SlideShare a Scribd company logo

Equation Group : Advanced Secretive Computer Espionage Group

Download as PPTX, PDF
A
anupriti

The Equation Group is a highly advanced secretive computer espionage group, suspected by security expert Claudio Guarnieri and unnamed former intelligence operatives of being tied to the United States National Security Agency (NSA). Because of the group's predilection for strong encryption methods in their operations, the name Equation Group was chosen by Kaspersky Lab, which discovered this operation and also documented 500 malware infections by the group's tools in at least 42 countries.This presentation gives an over view in brief based on the Kaspersky Report.

Technology
1 of 18
This presentation is based on a report by KASPERSKY by the name of the “ EQUATION GROUP: QUESTIONS AND ANSWERS”
What is Equation Group ? The Equation group is a highly sophisticated threat actor that has been engaged in multiple Computer Network Exploitation operations dating back to 2001, and perhaps as early as 1996. The Equation group uses multiple malware platforms, some of which surpass the well- known “Regin” threat in complexity and sophistication.
Why called Equation Group ? In general, the Equation group uses a specific implementation of the RC5 encryption algorithm throughout their malware. Some of the most recent modules use RC6, RC4 and AES too, in addition to other cryptographic functions and hashes. Called Equation group because of the love seen for encryption algorithms and obfuscation strategies and the sophisticated methods used throughout their operations.
MalwareFamilyEquationGroup?
Exploits used Equation Group To keep a backdoor into a potentially interesting target’s computer The Equation group uses an implant known as DoubleFantasy (the internal Kaspersky Lab name) for the validation of their victims. The implant serves two purposes: To confirm if the victim is interesting; If so, the victim is upgraded to the EquationDrug or GrayFish platforms
What is Equation Drug? A victim doesn’t immediately get infected with EQUATIONDRUG. First, the attackers infect them with DOUBLEFANTASY, which is a validator-style plugin. If the victim is confirmed as interesting to the attackers, the EQUATIONDRUG installer is delivered. EQUATIONDRUG is one of the group’s most complex espionage platforms. The platform was developed between 2003 and 2013 and subsequently replaced by GrayFish.
What is GRAYFISH ? GRAYFISH is the most modern and sophisticated malware implant from the Equation group. It is designed to provide “invisible” persistence mechanism, hidden storage and malicious command execution inside the Windows operating system.
An interesting observation: the first stage GRAYFISH loader computes the SHA-256 hash of the NTFS of system folder (%Windows% or %System%) Object_ID one thousand times. INTERESTING GRAYFISH !!! The result is used as an AES decryption key for the next stage. This is somewhat similar to Gauss, which computed the MD5 hash over the name of its target folder 10,000 times and used the result as the decryption key.
What exploits EQUATION GROUP use? Windows Kernel EoP exploit used in Stuxnet 2009 (atempsvc.ocx), fixed with MS09-025. (CVE unknown). TTF exploit fixed with MS12-034 (possibly CVE-2012-0159). TTF exploit fixed with MS13-081 (possibly CVE-2013-3894). LNK vulnerability as used by Stuxnet. (CVE-2010-2568). CVE-2013-3918 (Internet Explorer). CVE-2012-1723 (Java). CVE-2012-4681 (Java).
How Do Victims Get Infected By EQUATION Group Malware? Equation group uses Multiple Techniques include: Self-replicating (worm) code – Fanny Physical media, CD-ROMs USB sticks + exploits Web-based exploits
Most Sophisticated thing about the EQUATION group? Ability to Infect the Hard Drive Firmware. Two HDD firmware reprogramming modules from the EQUATIONDRUG and GRAYFISH platforms are seen in findings.
EQUATION group VICTIM MAP
Non-Windows Malware from the Equation group? “ All the malware we have collected so far is designed to work on Microsoft’s Windows operating system. However, there are signs that non-Windows malware does exist. For instance, one of the sinkholed C&C domains is currently receiving connections from a large pool of victims in China that appear to be Mac OS X computers (based on the user-agent).“
C&C Infrastructure : Equation Group All C&C domains appear to have been registered through the same two major registrars, using “Domains By Proxy” to mask the registrant’s information. Vast C&C infrastructure that includes more than 300 domains and more than 100 servers. Servers hosted in multiple countries, including the US, UK, Italy, Germany, Netherlands, Panama, Costa Rica, Malaysia, Colombia and Czech Republic.
Contact me : anupam605@gmail.com http://about.me/anupam.tiwari https://www.youtube.com/user/a nupam50/videos

