2. “The Equation Group is probably one of the most sophisticated cyber attack groups in the world; and they are the most advanced threat actor we have seen.”
- Kaspersky Lab
3. What is THE EQUATION GROUP?
◦ Highly sophisticated threat actor
◦ Targets only specific, hand-picked victims
◦ Maintains multiple malware platforms
◦ High technical expertise and resources
◦ Creates some of the most advanced threats seen to date
4. TOOLS AND MALWARE
Fanny
◦ Maps air-gapped networks using USB sticks
◦ Used zero-day exploits that later appeared in Stuxnet
Triplefantasy
◦ Full-featured backdoor
◦ Validator-style plugin: confirms the victim is a target of interest before a heavier platform is deployed
Equationdrug
◦ Modular plugin system
◦ Plugins are loaded dynamically by the attackers
Grayfish
◦ Resides completely in the Windows registry
◦ Uses a bootkit to gain execution at OS startup
Data Access
◦ Knowledge of several software and hardware manufacturers' designs
C & C Servers
◦ Issue commands to the malware and collect stolen data
◦ More than 400!
5. “Equation Group are the ones with the coolest toys, every now and then they share them with the Stuxnet group and the Flame group, but they are originally available only to the Equation Group people. They are definitely the masters, giving the others bread crumbs.”
- Costin Raiu (director of Kaspersky Lab's Global Research and Analysis Team)
6. GRAYFISH
Reflashes the firmware of hard drives, inserting a ‘pill’ that survives reformatting and OS reinstallation
Hijacks the boot sequence of the operating system (bootkit)
Installs an encrypted Virtual File System inside the Windows registry
The malware executes code and steals information
7. GRAYFISH: THE ARCHITECTURE
Boot chain, in load order:
1. Infected VBR (Volume Boot Record)
2. Encrypted container file + ‘pill’
3. BBSVC service (polymorphic loader)
4. Shellcode from registry
5. Exploit for Elby driver + loader (kernel mode)
6. Load platform kernel-mode orchestrator (fvexpy.sys)
7. Load user-mode part from registry (mpdkg32/64.dll)
8. Start payloads (registry)
Stage protection: x1000 SHA-256 + AES (stage decryption key derived by 1000 rounds of SHA-256, stages stored AES-encrypted)
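The “x1000 SHA-256 + AES” step is what ties the encrypted stages to one machine: Kaspersky reports the key is derived from a host-specific NTFS object ID, so a registry blob copied to an analyst's box decrypts to nothing. The Go program below is an added example written for this page, not GrayFish code or Kaspersky's tooling. It hashes a host identifier 1000 times, uses the digest as an AES key to seal a stage, and shows the same container failing to open under a different identifier. The identifier values, AES-GCM as the mode, the fixed nonce and all function names are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Rounds models the "x1000 SHA-256" box on the architecture slide.
const Rounds = 1000

// DeriveKey hashes a host-specific identifier Rounds times with SHA-256 and
// uses the final digest as a 256-bit AES key. The identifier format and the
// use of the raw digest as the key are assumptions for this example.
func DeriveKey(hostID []byte, rounds int) []byte {
	digest := sha256.Sum256(hostID)
	for i := 1; i < rounds; i++ {
		digest = sha256.Sum256(digest[:])
	}
	return digest[:]
}

// Seal encrypts one stage (for example the shellcode kept in the registry)
// under the key derived from hostID. AES-GCM is an assumption; the page only
// says "AES". nonce must be 12 bytes (gcm.NonceSize()).
func Seal(hostID, nonce, stage []byte) ([]byte, error) {
	gcm, err := newGCM(DeriveKey(hostID, Rounds))
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nil, nonce, stage, nil), nil
}

// Open is the loader side: it recomputes the key from the host it is running
// on. On any other host the key differs, the GCM tag check fails, and the
// stage is never exposed as plaintext.
func Open(hostID, nonce, container []byte) ([]byte, error) {
	gcm, err := newGCM(DeriveKey(hostID, Rounds))
	if err != nil {
		return nil, err
	}
	stage, err := gcm.Open(nil, nonce, container, nil)
	if err != nil {
		return nil, errors.New("container does not decrypt on this host")
	}
	return stage, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed identifiers standing in for two machines' NTFS object IDs.
	victim := []byte("3f2504e0-4f89-11d3-9a0c-0305e82c3301")
	analyst := []byte("6ba7b810-9dad-11d1-80b4-00c04fd430c8")
	nonce := make([]byte, 12) // fixed for the demo; real use needs a fresh nonce per message
	stage := []byte("stage-2 shellcode (constructed placeholder)")

	container, err := Seal(victim, nonce, stage)
	if err != nil {
		panic(err)
	}
	if got, err := Open(victim, nonce, container); err == nil {
		fmt.Printf("victim host: decrypted %q\n", got)
	}
	if _, err := Open(analyst, nonce, container); err != nil {
		fmt.Println("analyst host:", err)
	}
}
```

The same property explains why the registry contents alone are useless to a forensic examiner and why the malware cannot run once the disk is moved: without the original host's identifier there is no key to recover.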
9. WHY SO DANGEROUS?
“After infection, the computer is not run by itself anymore: it is GRAYFISH that runs it step by step, making the necessary changes on the fly.”
- Kaspersky Lab
Invisible: cannot be detected by standard antivirus
Persistent: reinstalling the operating system or updating the HD firmware does nothing
Design: the Equation Group got hold of many major manufacturers' designs
10. HOW TO DETECT GRAYFISH?
Very difficult:
• The malware is hidden in the service area of the HD, which the OS and standard tools cannot read
• Specific circumstances can trigger GRAYFISH self-destruction, destroying the evidence
11. HOW CAN WE PREVENT IT?
With signed firmware, attempts to tamper with the firmware fail verification
BUT: hard-drive firmware was not designed with security in mind, so the update path accepts whatever image it is given
Manufacturers must sign firmware, and drive controllers must verify the signature before flashing
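What “manufacturers must sign firmware” amounts to in practice: the vendor signs each image, and the drive controller refuses to flash anything whose signature does not verify against a key fixed in its ROM. The Go program below is an added example for this slide, not code from any drive vendor or from Kaspersky. The image layout (body followed by a 64-byte signature), the choice of Ed25519, and the names SignImage, VerifyImage and Flash are all assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Image format assumed here: firmware body followed by a 64-byte Ed25519
// signature over the body. Ed25519 is this example's choice; the page says
// only that manufacturers must sign firmware.

// SignImage is the manufacturer side: the private key never leaves the vendor.
func SignImage(priv ed25519.PrivateKey, body []byte) []byte {
	image := append([]byte{}, body...)
	return append(image, ed25519.Sign(priv, body)...)
}

// VerifyImage is the drive-controller side, run before anything is written
// to flash. The public key would be burned into the controller's ROM so the
// check itself cannot be reflashed away. Returns the body on success.
func VerifyImage(pub ed25519.PublicKey, image []byte) ([]byte, error) {
	if len(image) <= ed25519.SignatureSize {
		return nil, errors.New("image too short to carry a signature")
	}
	split := len(image) - ed25519.SignatureSize
	body, sig := image[:split], image[split:]
	if !ed25519.Verify(pub, body, sig) {
		return nil, errors.New("signature check failed: refusing to flash")
	}
	return body, nil
}

// Flash models the update path. An unsigned or modified image (the GrayFish
// reflashing case) is rejected before it can reach the service area.
func Flash(pub ed25519.PublicKey, image []byte) (bool, error) {
	if _, err := VerifyImage(pub, image); err != nil {
		return false, err
	}
	// ... write the verified body to flash here ...
	return true, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	body := []byte("constructed firmware body v1.2") // stands in for a real image
	image := SignImage(priv, body)

	ok, err := Flash(pub, image)
	fmt.Println("vendor image:", ok, err)

	tampered := append([]byte{}, image...)
	tampered[5] ^= 0xff // one byte changed, as a reflashing implant would do
	ok, err = Flash(pub, tampered)
	fmt.Println("tampered image:", ok, err)

	ok, err = Flash(pub, body) // body with no signature at all
	fmt.Println("unsigned image:", ok, err)
}
```

The check only helps if it runs inside the controller and the verifying key cannot itself be updated through the same unauthenticated path; a signature check done in host software can be skipped by the attacker who already controls the host.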
16. DATA
A malicious PHP script was injected into hacked discussion forums
MAIN TARGETS:
• Islamic jihadist discussion forums
• Advertisements on popular websites in the Middle East
The script does NOT infect visitors from: 1. Jordan 2. Turkey 3. Egypt
17. GRAYFISH: HOW IT WORKS?
1. GrayFish reflashes the hard-drive firmware
2. The infected firmware serves an infected Volume Boot Record (VBR)
3. The OS uses the infected VBR when it boots
4. GrayFish creates a hidden Virtual File System in the Windows registry to store data
5. Installs malicious modules on the machine
6. Steals data and stores it in the hidden Virtual File System
7. Even if the user removes the malicious modules, the infected firmware and the hidden Virtual File System survive, and the chain starts again at the next boot