Advanced Threat Protection

Support Perspective: TheShadowBrokers and Equation Tools

Jun 20, 2017 10:11 AM

In April 2017, an attack group calling itself TheShadowBrokers released a trove of data it claims to have stolen from the Equation cyberespionage group. The data contains a range of exploits and tools that the attack group states were used by Equation. TheShadowBrokers said that the data dump was a sample of what had been stolen from hacking Equation and that the "best" files would be auctioned off to the highest bidder.

The Equation group has been known for some time and uses highly advanced malware tools to target organizations in a range of countries. The group is technically competent and well resourced, using highly developed malware tools that go to great lengths to evade detection.
TheShadowBrokers has released this data in a series of dumps.

Symantec Security Response often has coverage for these vulnerabilities and tools well in advance of disclosure, but in an effort to make the coverage more readable, these detections are renamed to represent the events they are associated with.

Lost In Translation

On April 14, 2017, TheShadowBrokers released a collection of files containing exploits and hacking tools targeting Microsoft Windows.
Later that week Microsoft published a blog stating that most of the exploits disclosed in this dump target vulnerabilities that were already patched in its supported products; Microsoft then deployed additional patches for some of its older operating systems in its June security updates.

You can see our coverage for the toolset, as well as for the older vulnerabilities, below.
For a full list of our coverage for Microsoft vulnerabilities, please see: Symantec product detections for Microsoft monthly Security Bulletins

