Kaspersky Lab published a report in February on a set of malware utilized by a “sophisticated threat actor” code named the Equation Group.
The threat actor earned the name Equation Group based on its “love for encryption algorithms and obfuscation strategies” as well as the sophistication with which the malware itself operates. Kaspersky identified the following malware platforms as used exclusively by the Equation Group:
- EQUATIONDRUG – A very complex attack platform used by the group on its victims. It supports a module plugin system, which can be dynamically uploaded and unloaded by the attackers.
- DOUBLEFANTASY – A validator-style Trojan, designed to confirm the target is the intended one. If the target is confirmed, they get upgraded to a more sophisticated platform such as EQUATIONDRUG or GRAYFISH.
- EQUESTRE – Same as EQUATIONDRUG.
- TRIPLEFANTASY – Full-featured backdoor sometimes used in tandem with GRAYFISH. Looks like an upgrade of DOUBLEFANTASY, and is possibly a more recent validator-style plugin.
- GRAYFISH – The most sophisticated attack platform from the EQUATION group. It resides completely in the registry, relying on a bootkit to gain execution at OS startup.
- FANNY – A computer worm created in 2008 and used to gather information about targets in the Middle East and Asia. Some victims appear to have been upgraded first to DoubleFantasy, and then to the EQUATIONDRUG system. Fanny used exploits for two zero-day vulnerabilities which were later discovered with Stuxnet.
- EQUATIONLASER – An early implant from the EQUATION group, used around 2001-2004. Compatible with Windows 95/98, and created sometime between DOUBLEFANTASY and EQUATIONDRUG.
The report provides several sections describing each of the malware platforms as well as high level operations of each of the platforms, exploits the malware platforms use, and methods of infection.
Kaspersky states the most “interesting” thing about the Equation Group’s malware platforms is their ability to infect the firmware of hard drives. As many as 12 hard drive “classes” including Western Digital, Samsung, Maxtor, Micron, Toshiba, and Seagate are vulnerable to the firmware infection capabilities of the Equation Group's malware platforms.
According to the report, the highest infection rate are in Iran, Russia, Pakistan, Afghanistan, India, China, Syria, and Mali. Malware was detected on hosts in the Financial, Infrastructure, Medical, Research, Aerospace, and Government sectors.
To see the full Kaspersky Report, click this link.