Security Researchers Find Unexpected Weakness in Equation Malware
First, the targeted computer is invaded by the GrayFish Trojan, either through phishing or an infected USB memory drive. Once it's in the computer, it takes over the Windows boot process. Once it's there, GrayFish uses an encrypted virtual file system that Symantec says is hidden inside the Windows registry. The Symantec report goes on to say that the Equation malware uses a number of specialized worms for propagation, including one that's designed to attack "air gapped" networks, meaning networks with no connection to the outside world. Either way, the first operational stage of the Equation malware is surveillance. Once resident on the targeted machine, the malware looks for indications that the computer contains information that would justify a more thorough examination. If the attackers decide that a computer's information is worth a look, the malware may either exfiltrate data via the network of through a USB stick. However, it's also possible that important data will be quietly stockpiled in small amounts on the infected device until a transmission is requested."It may seem unusual that a cyber-espionage platform as powerful as EquationDrug doesn't provide all-stealing capability as standard in its malware core," Raiu said in a prepared statement. "The answer is that they prefer to customize the attack for each one of their victims. Only if they have chosen to actively monitor you and the security products on your machines have been disarmed, will you receive a plugin for the live tracking of your conversations or other specific functions related to your activities. We believe modularity and customization will become a unique trademark of nation-state attackers in the future." If there's a ray of good news about the Equation malware, it's that it may not be something that cyber-criminals can adopt. Raiu said that he thinks it's beyond to ability of most cyber-criminals to reverse engineer the code, even though it's available. He did, however, say that a cyber-criminal could create a crude payload for the Equation malware that could effectively corrupt the hard disks of attacked computers, making them useless. In that case, the only goal of the attack would be to cause destruction. Raiu said that his group is going to publish the details of the firmware infecting hard disks in the near future, along with a list of computers that include the ability to check their own firmware.
The Kaspersky team said that one critical difference between the Equation malware and malware written by cyber-criminals is the way it selects information. One primary difference is that the nation state attackers only take the minimum amount of data necessary as a way to avoid attracting attention.