| Exploit Name | CVE | Targeted Service | Ref | IPS Signature Name | AV Signature Name | AV Signature Date |
|---|---|---|---|---|---|---|
| ETERNALROMANCE-1.3.0 | CVE-2017-0144 | Microsoft Windows SMBv1 Service | | Sig ID: 30010 (OS Attack: Microsoft Windows SMB RCE CVE-2017-0144); Sig ID: 21179 (OS Attack: Microsoft Windows SMB Remote Code Execution 3); Sig ID: 23737 (Attack: Shellcode Download Activity); Sig ID: 22534 (System Infected: Malicious Payload Activity 9); Sig ID: 23862 (OS Attack: Microsoft Windows SMB Remote Code Execution); Sig ID: 23875 (OS Attack: Microsoft SMB MS17-010 Disclosure Attempt) | Hacktool | 20170414.02 |
| ETERNALROMANCE-1.4.0 | CVE-2017-0145 | Microsoft Windows SMBv1 Service | | Sig ID: 21179 (OS Attack: Microsoft Windows SMB Remote Code Execution 3); Sig ID: 23737 (Attack: Shellcode Download Activity); Sig ID: 22534 (System Infected: Malicious Payload Activity 9); Sig ID: 23862 (OS Attack: Microsoft Windows SMB Remote Code Execution); Sig ID: 23875 (OS Attack: Microsoft SMB MS17-010 Disclosure Attempt) | Hacktool | 20170414.02 |
| ETERNALSYNERGY | CVE-2017-0143 | Microsoft Windows SMBv1 Service | MS17-010 | Sig ID: 30018 (OS Attack: MSRPC Remote Management Interface Bind) | Hacktool | 20170414.02 |
| ETERNALSYNERGY | CVE-2017-0144 | Microsoft Windows SMBv1 Service | MS17-010 | Sig ID: 30010 (OS Attack: Microsoft Windows SMB RCE CVE-2017-0144); Sig ID: 21179 (OS Attack: Microsoft Windows SMB Remote Code Execution 3); Sig ID: 22534 (System Infected: Malicious Payload Activity 9); Sig ID: 23737 (Attack: Shellcode Download Activity); Sig ID: 23862 (OS Attack: Microsoft Windows SMB Remote Code Execution); Sig ID: 23875 (OS Attack: Microsoft SMB MS17-010 Disclosure Attempt) | | |
| ETERNALSYNERGY | CVE-2017-0145 | Microsoft Windows SMBv1 Service | MS17-010 | Sig ID: 21179 (OS Attack: Microsoft Windows SMB Remote Code Execution 3); Sig ID: 22534 (System Infected: Malicious Payload Activity 9); Sig ID: 23737 (Attack: Shellcode Download Activity); Sig ID: 23862 (OS Attack: Microsoft Windows SMB Remote Code Execution); Sig ID: 23875 (OS Attack: Microsoft SMB MS17-010 Disclosure Attempt) | | |
| ETERNALSYNERGY | CVE-2017-0146, CVE-2017-0147 | | MS17-010 | Sig ID: 23624 (OS Attack: Microsoft Windows SMB Remote Code Execution 2); Sig ID: 21179 (OS Attack: Microsoft Windows SMB Remote Code Execution 3); Sig ID: 22534 (System Infected: Malicious Payload Activity 9); Sig ID: 23737 (Attack: Shellcode Download Activity); Sig ID: 23862 (OS Attack: Microsoft Windows SMB Remote Code Execution); Sig ID: 23875 (OS Attack: Microsoft SMB MS17-010 Disclosure Attempt) | | |
| ETERNALSYNERGY | CVE-2017-0148 | | MS17-010 | Sig ID: 21179 (OS Attack: Microsoft Windows SMB Remote Code Execution 3); Sig ID: 22534 (System Infected: Malicious Payload Activity 9); Sig ID: 23737 (Attack: Shellcode Download Activity); Sig ID: 23862 (OS Attack: Microsoft Windows SMB Remote Code Execution); Sig ID: 23875 (OS Attack: Microsoft SMB MS17-010 Disclosure Attempt) | | |
| ETERNALBLUE | CVE-2017-0143 | Microsoft Windows SMBv1 Service | | Sig ID: 21179 (OS Attack: Microsoft Windows SMB Remote Code Execution 3); Sig ID: 22534 (System Infected: Malicious Payload Activity 9); Sig ID: 23737 (Attack: Shellcode Download Activity); Sig ID: 23862 (OS Attack: Microsoft Windows SMB Remote Code Execution); Sig ID: 23875 (OS Attack: Microsoft SMB MS17-010 Disclosure Attempt) | Hacktool | 20170414.02 |
| ETERNALCHAMPION | CVE-2017-0146, CVE-2017-0147, CVE-2017-0148 | Microsoft Windows SMBv1 Service | | Sig ID: 23624 (OS Attack: Microsoft Windows SMB Remote Code Execution 2); Sig ID: 21179 (OS Attack: Microsoft Windows SMB Remote Code Execution 3); Sig ID: 22534 (System Infected: Malicious Payload Activity 9); Sig ID: 23737 (Attack: Shellcode Download Activity); Sig ID: 23862 (OS Attack: Microsoft Windows SMB Remote Code Execution); Sig ID: 23875 (OS Attack: Microsoft SMB MS17-010 Disclosure Attempt) | Hacktool | 20170414.02 |
| ECLIPSEDWING | CVE-2008-4250 | Microsoft Windows Server Service | MS08-067 | Sig ID: 23179 (OS Attack: MSRPC Server Service RPC CVE-2008-4250); Sig ID: 23180 (OS Attack: MSRPC Server Service RPC CVE-2008-4250 2) | Hacktool | 20170414.02 |
| EDUCATEDSCHOLAR | CVE-2009-2526, CVE-2009-2532, CVE-2009-3103 | Microsoft Windows SMBv2 Service | MS09-050 | Sig ID: 23497 (OS Attack: MS SMB2 Validate Provider Callback CVE-2009-3103) | Hacktool | 20170414.02 |
| EMERALDTHREAD | CVE-2010-2729 | Microsoft Windows Print Service | MS10-061 | Sig ID: 23897 (Attack: Windows Spooler Service CVE-2010-2729) | Hacktool | 20170414.02 |
| ESKIMOROLL | CVE-2014-6324 | Microsoft Windows Kerberos KDC | MS14-068 | No Signature Available | Hacktool | 20170414.02 |
| EASYBEE | CVE-2007-1675 | MDaemon | | Sig ID: 30015 (Attack: MDaemon WorldClient Attack) | Hacktool | 20170414.02 |
| ENGLISHMANDENTIST | CVE-2009-0099 | Microsoft Outlook Exchange Web Access | | Sig ID: 30014 (Attack: MS Exchange Server RCE) | Hacktool | 20170414.02 |
| EXPLODINGCAN | CVE-2017-7269 | Microsoft Windows Server WebDAV Service | | Sig ID: 29071 (Web Attack: IIS Server CVE-2017-7269) | Hacktool | 20170414.02 |
| EMPHASISMINE-3.4.0 | CVE-2017-1274 | IBM Domino | | No Signature Available | Hacktool | 20170414.02 |
| EWOKFRENZY-2.0.0 | CVE-2007-1675 | IBM Domino | | Sig ID: 21710 (HTTP MDaemon IMAP Server Auth BO) (DCS only, not available in SEP) | Hacktool | 20170414.02 |