Recommended

Automatiza las detecciones de amenazas y evita falsos positivos
Automatiza las detecciones de amenazas y evita falsos positivosAutomatiza las detecciones de amenazas y evita falsos positivos
Automatiza las detecciones de amenazas y evita falsos positivos
Imma Valls Bernaus
 
How to protect your Mac from Malware Attacks?
How to protect your Mac from Malware Attacks?How to protect your Mac from Malware Attacks?
How to protect your Mac from Malware Attacks?
Simone Crete
 
Live Exploit - Chad Cravens
Live Exploit - Chad CravensLive Exploit - Chad Cravens
Live Exploit - Chad Cravens
IT-oLogy
 
Dll preloading-attack
Dll preloading-attackDll preloading-attack
Dll preloading-attack
Cysinfo Cyber Security Community
 
Social Espionage & CRM: Selling to Customer 2.0 - #SXSWi
Social Espionage & CRM: Selling to Customer 2.0 - #SXSWiSocial Espionage & CRM: Selling to Customer 2.0 - #SXSWi
Social Espionage & CRM: Selling to Customer 2.0 - #SXSWi
InsideView
 
Distribution Training
Distribution TrainingDistribution Training
Distribution Training
Zachary Howland
 
Governments As Malware Authors - Mikko Hypponen at Black Hat 2014
Governments As Malware Authors - Mikko Hypponen at Black Hat 2014Governments As Malware Authors - Mikko Hypponen at Black Hat 2014
Governments As Malware Authors - Mikko Hypponen at Black Hat 2014
Mikko Hypponen
 
Il Ransomware nelle Aziende - Eset Security Days 2016
Il Ransomware nelle Aziende - Eset Security Days 2016Il Ransomware nelle Aziende - Eset Security Days 2016
Il Ransomware nelle Aziende - Eset Security Days 2016
Gianni Amato
 

Recommended

Automatiza las detecciones de amenazas y evita falsos positivos
Automatiza las detecciones de amenazas y evita falsos positivosAutomatiza las detecciones de amenazas y evita falsos positivos
Automatiza las detecciones de amenazas y evita falsos positivos
Imma Valls Bernaus
 
How to protect your Mac from Malware Attacks?
How to protect your Mac from Malware Attacks?How to protect your Mac from Malware Attacks?
How to protect your Mac from Malware Attacks?
Simone Crete
 
Live Exploit - Chad Cravens
Live Exploit - Chad CravensLive Exploit - Chad Cravens
Live Exploit - Chad Cravens
IT-oLogy
 
Dll preloading-attack
Dll preloading-attackDll preloading-attack
Dll preloading-attack
Cysinfo Cyber Security Community
 
Social Espionage & CRM: Selling to Customer 2.0 - #SXSWi
Social Espionage & CRM: Selling to Customer 2.0 - #SXSWiSocial Espionage & CRM: Selling to Customer 2.0 - #SXSWi
Social Espionage & CRM: Selling to Customer 2.0 - #SXSWi
InsideView
 
Distribution Training
Distribution TrainingDistribution Training
Distribution Training
Zachary Howland
 
Governments As Malware Authors - Mikko Hypponen at Black Hat 2014
Governments As Malware Authors - Mikko Hypponen at Black Hat 2014Governments As Malware Authors - Mikko Hypponen at Black Hat 2014
Governments As Malware Authors - Mikko Hypponen at Black Hat 2014
Mikko Hypponen
 
Il Ransomware nelle Aziende - Eset Security Days 2016
Il Ransomware nelle Aziende - Eset Security Days 2016Il Ransomware nelle Aziende - Eset Security Days 2016
Il Ransomware nelle Aziende - Eset Security Days 2016
Gianni Amato
 
