An analysis of the Equation Group malware that Kaspersky Lab revealed earlier this year may be the most advanced malware the company has ever seen, according to one of the lab’s top security technology experts.
The expert, Costin Raiu, Director of Kaspersky’s Global Research and Analysis team, said that the analysis also confirms suspicions that the group that created it is state-sponsored.
The telltale signs include date stamps that show that major development steps, such as compiling the code, took place between 9 a.m. and 5 p.m. Eastern Standard Time, and that those steps were only carried out on weekdays, something typical of government employees.
He also said that the level of sophistication, including the ability to use plug-ins, indicates capabilities far beyond those of cyber-criminals. Raiu said that his team kept track of the exact days that those steps took place, but that his team didn’t check to see if they avoided public holidays.
But there were a few new insights that the Kaspersky team found that show that there’s still a lot to learn about the Equation malware that’s sometimes called “EquationDrug.”
One is that the team has identified 35 plug-in modules for the malware so far, but the numbering scheme for each malware plug-in indicates that at least 101 plug-ins have been created. Raiu also said that the malware’s unique ability to infect the firmware of hard disk drives works with most brands and types of hard disks currently in the market, as well as with solid state drives.
However, there are limits to what the Equation malware can do. Raiu said that it does not appear that the malware can infect virtual storage or virtualized drives and it does not appear to be able to infect drives that are part of a RAID array. He added that this makes it appear that servers, and thus data centers, are not the target of the Equation malware. Instead, he said that it appears to be aimed at stand-alone computers or laptops.
Raiu also noted that the Equation malware may have bumped up against new technology. “Most modern hard drives from top brands around the world have some additional security measures and they check to see if the firmware is original,” he said. “If it’s not, they don’t allow the firmware to work.”
Additional research on the Equation malware by Symantec describes exactly how the malware functions. According to a statement in the company’s Security Response blog, an attack by the Equation malware takes place in stages.
Security Researchers Find Unexpected Weakness in Equation Malware
First, the targeted computer is invaded by the GrayFish Trojan, either through phishing or an infected USB memory drive. Once it’s in the computer, it takes over the Windows boot process. Once it’s there, GrayFish uses an encrypted virtual file system that Symantec says is hidden inside the Windows registry.
The Symantec report goes on to say that the Equation malware uses a number of specialized worms for propagation, including one that’s designed to attack “air gapped” networks, meaning networks with no connection to the outside world.
Either way, the first operational stage of the Equation malware is surveillance. Once resident on the targeted machine, the malware looks for indications that the computer contains information that would justify a more thorough examination.
If the attackers decide that a computer’s information is worth a look, the malware may either exfiltrate data via the network of through a USB stick. However, it’s also possible that important data will be quietly stockpiled in small amounts on the infected device until a transmission is requested.
The Kaspersky team said that one critical difference between the Equation malware and malware written by cyber-criminals is the way it selects information. One primary difference is that the nation state attackers only take the minimum amount of data necessary as a way to avoid attracting attention.
“It may seem unusual that a cyber-espionage platform as powerful as EquationDrug doesn’t provide all-stealing capability as standard in its malware core,” Raiu said in a prepared statement.
“The answer is that they prefer to customize the attack for each one of their victims. Only if they have chosen to actively monitor you and the security products on your machines have been disarmed, will you receive a plugin for the live tracking of your conversations or other specific functions related to your activities. We believe modularity and customization will become a unique trademark of nation-state attackers in the future.”
If there’s a ray of good news about the Equation malware, it’s that it may not be something that cyber-criminals can adopt. Raiu said that he thinks it’s beyond to ability of most cyber-criminals to reverse engineer the code, even though it’s available.
He did, however, say that a cyber-criminal could create a crude payload for the Equation malware that could effectively corrupt the hard disks of attacked computers, making them useless. In that case, the only goal of the attack would be to cause destruction.
Raiu said that his group is going to publish the details of the firmware infecting hard disks in the near future, along with a list of computers that include the ability to check their own firmware.