Additional tools reported to be released by Equation

| Exploit Name | CVE | IPS Signature Name | AV Signature Name | AV Signature Date |
|---|---|---|---|---|
| EARLYSHOVEL | CVE-2003-0694, CVE-2003-0681 | Sig ID: 24208 (Attack: Sendmail Denial Of Service CVE-2003-0694) | Linux.Valsheesy | |
| EXTRABACON | CVE-2016-6366 | Sig ID: 29822 (Attack: Cisco Adaptive Security Appliance Buffer Overflow) | | |
| EPICBANANA/JETPLOW | CVE-2016-6367 | No Signature Available/Possible | | |
| BENIGNCERTAIN | CVE-2016-6415 | Sig ID: 29654 (Attack: Cisco IKE CVE-2016-6415) (not available in SEP, only ATP) | Hacktool.Equation | |
| EBBISLAND, ELVISCICADA | CVE-2001-0236 | Sig ID: 20085 (SNMP SnmpXdmid BO) (not available in SEP, only DCS) | Hacktool | 20170412.032 |
| EBBSHAVE, EBBISLAND | CVE-2017-3623 | No Signature Available/Possible | Hacktool | 20170412.032 |
| EXTREMEPARR | CVE-2017-3622 | No Signature Available/Possible | | |
| ECHOWRECKER | CVE-2003-0201 | Sig ID: 23160 (Attack: Shellcode Download Activity 2) | Hacktool | |
| EVFR | CVE-2003-0109 | No Signature Available/Possible | Trojan.Gen.2 | 20170415.022 |
| EGREGIOUSBLUNDER | CVE-2016-6909 | No Signature Available/Possible | Hacktool.Equation | |
| ELV | CVE-2006-3439 | Sig ID: 21702 (OS Attack: MS Windows Server Service NetAPI CVE-2006-3439) | Trojan.Gen.2 | 20170414.016 |
| ESCALATEPLOWMAN | CVE-2016-7089 | No Signature Available/Possible | | |
| ESKE | CVE-2003-0352 | Sig ID: 20386 (OS Attack: MS RPCSS Attack CVE-2004-0116 2) | Hacktool | 20170416.008 |
| ELEGANTEAGLE, TOFFEEHAMMER | CVE-2017-5613 | No Signature Available/Possible | Trojan.Malscript and Linux.Trojan | 20170410.021 |
| CATFLAP | CVE-2001-0797, CVE-2002-1689 | Sig ID: 20037 (Remote BinLogin BO 1); Sig ID: 20038 (Remote BinLogin BO 2) | Hacktool | 20170413.004 |
| EE | CVE-2011-4130 | No Signature Available/Possible | | |
| wuftpd | CVE-2001-0550 | Sig ID: 20004 (WuFTPd Heap BO) | | |
| ESMARKCONANT | CVE-2004-1315 | Sig ID: 20752 (Web Attack: PHPBB URL Decode SQL Injection) | | |
| ERRGENTLE | CVE-2001-0690 | No Signature Available/Possible | | |
| Telex | CVE-1999-0192 | No Signature Available/Possible | Hacktool | 20170421.006 |
| PTRACE FORKPTY km3 | CVE-2003-0127 | No Signature Available/Possible | | |

Don't Forget Your Base

On April 8th, a missive from TheShadowBrokers also contained another large batch of files. These are mostly characterised as tools and scripts, as opposed to the vulnerability exploits seen in the Lost In Translation dump. Additionally, items like scripts are easily customized and altered to impact different targets and to avoid static detection.