Nsa hiding undetectable spyware in hard drives worldwide
Nsa hiding undetectable spyware in hard drives worldwideNsa hiding undetectable spyware in hard drives worldwide
Nsa hiding undetectable spyware in hard drives worldwide
Waqas Amir
 
Palestra Jeferson Propheta - Wanna Cry more
Palestra Jeferson Propheta - Wanna Cry morePalestra Jeferson Propheta - Wanna Cry more
Palestra Jeferson Propheta - Wanna Cry more
BHack Conference
 
DEFCON 21: EDS: Exploitation Detection System WP
DEFCON 21: EDS: Exploitation Detection System WPDEFCON 21: EDS: Exploitation Detection System WP
DEFCON 21: EDS: Exploitation Detection System WP
Amr Thabet
 
Exploit Frameworks
Exploit FrameworksExploit Frameworks
Exploit Frameworks
phanleson
 
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
securityxploded
 
Basic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threat
Basic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threatBasic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threat
Basic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threat
Vladyslav Radetsky
 
The Equation Group & Greyfish
The Equation Group & GreyfishThe Equation Group & Greyfish
The Equation Group & Greyfish
Leonardo Antichi
 
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
lior mazor
 
Crisis. advanced malware
Crisis. advanced malwareCrisis. advanced malware
Crisis. advanced malware
Yury Chemerkin
 
Asert threat-intelligence-brief-2014-07-illuminating-etumbot-apt
Asert threat-intelligence-brief-2014-07-illuminating-etumbot-aptAsert threat-intelligence-brief-2014-07-illuminating-etumbot-apt
Asert threat-intelligence-brief-2014-07-illuminating-etumbot-apt
Juan Bosoms
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
Felipe Prado
 
AntiRE en Masse
AntiRE en MasseAntiRE en Masse
AntiRE en Masse
Kurt Baumgartner
 
Pentesting with linux
Pentesting with linuxPentesting with linux
Pentesting with linux
Hammad Ahmed Khawaja
 
JavaSecure
JavaSecureJavaSecure
JavaSecure
SangbeomKim
 
Attacking antivirus
Attacking antivirusAttacking antivirus
Attacking antivirus
UltraUploader
 
Reverse Engineering 101
Reverse Engineering 101Reverse Engineering 101
Reverse Engineering 101
ysurer
 
Malware Evasion Techniques
Malware Evasion TechniquesMalware Evasion Techniques
Malware Evasion Techniques
Thomas Roccia
 
OS-Anatomy-Article
OS-Anatomy-ArticleOS-Anatomy-Article
OS-Anatomy-Article
Condition Zebra (CONZebra)
 
Current Topics paper A4 submission 4.30.2015 Master Copy
Current Topics paper A4 submission 4.30.2015 Master CopyCurrent Topics paper A4 submission 4.30.2015 Master Copy
Current Topics paper A4 submission 4.30.2015 Master Copy
Tommie Walls
 
White box crytography in an insecure enviroment
White box crytography in an insecure enviromentWhite box crytography in an insecure enviroment
White box crytography in an insecure enviroment
Iqra khalil
 
TALLINN MANUAL & GLOBAL CYBER WARFARE POLICIES
TALLINN MANUAL & GLOBAL CYBER WARFARE POLICIESTALLINN MANUAL & GLOBAL CYBER WARFARE POLICIES
TALLINN MANUAL & GLOBAL CYBER WARFARE POLICIES
anupriti
 
Cyber Security : An attempt to assimilate and technically understand it
Cyber Security : An attempt to assimilate and technically understand itCyber Security : An attempt to assimilate and technically understand it
Cyber Security : An attempt to assimilate and technically understand it
anupriti
 

More Related Content

Similar to Equation Group : Advanced Secretive Computer Espionage Group

Exploit Frameworks
Exploit FrameworksExploit Frameworks
Exploit Frameworks
phanleson
 
Crisis. advanced malware
Crisis. advanced malwareCrisis. advanced malware
Crisis. advanced malware
Yury Chemerkin
 
