Overview of EquationGroup toolkit

shadoweye (40)in #security • 7 years ago (edited)

Our first set of analyses, as mentioned, is going to be about the EquationGroup malware, due to the vast corprus of leaked material, and the fact that few other people have done much analysis of anything beyond the exploits themselves.

This particular post functions as a kind of introduction to the NSA's toolkit, with a brief overview of what it contains.

I'd like to note that it's not very valuable to talk about the contents of the EquationGroup Linux malware leak as separate components in isolation, due to how strongly linked everything is. Each implant or tool generally, while capable of functioning independently in some fashion, is best used in tandem with others. As such, more important than the individual tools is the process. It is this process that differentiates the EquationGroup from other alleged agency adversaries, such as the Turla group, who, while equipped with their own mature Linux implants (best described in the Penquin Turla report, which documents the links between Turla and some early APT attacks from the 90s), do not (or have not been disclosed as) having an well-developed methodology and process.

It is important to note that this same process is the reason why the EquationGroup are so successful. Our analysis of the leaks indicate that their development team is relatively small, probably no more than ten people using standardized buildchains and development practices. The tools have clearly been developed over time, and indeed, one can, if taking a broad view, watch the development evolve over time in a similar manner to that of the general information security community (Perl, for example, slowly being phased out for Python). However, they've developed a prodigious amount of tools that automate and streamline the vast majority of the exploitation and post-exploitation, which allows the actual operators at the keyboard to tap into the experience and skills of the development team regardless of their own level.

Many of you have probably heard of, or noticed, the NOPEN RAT/backdoor client/server pair that is the NSA's main utility for any kind of UNIX; they seem to have a variant of it for everything from Linux to HPUX. It's a versatile and featurful backdoor that is one of the more important tools in the NSA's arsenal. It is through NOPEN that operators primarily, well, operate, and NOPEN is designed to work in tandem with a number of tools.

One thing it lacks is persistence mechanisms, being more of a post-exploitation tool; an example of the NSA's persistence toolkit is STOICSURGEON, a kernel-level rootkit with all the standard functionality that entails, such as hiding processes, directories, manipulating timestamps, and so on.

There's INCISION, which appears to be another rootkit (one that modifies /sbin/init. At least on HP, it doesn't appear to be able to hide network connections, presumably the reason for the development of STOICSURGEON. JACKLADDER is a malicious library, also for HP at least, but presumably other platforms. JACKLADDER on HP-UX communicates via means of an accept() function hook and additional special source ports that need to be triggered.

There are also ORANGUTANG, PATCHICILLIN, and RETICULUM, of which little has yet been seen, and SIDETRACK, which has a rather nifty python client for communicating with it. SLYHERETIC is an AIX-specific implant which injects itself into a system process, with two variants, persistent across reboots and not-persistent. Lack of the actual binary means it's not easy to work out exactly what mechanism SLYHERETIC uses to accomplish this. DITTOCLASS seems to be yet another kernel-level implant, and DEWDROP is a userland backdoor that appears to use ICMP (ala LOKI2). PORK is a backdoor that reads in the inetd file and essentially replaces inet.d, listening on all its ports and waiting for connections from a certain source port . Out of all of these, STOICSURGEON appears to be the most recent.

However, this isn't all NOPEN works with; there is also GREENSPIRIT (among others). GREENSPIRIT is a modular framework for both uploading NOPEN (gs.os.gr generates a oneliner, or, in NSA parlance, pasteable, for transferring NOPEN to a target), and also for post-exploitation. It turns NOPEN from a fairly mundane RAT into something like meterpreter for UNIX, with built-in scanning, interaction with other NSA tools, anti-forensics, and assorted other functionality. At a later date, we'll dive into GS in more detail, and discuss the tradecraft involved, and speculate a little about the development process.

In addition to this, other common tools include strifeworld, a kind of NSA-brand tcpdump, and also SHENTYSDELIGHT, which is an malicious shared object keylogger that appears to be loaded into userland via the LD_PRELOAD mechanism. DubMoat appears to be a backdoored OpenSSHd that logs credentials to the file /var/run/utmp~. Toast is a log-wiper, CUPS is a Clean UP Script (imaginative naming), and pclean appears to be a cleaner for the pacct file. SUCTIONCHAR appears to be some kind of keylogger, also, which allows for logging data from a variety of programs; the sample filter includes su, csh, login, passwd, telnet, ssh, rsh, and rlogin.

In general, most of the binaries have been compiled very similarly, which indicates the maturity of the toolchain; none of the implants expose any function names (those are all decrypted at runtime), nor any obviously malicious strings. No "NSA OWNS YOU" here.

There are, of course, the exploits, but I'm going to leave those to a colleague.

Later, we'll be looking at these tools in more depth.