All coverage information is based on the virus definitions available as of June 20, 2017.

| Tool | AV coverage |
|---|---|
| CHARMHAMMER | Hacktool.Equation |
| CHARMPENGUIN | Hacktool.Equation |
| CHARMRAZOR | Hacktool.Equation |
| CONSTANTMOVE | Not Malicious |
| CRYPTTOOL | Not Malicious |
| CURSEBINGO | Hacktool.Equation |
| CURSEBONGO | Hacktool.Equation |
| CURSECHICKEN | Hacktool.Equation |
| CURSECLASH | Hacktool.Equation |
| CURSEDEVO | Hacktool.Equation |
| CURSEFIRE | Hacktool.Equation |
| CURSEFLOWER | Hacktool.Equation |
| CURSEGISMO | Hacktool.Equation |
| CURSEHAPPY | Hacktool.Equation |
| CURSEHELPER | Hacktool.Equation |
| CURSEHOLE | Hacktool.Equation |
| CURSEHUMMER | Hacktool.Equation |
| CURSEHYDRANT | Hacktool.Equation |
| CURSEJOKER | Hacktool.Equation |
| CURSEKETTLE | Hacktool.Equation |
| CURSEKILN | Hacktool.Equation |
| CURSELION | Hacktool.Equation |
| CURSEMAGIC | Hacktool.Equation |
| CURSENAG | Hacktool.Equation |
| CURSEQUAKE | Hacktool.Equation |
| CURSERAZOR | Hacktool.Equation |
| CURSEROOT | Hacktool.Equation |
| CURSESALSA | Hacktool.Equation |
| CURSESLEEPY | Hacktool |
| CURSETAILS | Hacktool.Equation |
| CURSETINGLE | Hacktool.Equation |
| CURSEWHAM | Hacktool.Equation |
| CURSEYO | Backdoor.Equation |
| CURSEZINGER | Hacktool.Equation |
| DAIRYFARM | Not Malicious |
| DEWDROP | Hacktool.Equation |
| DITTOCLASS | Not Malicious |
| DRAFTBAGGER | Not Malicious |
| DUBMOAT | Hacktool |
| EARLYSHOVEL | Linux.Valsheesy |
| EBBISLAND | Hacktool |
| EBBSHAVE | Hacktool |
| ECHODOLPHIN | Not Malicious |
| EGGBARON | Not Malicious |
| ELATEDMONKEY | Trojan.Malscript |
| ELECTRICSLIDE | Trojan.Malscript, Linux.Trojan |
| ELEGANTEAGLE | Trojan.Malscript, Linux.Trojan |
| ELGINGAMBLE | Hacktool |
| ELIDESKEW | Not Malicious |
| ENDLESSDONUT | Hacktool |
| ENEMYRUN | Hacktool |
| ENGLANDBOGY | Not Malicious |
| ENSA | Not Malicious |
| ENTERSEED | Hacktool |
| ENTRYMANOR | Not Malicious |
| ENVISIONCOLLISION | Trojan.Malscript |
| EPICHERO | Linux.Cheepori |
| EXCELBERWICK | Not Malicious |
| EXPITATEZEKE | Not Malicious |
| EXTREMEPARR | Not Malicious |
| JACKPOP | Trojan.Malscript |
| MAGICJACK | Linux.Magicjack |
| MYSTICTUNNELS | Hacktool |
| ORLEANSTRIDE | Hacktool.Equation |
| POPTOP | Not Malicious |
| PORK | Hacktool |
| SECONDDATE | Hacktool |
| SHENTYSDELIGHT | Hacktool |
| SICKLESTAR | Not Malicious |
| SKIMCOUNTRY | Hacktool.Equation |
| SLYHERETIC | Hacktool.Equation |
| STOICSURGEON | Hacktool.Equation |
| STRIFEWORLD | Hacktool.Equation |
| SUAVEEYFUL | Hacktool |
| SUCTIONCHAR | Hacktool.Equation |
| VIOLETSPIRIT | Under Investigation |
| WATCHER | Hacktool.Equation |
| YELLOWSPIRIT | Not Malicious |

Please note that this is a work in progress and will be updated regularly as new research becomes available.

Changelog:

June 21: Updated "Don't Forget Your Base" coverage information

June 22: Updated ETERNALSYNERGY CVE information - Thanks to Jerry Bryant for pointing out the typo

June 29: Updated with additional Equation tool sets