Current Topics paper A4 submission 4.30.2015 Master Copy
Current Topics paper A4 submission 4.30.2015 Master CopyCurrent Topics paper A4 submission 4.30.2015 Master Copy
Current Topics paper A4 submission 4.30.2015 Master Copy
Tommie Walls
 

Similar to Equation Group : Advanced Secretive Computer Espionage Group (20)

Nsa hiding undetectable spyware in hard drives worldwide
Nsa hiding undetectable spyware in hard drives worldwideNsa hiding undetectable spyware in hard drives worldwide
Nsa hiding undetectable spyware in hard drives worldwide
 
Palestra Jeferson Propheta - Wanna Cry more
Palestra Jeferson Propheta - Wanna Cry morePalestra Jeferson Propheta - Wanna Cry more
Palestra Jeferson Propheta - Wanna Cry more
 
DEFCON 21: EDS: Exploitation Detection System WP
DEFCON 21: EDS: Exploitation Detection System WPDEFCON 21: EDS: Exploitation Detection System WP
DEFCON 21: EDS: Exploitation Detection System WP
 
Exploit Frameworks
Exploit FrameworksExploit Frameworks
Exploit Frameworks
 
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
 
Basic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threat
Basic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threatBasic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threat
Basic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threat
 
The Equation Group & Greyfish
The Equation Group & GreyfishThe Equation Group & Greyfish
The Equation Group & Greyfish
 
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
 
Crisis. advanced malware
Crisis. advanced malwareCrisis. advanced malware
Crisis. advanced malware
 
Asert threat-intelligence-brief-2014-07-illuminating-etumbot-apt
Asert threat-intelligence-brief-2014-07-illuminating-etumbot-aptAsert threat-intelligence-brief-2014-07-illuminating-etumbot-apt
Asert threat-intelligence-brief-2014-07-illuminating-etumbot-apt
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
 
AntiRE en Masse
AntiRE en MasseAntiRE en Masse
AntiRE en Masse
 
Pentesting with linux
Pentesting with linuxPentesting with linux
Pentesting with linux
 
JavaSecure
JavaSecureJavaSecure
JavaSecure
 
Attacking antivirus
Attacking antivirusAttacking antivirus
Attacking antivirus
 
Reverse Engineering 101
Reverse Engineering 101Reverse Engineering 101
Reverse Engineering 101
 
Malware Evasion Techniques
Malware Evasion TechniquesMalware Evasion Techniques
Malware Evasion Techniques
 
OS-Anatomy-Article
OS-Anatomy-ArticleOS-Anatomy-Article
OS-Anatomy-Article
 
Current Topics paper A4 submission 4.30.2015 Master Copy
Current Topics paper A4 submission 4.30.2015 Master CopyCurrent Topics paper A4 submission 4.30.2015 Master Copy
Current Topics paper A4 submission 4.30.2015 Master Copy
 
White box crytography in an insecure enviroment
White box crytography in an insecure enviromentWhite box crytography in an insecure enviroment
White box crytography in an insecure enviroment
 

More from anupriti

Coalition of IoT and Blockchain: Rewards and Challenges
Coalition of IoT and Blockchain: Rewards and ChallengesCoalition of IoT and Blockchain: Rewards and Challenges
Coalition of IoT and Blockchain: Rewards and Challenges
anupriti
 
Bitcoin Forensics
Bitcoin ForensicsBitcoin Forensics
Bitcoin Forensics
anupriti
 
Harden your LinkedIn Settings : A Necessity Now
Harden your LinkedIn Settings : A Necessity NowHarden your LinkedIn Settings : A Necessity Now
Harden your LinkedIn Settings : A Necessity Now
anupriti
 

More from anupriti (20)

TALLINN MANUAL & GLOBAL CYBER WARFARE POLICIES
TALLINN MANUAL & GLOBAL CYBER WARFARE POLICIESTALLINN MANUAL & GLOBAL CYBER WARFARE POLICIES
TALLINN MANUAL & GLOBAL CYBER WARFARE POLICIES
 
Cyber Security : An attempt to assimilate and technically understand it
Cyber Security : An attempt to assimilate and technically understand itCyber Security : An attempt to assimilate and technically understand it
Cyber Security : An attempt to assimilate and technically understand it
 
IETE mid-term symposium on digital forensics and information security : 23 M...
IETE mid-term symposium on digital forensics and information security : 23 M... IETE mid-term symposium on digital forensics and information security : 23 M...
IETE mid-term symposium on digital forensics and information security : 23 M...
 
