
Equation Group: QA by Kaspersky Lyrics

Year: 2015

1. What is the Equation group?
The Equation group is a highly sophisticated threat actor that has been engaged in multiple CNE (computer network exploitation) operations dating back to 2001, and perhaps as early as 1996. The Equation group uses multiple malware platforms, some of which surpass the well-known “Regin” threat in complexity and sophistication. The Equation group is probably one of the most sophisticated cyber attack groups in the world, and they are the most advanced threat actor we have seen.

2. Why do you call them the “Equation” group?
We call this threat actor the Equation group because of their love for encryption algorithms and obfuscation strategies and the sophisticated methods used throughout their operations. In general, the Equation group uses a specific implementation of the RC5 encryption algorithm throughout their malware. Some of the most recent modules use RC6, RC4 and AES too, in addition to other cryptographic functions and hashes. One technique in particular caught our attention and reminded us of another complex malware, Gauss. The GrayFish loader uses SHA-256 one thousand times over the unique NTFS object ID of the victim’s Windows folder to decrypt the next stage from the registry. This uniquely ties the infection to the specific machine, and means the payload cannot be decrypted without knowing the NTFS object ID.
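The machine-bound decryption described for the GrayFish loader is worth seeing as code from the analyst's side: a registry blob collected from an infected host cannot be unpacked offline unless the NTFS object ID of that host's Windows folder was collected as well. The following is an added illustration, not code from the Kaspersky report or from the malware. It assumes the loader hashes the raw 16 GUID bytes and feeds each SHA-256 digest into the next round (the report states only the input and the count of one thousand iterations, not the byte encoding or chaining), and it uses a SHA-256 counter keystream as a stand-in cipher, since the page does not name the cipher GrayFish applies with the derived key. The object ID value is constructed.

```python
import hashlib
import uuid

# Constructed sample value, standing in for the object ID that
# `fsutil objectid query C:\Windows` would report on a live Windows host.
SAMPLE_OBJECT_ID = uuid.UUID("0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0")
# Iteration count given in the report: SHA-256 applied one thousand times.
ROUNDS = 1000


def derive_machine_key(object_id: uuid.UUID, rounds: int = ROUNDS) -> bytes:
    """Iterate SHA-256 over the volume's object ID to get a per-machine key.

    Assumption for this example: the raw 16 GUID bytes are hashed and each
    digest is fed into the next round; the report does not specify this.
    """
    digest = object_id.bytes
    for _ in range(rounds):
        digest = hashlib.sha256(digest).digest()
    return digest


def keystream(key: bytes, length: int) -> bytes:
    """Stand-in stream cipher (assumption, not GrayFish's): SHA-256 in counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal_stage(plaintext: bytes, object_id: uuid.UUID) -> bytes:
    """Bind a blob to one machine: XOR it with a keystream under the derived key."""
    key = derive_machine_key(object_id)
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))


def open_stage(blob: bytes, object_id: uuid.UUID) -> bytes:
    """Recover the blob; the XOR keystream is symmetric, so sealing again opens it."""
    return seal_stage(blob, object_id)


def looks_like_stage(data: bytes) -> bool:
    """Sanity check an analyst would run after decryption: a known header survived."""
    return data.startswith(b"STAGE2:")


if __name__ == "__main__":
    # Constructed next-stage placeholder; any bytes would do for the demonstration.
    stage = b"STAGE2:constructed placeholder next-stage bytes"
    blob = seal_stage(stage, SAMPLE_OBJECT_ID)
    print("correct object ID  ->", looks_like_stage(open_stage(blob, SAMPLE_OBJECT_ID)))
    other = uuid.UUID("00000000-0000-0000-0000-000000000001")
    print("wrong object ID    ->", looks_like_stage(open_stage(blob, other)))
```

The practical consequence for incident response is the pairing requirement: a registry hive exported from the victim is not enough on its own, and a memory or disk image taken from a different machine will never yield the key, because the object ID is unique to the volume on which the infection was created.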

3. What attack tools and malware does the Equation group use?
So far, we’ve identified several malware platforms used exclusively by the Equation group.

They are:

• EQUATIONDRUG – A very complex attack platform used by the group on its victims. It supports a module plugin system, which can be dynamically uploaded and unloaded by the attackers.

• DOUBLEFANTASY – A validator-style Trojan, designed to confirm the target is the intended one. If the target is confirmed, they get upgraded to a more sophisticated platform such as EQUATIONDRUG or GRAYFISH.

• EQUESTRE – Same as EQUATIONDRUG.

• TRIPLEFANTASY – Full-featured backdoor sometimes used in tandem with GRAYFISH. Looks like an upgrade of DOUBLEFANTASY, and is possibly a more recent validator-style plugin.

• GRAYFISH – The most sophisticated attack platform from the EQUATION group. It resides completely in the registry, relying on a bootkit to gain execution at OS startup.

• FANNY – A computer worm created in 2008 and used to gather information about targets in the Middle East and Asia. Some victims appear to have been upgraded first to DOUBLEFANTASY, and then to the EQUATIONDRUG system. Fanny used exploits for two zero-day vulnerabilities which were later discovered with Stuxnet.

• EQUATIONLASER – An early implant from the EQUATION group, used around 2001-2004. Compatible with Windows 95/98, and created sometime between DOUBLEFANTASY and EQUATIONDRUG.


(source: http://25zbkz3k00wn2tp5092n6di7b5k.wpengine.netdna-cdn.com/files/2015/02/Equation_group_questions_and_answers.pdf)