THE EQUATION GROUP - GRAYFISH
“The Equation Group is probably one of the most sophisticated cyber attack groups in the world; and they are the most advanced threat actor we have seen.”
- Kaspersky Lab
WHAT IS THE EQUATION GROUP?
◦ Highly sophisticated threat actor
◦ Only targets specific victims
◦ Multiple malware platforms
◦ High technical expertise and resources
◦ Creates some of the most advanced threats
TOOLS AND MALWARE
Fanny
◦ Maps air-gapped systems using USB sticks and a Stuxnet exploit
Triplefantasy
◦ Full-featured backdoor
◦ Validates targets
Equationdrug
◦ Modular plugin system
◦ Plugins dynamically loaded by the attackers
Grayfish
◦ Resides completely in the HD registry
◦ Uses a bootkit to gain execution at OS startup
Data Access
◦ Knowledge of several software and hardware manufacturers' designs
C & C Servers
◦ Issue commands to the malware and collect stolen data
◦ More than 400!
“Equation Group are the ones with the coolest toys, every now and then they share them with the Stuxnet group and the Flame group, but they are originally available only to the Equation Group people. They are definitely the masters, giving the others bread crumbs.”
- Costin Raiu (director of Kaspersky Lab's global research and analysis team)
GRAYFISH
• Flashes the firmware of HDs, inserting a ‘pill’
• Hijacks the boot sequence of the operating system
• Installs a Virtual File System in the registry of the hard drive
• The malware executes code and steals information
GRAYFISH: THE ARCHITECTURE
• BBSVC service (polymorphic loader)
• Shellcode from registry
• Exploit for Elby driver + loader (kernel mode)
• Load platform kernel-mode orchestrator (fvexpy.sys)
• Load user-mode part from registry (mpdkg32/64.dll)
• Start payloads (registry)
Encryption: 1000 iterations of SHA-256 + AES
Infected VBR
Encrypted container file + pill
ATTACK STRATEGIES
Non air-gapped attack vectors:
• Cookie spoofing
• Spear phishing
• CSRF
• XSS
• Java exploits
Air-gapped attack vectors:
• Physical media
• Stuxnet hack
• Fanny
INITIAL EXPLOIT
• Escalation of privilege to install TripleFantasy
INFECTION: TRIPLEFANTASY
• Validate victims, confirm interest
UPGRADE: GRAYFISH
• Full-featured espionage platform
WHY SO DANGEROUS?
“After infection, the computer is not run by itself anymore: it is GRAYFISH that runs it step by step, making the necessary changes on the fly.”
- Kaspersky Lab
Invisible: cannot be detected by standard antivirus
Persistent: reinstalling the operating system or updating the HD firmware does nothing
Design: the Equation Group got hold of so many major designs
HOW TO DETECT GRAYFISH?
Very difficult:
• The malware is hidden in the service area of the HD
• Specific circumstances can trigger GRAYFISH self-destruction
HOW CAN WE PREVENT IT?
Attempts to tamper with the firmware will fail verification
BUT: firmware was not designed with security in mind
Manufacturers must sign their firmware
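As an added example (not from the deck, and not any manufacturer's update code): the device-side check that makes "manufacturers must sign firmware" concrete, in Go with the standard library's Ed25519. The image layout, the "FWIM" magic and the NewVendorKeys helper are assumptions of this example; with them, the same image with one patched payload byte, a forged version field or a downgrade is refused before anything reaches the drive.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical firmware image layout for this example (not any vendor's real format):
//
//	magic "FWIM" (4) | version uint32 BE (4) | payload length uint32 BE (4) | payload | Ed25519 signature (64)
//
// The signature covers everything before it, so a change to the version field,
// the length or a single payload byte makes verification fail.
const (
	magic  = "FWIM"
	hdrLen = 12
	sigLen = ed25519.SignatureSize
)

var (
	ErrBadFormat    = errors.New("firmware image: malformed header or length")
	ErrBadSignature = errors.New("firmware image: signature verification failed")
	ErrRollback     = errors.New("firmware image: version older than the installed one")
)

// NewVendorKeys stands in for the manufacturer's key ceremony (assumed helper):
// the private key stays with the vendor, only the public key is embedded in the drive.
func NewVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignImage is the release-time step: wrap the payload in the header and sign it.
func SignImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	img := make([]byte, hdrLen+len(payload), hdrLen+len(payload)+sigLen)
	copy(img[0:4], magic)
	binary.BigEndian.PutUint32(img[4:8], version)
	binary.BigEndian.PutUint32(img[8:12], uint32(len(payload)))
	copy(img[hdrLen:], payload)
	return append(img, ed25519.Sign(priv, img)...)
}

// VerifyImage is the device-side step that must run before any byte reaches the
// service area: format check, signature check, then anti-rollback. It returns
// the payload to flash and its version only when all three pass.
func VerifyImage(pub ed25519.PublicKey, installedVersion uint32, img []byte) (uint32, []byte, error) {
	if len(img) < hdrLen+sigLen || string(img[0:4]) != magic {
		return 0, nil, ErrBadFormat
	}
	version := binary.BigEndian.Uint32(img[4:8])
	n := int(binary.BigEndian.Uint32(img[8:12]))
	if n != len(img)-hdrLen-sigLen {
		return 0, nil, ErrBadFormat
	}
	signed, sig := img[:hdrLen+n], img[hdrLen+n:]
	// Verify before trusting any field, the version included.
	if !ed25519.Verify(pub, signed, sig) {
		return 0, nil, ErrBadSignature
	}
	if version < installedVersion {
		return 0, nil, ErrRollback
	}
	return version, signed[hdrLen:], nil
}

func main() {
	pub, priv, err := NewVendorKeys()
	if err != nil {
		panic(err)
	}
	genuine := SignImage(priv, 7, []byte("constructed firmware payload"))
	tampered := append([]byte(nil), genuine...)
	tampered[hdrLen] ^= 0x01 // one flipped payload bit simulates a modified image
	for name, img := range map[string][]byte{"genuine": genuine, "tampered": tampered} {
		v, _, err := VerifyImage(pub, 6, img)
		fmt.Printf("%-8s version=%d err=%v\n", name, v, err)
	}
}
```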
Thanks!
ANY QUESTIONS?
You can find me at
antichi.leonardo@gmail.com
DATA DEEPENING
Additional information
Q&A
DATA
[Chart: Equation Group Activity (Samples Count), by weekday Monday to Sunday; y-axis 0 to 50]
DATA
Malicious PHP script injected into hacked discussion forums
MAIN TARGETS:
• Islamic Jihadist discussion forums
• Advertisements on popular websites in the Middle East
DOES NOT INFECT: 1. Jordan 2. Turkey 3. Egypt
GRAYFISH: HOW DOES IT WORK?
1. GrayFish re-flashes the hard drive firmware
2. The firmware contains an infected Virtual Boot Record (VBR)
3. The OS uses the infected VBR when it boots
4. Creates a hidden Virtual File System in the HD registry to store data
5. Installs malicious modules on the machine
6. Steals and stores data
Hidden Virtual File System
User removes malicious modules
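An added example, not from the deck: the detection slide says the implant lives in the drive's service area, but step 3 above still hands an infected VBR to the OS at boot, so the sector the OS reads can be compared with a baseline recorded while the machine was known clean. Go code over a constructed NTFS-style sector; ConstructedVBR, the Baseline format and the 0x54 boot-code offset used for the demo are assumptions of this example. It inspects only what the drive returns to the OS, not the firmware itself, so a drive that serves a clean sector to reads and an infected one at boot would pass.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// A boot sector (MBR or VBR) is 512 bytes and ends with 0x55 0xAA. For an
// NTFS/FAT VBR the 8-byte OEM ID sits at bytes 3..10 and the bootstrap code
// follows the BIOS parameter block (offset 0x54 on NTFS).
const (
	sectorSize  = 512
	oemIDOff    = 3
	bootCodeOff = 0x54
	bootSigOff  = 510
)

var (
	ErrShortSector = errors.New("boot sector: not 512 bytes")
	ErrNoBootSig   = errors.New("boot sector: missing 0x55 0xAA signature")
)

// Baseline is recorded once on a trusted system and kept off the host.
type Baseline struct {
	OEMID  string
	SHA256 string // hex digest of the whole sector
}

// Report is the outcome of one check.
type Report struct {
	Modified   bool
	OEMIDMatch bool // unchanged OEM ID with a changed hash points at patched boot code
	FirstDiff  int  // first differing offset; -1 when identical or no clean copy given
}

func validate(sector []byte) error {
	if len(sector) != sectorSize {
		return ErrShortSector
	}
	if sector[bootSigOff] != 0x55 || sector[bootSigOff+1] != 0xAA {
		return ErrNoBootSig
	}
	return nil
}

// RecordBaseline hashes a sector read while the machine is known clean.
func RecordBaseline(sector []byte) (Baseline, error) {
	if err := validate(sector); err != nil {
		return Baseline{}, err
	}
	sum := sha256.Sum256(sector)
	return Baseline{OEMID: string(sector[oemIDOff : oemIDOff+8]), SHA256: hex.EncodeToString(sum[:])}, nil
}

// CheckSector compares the sector now read from the drive with the baseline;
// known is the clean copy kept with the baseline (nil if only the hash was kept).
func CheckSector(sector []byte, b Baseline, known []byte) (Report, error) {
	if err := validate(sector); err != nil {
		return Report{}, err
	}
	sum := sha256.Sum256(sector)
	r := Report{FirstDiff: -1}
	r.Modified = hex.EncodeToString(sum[:]) != b.SHA256
	r.OEMIDMatch = string(sector[oemIDOff:oemIDOff+8]) == b.OEMID
	if r.Modified && known != nil {
		for i := range sector {
			if i >= len(known) || sector[i] != known[i] {
				r.FirstDiff = i // tells triage whether the BPB or the boot code changed
				break
			}
		}
	}
	return r, nil
}

// ConstructedVBR builds a synthetic NTFS-looking boot sector for the demo
// (constructed data, not a capture from a real drive).
func ConstructedVBR(bootCode []byte) []byte {
	s := make([]byte, sectorSize)
	copy(s[0:3], []byte{0xEB, 0x52, 0x90}) // NTFS VBR starts with a jump over the BPB
	copy(s[oemIDOff:], "NTFS    ")
	copy(s[bootCodeOff:], bootCode)
	s[bootSigOff], s[bootSigOff+1] = 0x55, 0xAA
	return s
}

func main() {
	clean := ConstructedVBR([]byte("clean boot code"))
	base, _ := RecordBaseline(clean)
	patched := ConstructedVBR([]byte("patched boot code")) // what a bootkit-modified VBR looks like to the OS
	r, _ := CheckSector(patched, base, clean)
	fmt.Printf("modified=%v oemIDMatch=%v firstDiff=0x%x\n", r.Modified, r.OEMIDMatch, r.FirstDiff)
}
```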
GRAYFISH
Boot steps
The Advanced Equation Group's Grayfish Malware