Coalition of IoT and Blockchain: Rewards and Challenges
Coalition of IoT and Blockchain: Rewards and ChallengesCoalition of IoT and Blockchain: Rewards and Challenges
Coalition of IoT and Blockchain: Rewards and Challenges
 
Proof of Work and connect with BYZANTINE Generals
Proof of Work and connect with BYZANTINE GeneralsProof of Work and connect with BYZANTINE Generals
Proof of Work and connect with BYZANTINE Generals
 
BLOCKCHAIN ,BITCOIN & CRYPTOCURRENCIES WORLD : MECHANICS AND CYBER CRIME
BLOCKCHAIN ,BITCOIN & CRYPTOCURRENCIES WORLD : MECHANICS AND CYBER CRIMEBLOCKCHAIN ,BITCOIN & CRYPTOCURRENCIES WORLD : MECHANICS AND CYBER CRIME
BLOCKCHAIN ,BITCOIN & CRYPTOCURRENCIES WORLD : MECHANICS AND CYBER CRIME
 
Symposium on Legal Regulation of Bitcoin, Blockchain & Cryptocurrencies
Symposium on Legal Regulation of Bitcoin, Blockchain & Cryptocurrencies Symposium on Legal Regulation of Bitcoin, Blockchain & Cryptocurrencies
Symposium on Legal Regulation of Bitcoin, Blockchain & Cryptocurrencies
 
BITCOIN FORENSICS : Bsides Delhi Conference
BITCOIN FORENSICS : Bsides Delhi ConferenceBITCOIN FORENSICS : Bsides Delhi Conference
BITCOIN FORENSICS : Bsides Delhi Conference
 
Hashgraph : An over view with example
Hashgraph : An over view with exampleHashgraph : An over view with example
Hashgraph : An over view with example
 
BITCOIN FORENSICS : HAKON-2017 CONFERENCE
BITCOIN FORENSICS : HAKON-2017 CONFERENCEBITCOIN FORENSICS : HAKON-2017 CONFERENCE
BITCOIN FORENSICS : HAKON-2017 CONFERENCE
 
Webinar on BITCOIN FORENSICS : BRIGHTTALK
Webinar on BITCOIN FORENSICS : BRIGHTTALKWebinar on BITCOIN FORENSICS : BRIGHTTALK
Webinar on BITCOIN FORENSICS : BRIGHTTALK
 
Bitcoin Forensics
Bitcoin ForensicsBitcoin Forensics
Bitcoin Forensics
 
Blockchain and Bitcoin : A Technical Overview
Blockchain and Bitcoin : A Technical OverviewBlockchain and Bitcoin : A Technical Overview
Blockchain and Bitcoin : A Technical Overview
 
Quanity your Web Safety Score
Quanity your Web Safety ScoreQuanity your Web Safety Score
Quanity your Web Safety Score
 
Android Device Hardening
Android Device HardeningAndroid Device Hardening
Android Device Hardening
 
Harden your LinkedIn Settings : A Necessity Now
Harden your LinkedIn Settings : A Necessity NowHarden your LinkedIn Settings : A Necessity Now
Harden your LinkedIn Settings : A Necessity Now
 
APT 28 :Cyber Espionage and the Russian Government?
APT 28 :Cyber Espionage and the Russian Government?APT 28 :Cyber Espionage and the Russian Government?
APT 28 :Cyber Espionage and the Russian Government?
 
