In 2015, Kaspersky published an analysis of the EquationDrug platform. Yesterday, ShadowBrokers reappeared and published files related to the EquationDrug implants before claiming they would disappear again.
Yesterday, I published a series of tweets to provide a quick analysis of the content of the archive, which I managed to download before the website got shut down (it looks to be back online today). Some of the files were particularly interesting, as they were credential-related.
Signed with 0xCB5C0C1B on 2nd September 2016
Overall, the files are mainly modules; there are 61 files in total in the ShadowBrokers' archive. After a look at the 2015 Kaspersky report we can already picture how they interact with each other: the architecture is plugin-based and includes interaction with kernel-mode components.
Most of the modules have:
- The PE compilation timestamp stripped (zeroed). This means we can't retrieve when the files were compiled.
- The RSDS (CodeView debug) record stripped. This means we can't retrieve the full PDB path generated by the compiler.
- A dependency on MSVCR71.dll, which is the Microsoft Visual C++ 2003 run-time library (old).
- There is one unsigned 64-bit driver. Since 64-bit Windows has enforced kernel-mode driver signing since Vista, that together with the MSVCR71.dll dependency suggests the targets were old Windows versions such as Windows XP/2003 and older (NT 5 and below).
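The checks in the list above can be reproduced over a folder of samples with a short PE triage script. This is an added example, not code from the original post: it reads the COFF header for the architecture and TimeDateStamp, reads the optional header Subsystem field to flag native-mode (driver) images, and uses a raw byte-string search as a cheap heuristic for the RSDS record and the MSVCR71.dll import instead of walking the debug and import directories. It runs on PowerShell 2.0 and later; the sample directory path is a placeholder.

```powershell
# Added example (not from the original post): triage a folder of PE files for
# the traits listed above: TimeDateStamp zeroed, RSDS debug record absent,
# MSVCR71.dll dependency, 32/64-bit, native (driver) subsystem.
# The sample directory is a placeholder path.

function Get-PeTriage {
    param([Parameter(Mandatory=$true)][string]$Path)

    $epoch  = [DateTime]'1970-01-01'
    $latin1 = [System.Text.Encoding]::GetEncoding(28591)   # 1:1 byte-to-char mapping

    Get-ChildItem -Path $Path -Recurse | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        $bytes = [System.IO.File]::ReadAllBytes($_.FullName)

        # DOS header: 'MZ' magic; e_lfanew at 0x3C points at the PE signature.
        if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) { return }
        $pe = [BitConverter]::ToInt32($bytes, 0x3C)
        if ($pe -lt 0 -or ($pe + 0x60) -gt $bytes.Length) { return }
        if ([BitConverter]::ToUInt32($bytes, $pe) -ne 0x00004550) { return }   # "PE\0\0"

        # COFF header follows the signature: Machine at +4, TimeDateStamp at +8.
        $machine   = [BitConverter]::ToUInt16($bytes, $pe + 4)
        $timestamp = [BitConverter]::ToUInt32($bytes, $pe + 8)
        # Optional header starts at +24; Subsystem sits at +68 in both PE32 and PE32+.
        $subsystem = [BitConverter]::ToUInt16($bytes, $pe + 24 + 68)

        $arch = switch ($machine) { 0x014c { 'x86' } 0x8664 { 'x64' } default { '0x{0:x4}' -f $machine } }
        $compiled = if ($timestamp -eq 0) { 'stripped' } else { $epoch.AddSeconds($timestamp).ToString('u') }
        $subsysName = if ($subsystem -eq 1) { 'native (driver)' } else { [string]$subsystem }

        # Heuristic: look for the strings in the raw image rather than parsing
        # the debug and import directories. "RSDS" is the CodeView record magic.
        $text = $latin1.GetString($bytes)
        $hasRsds     = $text.Contains('RSDS')
        $usesMsvcr71 = $text.IndexOf('MSVCR71.dll', [System.StringComparison]::OrdinalIgnoreCase) -ge 0

        New-Object PSObject -Property @{
            FileName  = $_.Name
            Arch      = $arch
            Compiled  = $compiled
            Subsystem = $subsysName
            HasRSDS   = $hasRsds
            MSVCR71   = $usesMsvcr71
        } | Select-Object FileName, Arch, Compiled, Subsystem, HasRSDS, MSVCR71
    }
}

# Usage (placeholder path):
Get-PeTriage -Path 'C:\samples\shadowbrokers' | Format-Table -AutoSize
```

The string heuristics are deliberately loose: a packed or obfuscated module would hide both strings, and an unrelated binary can contain the four bytes "RSDS" by chance, so treat a hit as a prompt to open the file in a PE parser rather than as a verdict.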
Kaspersky itself describes the Equation Group as having been active since the late 90s and early 2000s:
> EquationDrug is one of the main espionage platforms used by the Equation Group, a highly sophisticated threat actor that has been engaged in multiple CNE (computer network exploitation) operations dating back to 2001, and perhaps as early as 1996.
> EquationDrug, which is still in use, dates back to 2003, although the more modern GrayFish platform is being pushed to new victims.
“GetDbgMessage()” in ProcessHide_Lp.dll — Overview
Although the RSDS debug section had been stripped, there are still TONS of debugging messages in the plugins. This function has to be my favorite; you can find it in several modules. It contains a representation of hundreds of error messages. Who needs PDB files when you have debug messages? It's shocking that alleged NSA developers wrote a rootkit with so much debug information in it; it almost looks like a prototype version that still had the _DEBUG flag on when the rootkit modules were compiled. Either that, or the developers were very simple-minded back then, as can be seen in the GIF below.
ProcessHide_Lp.dll — GetDbgMessage()
The Insider Theory
In addition to the fact that Windows files and Unix tools would have no reason to be on the same staging server, the following snippet is a very strong argument supporting the insider theory I put forward last summer.
One of the files accompanying the archive (_equation_drughashes.txt) contains the hashes and full file paths. The folder hierarchy and naming convention of those paths reinforce the idea that the files come from their original source rather than from a staging server.
> The file hierarchy and the unchanged file naming convention tends to say that the files were directly copied from its source. (…) There are no reasons for them to be on a staging server, as they would not serve any purpose.
> - Matt Suiche — 17, Aug, 2016
Also, DSZOPSDISK is a root folder name that had already been identified in EXTRABACON in last summer's leak: previously in Windows path syntax ("D:\DSZOPSDisk\logs") and now in Unix path syntax ("DSZOPSDISK/Resources/…").
This would mean ShadowBrokers hand-picked the files from those different folders to create the final archive in a flat hierarchy, probably to give only a sample of the EquationDrug files they have in their possession.
However, as we saw in the previous section, the fact that those files are really old (10+ years) suggests that the insider only has old dirt on the NSA and probably left many years ago.
Although those files seem very old (10+ years), most of them have a poor detection rate, as we can see below on VirusTotal. Only Kaspersky identifies them, as HEUR:Trojan.Win32.EquationDrug.gen.
Generating your own IOCs with PowerShell
Because of the poor anti-virus detection rate we just saw, you will need IOCs to verify whether your Windows 2000 and XP systems are still infected.
Here is a quick script that will let you generate your own IOCs.
This way you can generate your own IOCs; here is the list of IOCs for the ShadowBrokers' EquationDrug files released yesterday.
IOCs for January 12, 2017 ShadowBrokers’ files
PowerShell also lets you export them as a CSV file if required.
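The IOC generation and CSV export described above, as an added example that is not the post's original gist: it hashes a folder of samples into one record per file (name, size, MD5/SHA1/SHA256), exports them with Export-Csv, and then scans a suspect directory against that CSV. Hashing goes through .NET directly rather than Get-FileHash so the scan half also runs under PowerShell 2.0, the newest version available on Windows XP. All paths are placeholders.

```powershell
# Added example (not the post's gist): build file-hash IOCs from a sample
# folder, export them as CSV, and scan another tree against that CSV.
# .NET hashing is used so this runs on PowerShell 2.0+ (Get-FileHash only
# exists from PowerShell 4). All paths below are placeholders.

function Get-FileHashHex {
    param([string]$FilePath, [string]$Algorithm = 'SHA256')
    $hasher = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    $stream = [System.IO.File]::OpenRead($FilePath)
    try {
        ($hasher.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Close()
    }
}

function Get-FileIoc {
    # One record per file: name, size and MD5/SHA1/SHA256, ready for Export-Csv.
    param([Parameter(Mandatory=$true)][string]$Path)
    Get-ChildItem -Path $Path -Recurse | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        New-Object PSObject -Property @{
            FileName = $_.Name
            Size     = $_.Length
            MD5      = Get-FileHashHex -FilePath $_.FullName -Algorithm 'MD5'
            SHA1     = Get-FileHashHex -FilePath $_.FullName -Algorithm 'SHA1'
            SHA256   = Get-FileHashHex -FilePath $_.FullName -Algorithm 'SHA256'
        } | Select-Object FileName, Size, MD5, SHA1, SHA256
    }
}

function Find-IocMatch {
    # Hash every file under ScanPath and report those whose SHA256 is in the IOC CSV.
    param(
        [Parameter(Mandatory=$true)][string]$IocCsv,
        [Parameter(Mandatory=$true)][string]$ScanPath
    )
    $known = @{}
    Import-Csv -Path $IocCsv | ForEach-Object { $known[$_.SHA256.ToLower()] = $_.FileName }

    Get-ChildItem -Path $ScanPath -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } | ForEach-Object {
            try { $hash = Get-FileHashHex -FilePath $_.FullName } catch { return }   # locked or unreadable file
            if ($known.ContainsKey($hash)) {
                New-Object PSObject -Property @{
                    Path          = $_.FullName
                    SHA256        = $hash
                    MatchedSample = $known[$hash]
                } | Select-Object Path, SHA256, MatchedSample
            }
        }
}

# Usage (placeholder paths): build the IOC set from the released files, then
# scan a suspect system32 directory against it.
$iocs = Get-FileIoc -Path 'C:\samples\shadowbrokers'
$iocs | Export-Csv -Path 'C:\samples\equationdrug_iocs.csv' -NoTypeInformation
Find-IocMatch -IocCsv 'C:\samples\equationdrug_iocs.csv' -ScanPath 'C:\Windows\system32' | Format-Table -AutoSize
```

Since the platform includes kernel-mode components (the ProcessHide module above is one of them), a live scan on an infected host can be lied to by the rootkit. Where possible, mount the suspect disk on a clean analysis machine, or boot from clean media, and point Find-IocMatch at the mounted volume instead.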
PS: If you are a security researcher, there are two weeks left for OPCDE's inaugural edition in Dubai (26–27 April 2017)! More information on www.opcde.com!