGREGIOUSBLUNDER	CVE-2016-6909	No Signature Available/Possible	Hacktool.Equation
ELV	CVE-2006-3439	Sig ID: 21702 OS Attack: MS Windows Server Service NetAPI CVE-2006-3439	Trojan.Gen.2	20170414.016
ESCALATEPLOWMAN	CVE-2016-7089	No Signature Available/Possible
ESKE	CVE-2003-0352	Sig ID: 20386 OS Attack: MS RPCSS Attack CVE-2004-0116 2	Hacktool	20170416.008
ELEGANTEAGLE TOFFEEHAMMER	CVE-2017-5613	No Signature Available/Possible	Trojan.Malscript and Linux.Trojan.	20170410.021
CATFLAP	CVE-2001-0797 CVE-2002-1689	Sig ID: 20037 Remote BinLogin BO 1 Sig ID: 20038 Remote BinLogin BO 2	Hacktool	20170413.004
EE	CVE-2011-4130	No Signature Available/Possible
wuftpd	CVE-2001-0550	Sig ID: 20004 WuFTPd Heap BO
ESMARKCONANT	CVE-2004-1315	Sig ID: 20752 Web Attack: PHPBB URL Decode SQL Injection
ERRGENTLE	CVE-2001-0690	No Signature Available/Possible
Telex	CVE-1999-0192	No Signature Available/Possible	Hacktool	20170421.006
	PTRACE	FORKPTY	km3	CVE-2003-0127	No Signature Available/Possible

Dont Forget Your Base

On April 8th a missive from the TheShadowBrokers also contained another large batch of files. These are mostly characterised as tools and scripts as opposed to the vulnerbilties as seen in the Lost in translation dump. Additionally items like scripts are easily customizable and altered to impact different targets and to avoid static detection.

All coverage information is based on available virus definitions from June 20, 2017

Tools	AV coverage
CHARMHAMMER	Hacktool.Equation
CHARMPENGUIN	Hacktool.Equation
CHARMRAZOR	Hacktool.Equation
CONSTANTMOVE	Not Malicious
CRYPTTOOL	Not Malicious
CURSEBINGO	Hacktool.Equation
CURSEBONGO	Hacktool.Equation
CURSECHICKEN	Hacktool.Equation
CURSECLASH	Hacktool.Equation
CURSEDEVO	Hacktool.Equation
CURSEFIRE	Hacktool.Equation
CURSEFLOWER	Hacktool.Equation
CURSEGISMO	Hacktool.Equation
CURSEHAPPY	Hacktool.Equation
CURSEHELPER	Hacktool.Equation
CURSEHOLE	Hacktool.Equation
CURSEHUMMER	Hacktool.Equation
CURSEHYDRANT	Hacktool.Equation
CURSEJOKER	Hacktool.Equation
CURSEKETTLE	Hacktool.Equation
CURSEKILN	Hacktool.Equation
CURSELION	Hacktool.Equation
CURSEMAGIC	Hacktool.Equation
CURSENAG	Hacktool.Equation
CURSEQUAKE	Hacktool.Equation
CURSERAZOR	Hacktool.Equation
CURSEROOT	Hacktool.Equation
CURSESALSA	Hacktool.Equation
CURSESLEEPY	Hacktool
CURSETAILS	Hacktool.Equation
CURSETINGLE	Hacktool.Equation
CURSEWHAM	Hacktool.Equation
CURSEYO	Backdoor.Equation
CURSEZINGER	Hacktool.Equation
DAIRYFARM	Not Malicious
DEWDROP	Hacktool.Equation
DITTOCLASS	Not Malicious
DRAFTBAGGER	Not Malicious
DUBMOAT	Hacktool
EARLYSHOVEL	Linux.Valsheesy
EBBISLAND	Hacktool
EBBSSHAVE	Hacktool
ECHODOLPHIN	Not Malicious
EGGBARON	Not Malicious
ELATEDMONKEY	Trojan.Malscript
ELECTRICSLIDE	Trojan.Malscript Linux.Trojan
ELEGANTEAGLE	Trojan.Malscript Linux.Trojan
ELGINGAMBLE	Hacktool
ELIDESKEW	Not malicious
ENDLESSDONUT	Hacktool
ENEMYRUN	Hacktool
ENGLANDBOGY	Not malicious
ENSA	Not malicious
ENTERSEED	Hacktool
ENTRYMANOR	Not malicious
ENVISIONCOLLISION	Trojan.Malscript
EPICHERO	Linux.Cheepori
EXCELBERWICK	Not malicious
EXPITATEZEKE	Not malicious
EXTREMEPARR	Not malicious
JACKPOP	Trojan.Malscript
MAGICJACK	Linux.Magicjack
MYSTICTUNNELS	Hacktool
ORLEANSTRIDE	Hacktoo.Equation
POPTOP	Not malicious
PORK	Hacktool
SECONDDATE	Hacktool
SHENTYSDELIGHT	Hacktool
SICKLESTAR	Not malicious
SKIMCOUNTRY	Hacktool.Equation
SLYHERETIC	Hacktool.Equation
STOICSURGEON	Hacktool.Equation
STRIFEWORLD	Hacktool.Equation
SUAVEEYFUL	Hacktool
SUCTIONCHAR	Hacktool.Equation
VIOLETSPIRIT	Under Investigation
WATCHER	Hacktool.Equation
YELLOWSPIRIT	Not Malicious

Please note that this is a work in progress and new reseach can be updated regularly.

Changelog:

June 21: Updated "Dont Forget your base" coverage infromation

June 22: Updated ENTERNALSYNERGY CVE information - Thanks to Jerry Bryant for for pointing out the typo

June 29: Updated with additional Equation tool sets

Support Perspective: TheShadowBrokers and Equation Tools

Lost In Translation

Additional tools reported to be released by Equation

Dont Forget Your Base

Tags and Keywords

Related Entries and Links