Regin
ReginRegin
Regin
 
Wirelurker
WirelurkerWirelurker
Wirelurker
 
Cloud Computing and Virtualisation
Cloud Computing and VirtualisationCloud Computing and Virtualisation
Cloud Computing and Virtualisation
 

Recently uploaded

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 

Recently uploaded (20)

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 

Equation Group : Advanced Secretive Computer Espionage Group

  • 1.
  • 2. This presentation is based on a report by KASPERSKY by the name of the “ EQUATION GROUP: QUESTIONS AND ANSWERS”
  • 3. What is Equation Group ? The Equation group is a highly sophisticated threat actor that has been engaged in multiple Computer Network Exploitation operations dating back to 2001, and perhaps as early as 1996. The Equation group uses multiple malware platforms, some of which surpass the well- known “Regin” threat in complexity and sophistication.
  • 4. Why called Equation Group ? In general, the Equation group uses a specific implementation of the RC5 encryption algorithm throughout their malware. Some of the most recent modules use RC6, RC4 and AES too, in addition to other cryptographic functions and hashes. Called Equation group because of the love seen for encryption algorithms and obfuscation strategies and the sophisticated methods used throughout their operations.
  • 6. Exploits used Equation Group To keep a backdoor into a potentially interesting target’s computer The Equation group uses an implant known as DoubleFantasy (the internal Kaspersky Lab name) for the validation of their victims. The implant serves two purposes: To confirm if the victim is interesting; If so, the victim is upgraded to the EquationDrug or GrayFish platforms
  • 7. What is Equation Drug? A victim doesn’t immediately get infected with EQUATIONDRUG. First, the attackers infect them with DOUBLEFANTASY, which is a validator-style plugin. If the victim is confirmed as interesting to the attackers, the EQUATIONDRUG installer is delivered. EQUATIONDRUG is one of the group’s most complex espionage platforms. The platform was developed between 2003 and 2013 and subsequently replaced by GrayFish.
  • 8.
  • 9. What is GRAYFISH ? GRAYFISH is the most modern and sophisticated malware implant from the Equation group. It is designed to provide “invisible” persistence mechanism, hidden storage and malicious command execution inside the Windows operating system.
  • 10.
  • 11. An interesting observation: the first stage GRAYFISH loader computes the SHA-256 hash of the NTFS of system folder (%Windows% or %System%) Object_ID one thousand times. INTERESTING GRAYFISH !!! The result is used as an AES decryption key for the next stage. This is somewhat similar to Gauss, which computed the MD5 hash over the name of its target folder 10,000 times and used the result as the decryption key.
  • 12. What exploits EQUATION GROUP use? Windows Kernel EoP exploit used in Stuxnet 2009 (atempsvc.ocx), fixed with MS09-025. (CVE unknown). TTF exploit fixed with MS12-034 (possibly CVE-2012-0159). TTF exploit fixed with MS13-081 (possibly CVE-2013-3894). LNK vulnerability as used by Stuxnet. (CVE-2010-2568). CVE-2013-3918 (Internet Explorer). CVE-2012-1723 (Java). CVE-2012-4681 (Java).
  • 13. How Do Victims Get Infected By EQUATION Group Malware? Equation group uses Multiple Techniques include: Self-replicating (worm) code – Fanny Physical media, CD-ROMs USB sticks + exploits Web-based exploits
  • 14. Most Sophisticated thing about the EQUATION group? Ability to Infect the Hard Drive Firmware. Two HDD firmware reprogramming modules from the EQUATIONDRUG and GRAYFISH platforms are seen in findings.
  • 16. Non-Windows Malware from the Equation group? “ All the malware we have collected so far is designed to work on Microsoft’s Windows operating system. However, there are signs that non-Windows malware does exist. For instance, one of the sinkholed C&C domains is currently receiving connections from a large pool of victims in China that appear to be Mac OS X computers (based on the user-agent).“
  • 17. C&C Infrastructure : Equation Group All C&C domains appear to have been registered through the same two major registrars, using “Domains By Proxy” to mask the registrant’s information. Vast C&C infrastructure that includes more than 300 domains and more than 100 servers. Servers hosted in multiple countries, including the US, UK, Italy, Germany, Netherlands, Panama, Costa Rica, Malaysia, Colombia and Czech Republic.