Internet related News · 2015-02-17

World’s most sophisticated & oldest cyber attack group unearthed by Kaspersky

The Russia-based security firm Kaspersky has today published a report on what it calls “the world’s most sophisticated attack group” (& perhaps the oldest, too), whose intrusions into computer networks date back to 2001, & possibly as far back as 1996.

Kaspersky has named it the “Equation Group”. In the report, presented at its annual Security Analyst Summit, Kaspersky describes how the Group uses multiple malware platforms, some of which surpass even the well-known “Regin” threat in complexity & sophistication. The anti-virus vendor chose the name “Equation Group” because of the Group’s fondness for encryption algorithms & obfuscation strategies, & the sophisticated methods it uses.

(The Equation Group uses a specific implementation of the RC5 encryption algorithm throughout its malware. Some of the most recent modules also use RC6, RC4 and AES, in addition to other cryptographic functions & hashes.)
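A shared, slightly unusual RC5 implementation is exactly the kind of artefact that lets analysts cluster samples into one family. The example below is added here for illustration; it is not code from the Kaspersky report or from any Equation Group sample. It implements the textbook RC5-32/12/16 key schedule & block cipher (checked against the published zero-key test vector), then shows the check a triage analyst would actually run on an unknown binary: looking for the RC5/RC6 key-schedule constants P32 = 0xB7E15163 and Q32 = 0x9E3779B9. Q32 also appears in its negated form 0x61C88647, because `S[i-1] - 0x61C88647` and `S[i-1] + 0x9E3779B9` are the same operation mod 2^32, so a compiler or an author may emit either. The two byte blobs scanned are constructed for the example, not taken from real malware, & the function names are the example’s own.

```python
import struct

# RC5-32 parameters: 32-bit words plus the "magic" key-schedule constants from the RC5 spec.
W = 32
MASK = (1 << W) - 1
P32 = 0xB7E15163            # Odd((e - 2) * 2^32)
Q32 = 0x9E3779B9            # Odd((phi - 1) * 2^32); also the TEA/XTEA delta
NEG_Q32 = (-Q32) & MASK     # 0x61C88647: subtracting it == adding Q32 (mod 2^32)


def rotl(x, y):
    y &= W - 1
    return ((x << y) | (x >> (W - y))) & MASK


def rotr(x, y):
    y &= W - 1
    return ((x >> y) | (x << (W - y))) & MASK


def rc5_expand_key(key, rounds=12):
    """Standard RC5 key expansion; returns the round-key table S of 2*(rounds+1) words."""
    u = W // 8
    c = max(1, (len(key) + u - 1) // u)
    L = [0] * c
    for i in range(len(key) - 1, -1, -1):        # pack key bytes little-endian into words
        L[i // u] = (rotl(L[i // u], 8) + key[i]) & MASK
    t = 2 * (rounds + 1)
    S = [P32] * t
    for i in range(1, t):                        # the loop whose constants show up in binaries
        S[i] = (S[i - 1] + Q32) & MASK
    i = j = A = B = 0
    for _ in range(3 * max(t, c)):               # mix the key material into S
        A = S[i] = rotl((S[i] + A + B) & MASK, 3)
        B = L[j] = rotl((L[j] + A + B) & MASK, A + B)
        i = (i + 1) % t
        j = (j + 1) % c
    return S


def rc5_encrypt_block(S, block, rounds=12):
    A, B = struct.unpack("<II", block)
    A = (A + S[0]) & MASK
    B = (B + S[1]) & MASK
    for i in range(1, rounds + 1):
        A = (rotl(A ^ B, B) + S[2 * i]) & MASK
        B = (rotl(B ^ A, A) + S[2 * i + 1]) & MASK
    return struct.pack("<II", A, B)


def rc5_decrypt_block(S, block, rounds=12):
    A, B = struct.unpack("<II", block)
    for i in range(rounds, 0, -1):
        B = rotr((B - S[2 * i + 1]) & MASK, A) ^ A
        A = rotr((A - S[2 * i]) & MASK, B) ^ B
    return struct.pack("<II", (A - S[0]) & MASK, (B - S[1]) & MASK)


# --- triage check: hunt for the key-schedule constants in an unknown binary ---------------
CONSTANT_NAMES = {
    struct.pack("<I", P32): "P32",
    struct.pack("<I", Q32): "Q32",
    struct.pack("<I", NEG_Q32): "NEG_Q32",
}


def find_rc5_constants(blob):
    """Offsets of little-endian RC5/RC6 key-schedule constants found in a byte blob."""
    hits = []
    for pat, name in CONSTANT_NAMES.items():
        start = 0
        while (idx := blob.find(pat, start)) >= 0:
            hits.append((idx, name))
            start = idx + 1
    return sorted(hits)


def looks_like_rc5_schedule(blob, window=64):
    """True only when P32 sits within `window` bytes of Q32 or its negated form.
    Q32 on its own is a weak signal (TEA/XTEA, hash mixers); P32 next to it is the tell."""
    hits = find_rc5_constants(blob)
    p_offsets = [o for o, n in hits if n == "P32"]
    q_offsets = [o for o, n in hits if n in ("Q32", "NEG_Q32")]
    return any(abs(p - q) <= window for p in p_offsets for q in q_offsets)


# Constructed sample bytes (not from any real sample): x86 `add eax, P32` (opcode 0x05)
# followed by `sub eax, 0x61C88647` (opcode 0x2D), versus a blob carrying only the TEA delta.
SAMPLE_RC5 = bytes(16) + b"\x05" + struct.pack("<I", P32) + b"\x2d" + struct.pack("<I", NEG_Q32) + bytes(16)
SAMPLE_TEA_ONLY = bytes(8) + struct.pack("<I", Q32) + bytes(8)


if __name__ == "__main__":
    S = rc5_expand_key(bytes(16))
    print("RC5-32/12/16 zero-key vector:", rc5_encrypt_block(S, bytes(8)).hex())   # 21a5dbee154b8f6d
    print("RC5 sample:", find_rc5_constants(SAMPLE_RC5), looks_like_rc5_schedule(SAMPLE_RC5))
    print("TEA-only sample:", find_rc5_constants(SAMPLE_TEA_ONLY), looks_like_rc5_schedule(SAMPLE_TEA_ONLY))
```

Scanning for constants is a first pass, not proof: a match tells you where to start disassembling, and the rotation-by-data-dependent-amount pattern of the round function (visible in `rc5_encrypt_block`) is what confirms RC5 rather than a hash using the same golden-ratio constant.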

One discovery in particular caught the attention of the security research team at Kaspersky: the first EQUATIONDRUG modules turned up inside an infection by the Regin nation-state APT.

“Somewhere in the Middle East, there is a computer we are calling ‘The Magnet of Threats’ because in addition to Regin, it was also infected by Turla, ItaDuke, Animal Farm and Careto/Mask. When we tried to analyze the Regin infection on this computer, we identified another module which did not appear to be part of the Regin infection, nor any of the other APTs,” says Kaspersky in its report.

Further investigation into this module led Kaspersky to the discovery of several malware families starting with the EQUATIONDRUG platform. By looking for similarities using statistical analysis and correlation, and other methods, the other malware families were identified:
DOUBLEFANTASY, EQUATIONLASER, FANNY, GRAYFISH & TRIPLEFANTASY.

Mostly on Windows machines: There could be some ray of hope for those who do not use Windows. All the malware collected so far was designed to work on Microsoft’s Windows operating system. But there are signs that non-Windows malware does exist, says Kaspersky: one of the sinkholed C&C domains is currently receiving connections from a large pool of victims in China that appear to be Mac OS X computers.

The victims generally fall into the following categories:
• Governments and diplomatic institutions
• Telecommunication
• Aerospace
• Energy
• Nuclear research
• Oil and gas
• Military
• Nanotechnology
• Islamic activists and scholars
• Mass media
• Transportation
• Financial institutions
• Companies developing cryptographic technologies

Kaspersky has so far counted over 500 victims worldwide. Many infections have been observed on servers, often domain controllers, data warehouses, website hosting and other types of servers. There could have been thousands more, since the EQUATION Group’s malware carries a self-destruct mechanism that removes it from a victim, leaving no infection to count.

The victims of the Equation group were observed in over 30 countries, including Iran, Russia, Syria, Afghanistan, Kazakhstan, Belgium, Somalia, Hong Kong, Libya, United Arab Emirates, Iraq, Nigeria, Ecuador, Mexico, Malaysia, United States, Sudan, Lebanon, Palestine, France, Germany, Singapore, Qatar, Pakistan, Yemen, Mali, Switzerland, Bangladesh, South Africa, Philippines, United Kingdom, India & Brazil.

Kaspersky says that although the implementation of this Group’s malware is incredibly complex, surpassing even Regin in sophistication, one aspect of the EQUATION Group’s attack technology exceeds anything it has ever seen before: the ability to reprogram hard drive firmware. Because the implant lives in the drive itself rather than on disk, it survives reformatting and operating system reinstallation.

The report goes on to talk of the several malware platforms used exclusively by the Equation Group:
• EQUATIONDRUG – A very complex attack platform used by the group on its victims. It supports a module plugin system, which can be dynamically uploaded & unloaded by the attackers.
• DOUBLEFANTASY – A validator-style Trojan, designed to confirm the target is the intended one. If the target is confirmed, they get upgraded to a more sophisticated platform such as EQUATIONDRUG or GRAYFISH.
• EQUESTRE – Same as EQUATIONDRUG.
• TRIPLEFANTASY – Full-featured backdoor sometimes used in tandem with GRAYFISH. Looks like an upgrade of DOUBLEFANTASY, & is possibly a more recent validator-style plugin.
• GRAYFISH – The most sophisticated attack platform from the EQUATION Group. It resides completely in the registry, relying on a bootkit to gain execution at OS startup.
• FANNY – A computer worm created in 2008 & used to gather information about targets in the Middle East & Asia. Some victims appear to have been upgraded first to DOUBLEFANTASY, & then to the EQUATIONDRUG system. Fanny used exploits for two zero-day vulnerabilities that were later uncovered with Stuxnet.
• EQUATIONLASER – An early implant from the EQUATION group, used around 2001-2004. Compatible with Windows 95/98, and created sometime between DOUBLEFANTASY & EQUATIONDRUG.

Image Credit: Kaspersky