Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Equation Group : Advanced Secretive Computer Espionage Group

2,074 views

Published on

The Equation Group is a highly advanced secretive computer espionage group, suspected by security expert Claudio Guarnieri and unnamed former intelligence operatives of being tied to the United States National Security Agency (NSA). Because of the group's predilection for strong encryption methods in their operations, the name Equation Group was chosen by Kaspersky Lab, which discovered this operation and also documented 500 malware infections by the group's tools in at least 42 countries.This presentation gives an over view in brief based on the Kaspersky Report.

Published in: Technology
  • Writing a good research paper isn't easy and it's the fruit of hard work. For help you can check writing expert. Check out, please ⇒ www.HelpWriting.net ⇐ I think they are the best
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • DOWNLOAD THI5 BOOKS INTO AVAILABLE FORMAT (Unlimited) ......................................................................................................................... ......................................................................................................................... Download Full PDF EBOOK here { http://bit.ly/2m6jJ5M } ......................................................................................................................... Download Full EPUB Ebook here { http://bit.ly/2m6jJ5M } ......................................................................................................................... ACCESS WEBSITE for All Ebooks ......................................................................................................................... Download Full PDF EBOOK here { http://bit.ly/2m6jJ5M } ......................................................................................................................... Download EPUB Ebook here { http://bit.ly/2m6jJ5M } ......................................................................................................................... Download doc Ebook here { http://bit.ly/2m6jJ5M } ......................................................................................................................... ......................................................................................................................... ......................................................................................................................... .............. Browse by Genre Available eBooks ......................................................................................................................... Art, Biography, Business, Chick Lit, Children's, Christian, Classics, Comics, Contemporary, Cookbooks, Crime, Ebooks, Fantasy, Fiction, Graphic Novels, Historical Fiction, History, Horror, Humor And Comedy, Manga, Memoir, Music, Mystery, Non Fiction, Paranormal, Philosophy, Poetry, Psychology, Religion, Romance, Science, Science Fiction, Self Help, Suspense, Spirituality, Sports, Thriller, Travel, Young Adult,
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here

Equation Group : Advanced Secretive Computer Espionage Group

  1. 1. This presentation is based on a report by KASPERSKY by the name of the “ EQUATION GROUP: QUESTIONS AND ANSWERS”
  2. 2. What is Equation Group ? The Equation group is a highly sophisticated threat actor that has been engaged in multiple Computer Network Exploitation operations dating back to 2001, and perhaps as early as 1996. The Equation group uses multiple malware platforms, some of which surpass the well- known “Regin” threat in complexity and sophistication.
  3. 3. Why called Equation Group ? In general, the Equation group uses a specific implementation of the RC5 encryption algorithm throughout their malware. Some of the most recent modules use RC6, RC4 and AES too, in addition to other cryptographic functions and hashes. Called Equation group because of the love seen for encryption algorithms and obfuscation strategies and the sophisticated methods used throughout their operations.
  4. 4. MalwareFamilyEquationGroup?
  5. 5. Exploits used Equation Group To keep a backdoor into a potentially interesting target’s computer The Equation group uses an implant known as DoubleFantasy (the internal Kaspersky Lab name) for the validation of their victims. The implant serves two purposes: To confirm if the victim is interesting; If so, the victim is upgraded to the EquationDrug or GrayFish platforms
  6. 6. What is Equation Drug? A victim doesn’t immediately get infected with EQUATIONDRUG. First, the attackers infect them with DOUBLEFANTASY, which is a validator-style plugin. If the victim is confirmed as interesting to the attackers, the EQUATIONDRUG installer is delivered. EQUATIONDRUG is one of the group’s most complex espionage platforms. The platform was developed between 2003 and 2013 and subsequently replaced by GrayFish.
  7. 7. What is GRAYFISH ? GRAYFISH is the most modern and sophisticated malware implant from the Equation group. It is designed to provide “invisible” persistence mechanism, hidden storage and malicious command execution inside the Windows operating system.
  8. 8. An interesting observation: the first stage GRAYFISH loader computes the SHA-256 hash of the NTFS of system folder (%Windows% or %System%) Object_ID one thousand times. INTERESTING GRAYFISH !!! The result is used as an AES decryption key for the next stage. This is somewhat similar to Gauss, which computed the MD5 hash over the name of its target folder 10,000 times and used the result as the decryption key.
  9. 9. What exploits EQUATION GROUP use? Windows Kernel EoP exploit used in Stuxnet 2009 (atempsvc.ocx), fixed with MS09-025. (CVE unknown). TTF exploit fixed with MS12-034 (possibly CVE-2012-0159). TTF exploit fixed with MS13-081 (possibly CVE-2013-3894). LNK vulnerability as used by Stuxnet. (CVE-2010-2568). CVE-2013-3918 (Internet Explorer). CVE-2012-1723 (Java). CVE-2012-4681 (Java).
  10. 10. How Do Victims Get Infected By EQUATION Group Malware? Equation group uses Multiple Techniques include: Self-replicating (worm) code – Fanny Physical media, CD-ROMs USB sticks + exploits Web-based exploits
  11. 11. Most Sophisticated thing about the EQUATION group? Ability to Infect the Hard Drive Firmware. Two HDD firmware reprogramming modules from the EQUATIONDRUG and GRAYFISH platforms are seen in findings.
  12. 12. EQUATION group VICTIM MAP
  13. 13. Non-Windows Malware from the Equation group? “ All the malware we have collected so far is designed to work on Microsoft’s Windows operating system. However, there are signs that non-Windows malware does exist. For instance, one of the sinkholed C&C domains is currently receiving connections from a large pool of victims in China that appear to be Mac OS X computers (based on the user-agent).“
  14. 14. C&C Infrastructure : Equation Group All C&C domains appear to have been registered through the same two major registrars, using “Domains By Proxy” to mask the registrant’s information. Vast C&C infrastructure that includes more than 300 domains and more than 100 servers. Servers hosted in multiple countries, including the US, UK, Italy, Germany, Netherlands, Panama, Costa Rica, Malaysia, Colombia and Czech Republic.
  15. 15. Contact me : anupam605@gmail.com http://about.me/anupam.tiwari https://www.youtube.com/user/a nupam50/videos

×