{
	"id": "b87e9f34-1398-477e-8a37-8117f588b321",
	"created_at": "2026-04-06T00:12:39.316627Z",
	"updated_at": "2026-04-10T13:12:38.525116Z",
	"deleted_at": null,
	"sha1_hash": "9589e17e014f540c522ec848ceb3479f91a3e530",
	"title": "Inside the EquationDrug Espionage Platform",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1238755,
	"plain_text": "Inside the EquationDrug Espionage Platform\r\nBy GReAT\r\nPublished: 2015-03-11 · Archived: 2026-04-05 14:39:39 UTC\r\nIntroduction\r\nEquationDrug is one of the main espionage platforms used by the Equation Group, a highly sophisticated threat actor that\r\nhas been engaged in multiple CNE (computer network exploitation) operations dating back to 2001, and perhaps as early\r\nas 1996. (See full report here [PDF]).\r\nEquationDrug, which is still in use, dates back to 2003, although the more modern GrayFish platform is being pushed to\r\nnew victims.\r\nEquationDrug represents the main espionage platform from the #EquationAPT Group\r\nTweet\r\nIt’s important to note that EquationDrug is not just a Trojan, but a full espionage platform, which includes a framework\r\nfor conducting cyberespionage activities by deploying specific modules on the machines of selected victims. The concept\r\nof a cyberespionage platform is neither new nor unique. Other threat actors known to use such sophisticated platforms\r\ninclude Regin and Epic Turla.\r\nThe EquationDrug platform can be extended through plugins (or modules). It is pre-built with a default set of plugins\r\nsupporting a number of basic cyberespionage functions. These include common features such as file collection and the\r\nmaking of screenshots. Sophistication is added by storing stolen data inside a custom-encrypted virtual file system before\r\nit is sent to the command and control servers.\r\nThe name “EquationDrug” or “Equestre” was assigned to this framework by Kaspersky Lab researchers. The only\r\nreference left by the framework developers was a short string “UR“, as seen in several string artifacts left in the binaries.\r\nPlatform Architecture\r\nThe EquationDrug platform includes dozens of executables, configurations and protected storage locations. 
Putting all the pieces of this puzzle together in the right order may take time for those who are not familiar with the platform.\r\nThe architecture of the whole framework resembles a mini operating system, with kernel-mode and user-mode components carefully interacting with each other via a custom message-passing interface. The platform includes a set of drivers, a platform core (orchestrator) and a number of plugins. Every plugin has a unique ID and version number that defines the set of functions it provides. Some plugins depend on others and will not work unless their dependencies are resolved.\r\nhttps://securelist.com/inside-the-equationdrug-espionage-platform/69203/\r\nPage 1 of 26\n\nAs in popular OS kernel designs, such as Unix-based systems, some essential modules are statically linked into the platform core, while others are loaded on demand.\r\nThe platform is started by the kernel-mode driver component (“msndsrv.sys” on Windows 2000 and above, “mssvc32.vxd” on Windows 9x). The driver waits for the system to finish starting and then initiates execution of the user-mode loader “mscfg32.exe”. The loader in turn starts the platform’s central module (the orchestrator) from “mscfg32.dll”. Additional drivers and libraries may be loaded by different components of the platform, either built-in or auxiliary.\r\nPlatform Components\r\nThe EquationDrug platform can be as sophisticated as a space station, but it appears to be of no use without its cyberespionage features. Those are provided by the plugin modules that are part of the massive framework described above. 
We discovered dozens of plugins, each a sophisticated element that can communicate with the core and become aware of the availability of other plugins.\r\nThe plugins we discovered probably represent just a fraction of the attackers’ potential. Each plugin is assigned a unique plugin ID (a WORD), such as 0x8000, 0x8002, 0x8004, 0x8006, etc. All plugin IDs are even numbers and all have 0x80 as their high byte. The largest plugin ID we have seen is 0x80CA. To date, we have found 30 unique plugin IDs in total. Given that the developers assign plugin IDs incrementally, and assuming that the IDs we have not seen were assigned to modules we have not yet discovered, 86 modules have yet to be discovered.\r\nThe most interesting modules we have seen contain the following functionality:\r\nNetwork traffic interception for stealing or re-routing.\r\nReverse DNS resolution (DNS PTR records).\r\nComputer management: start/stop processes; load drivers and libraries; manage files and directories.\r\nSystem information gathering: OS version, computer name, user name, locale, keyboard layout, timezone, process list.\r\nBrowsing network resources and enumerating and accessing shares.\r\nWMI information gathering.\r\nCollection of cached passwords.\r\nEnumeration of processes and other system objects.\r\nMonitoring live user activity in web browsers.\r\nLow-level NTFS filesystem access based on the popular Sleuthkit framework.\r\nMonitoring removable storage drives.\r\nPassive network backdoor (runs Equation shellcode from raw traffic).\r\nHDD and SSD firmware manipulation.\r\nKeylogging and clipboard monitoring.\r\nBrowser history, cached passwords and form auto-fill data collection.\r\nCode Artifacts\r\nDuring our research we paid attention to 
unique identifiers and codenames used by the developers in the malware. Most of this information is carefully protected with obfuscation or encryption to prevent quick recognition, but anyone who breaks through that layer may discover some interesting internal strings, as the screenshot in the original article demonstrates. Some other interesting text strings include:\r\nSkyhookChow Target\r\nSkyhookChow Payload\r\nDissecorp\r\nManual/DRINKPARSLEY/2008-09-30/10:06:46.468-04:00\r\nVTT/82053737/STRAITACID/2008-09-03/10:44:56.361-04:00\r\nVTT/82051410/LUTEUSOBSTOS/2008-07-30/17:27:23.715-04:00\r\nSTRAITSHOOTER30.ex_\r\nBACKSNARF_AB25\r\nc:\\users\\rmgree5\\co\\standalonegrok_2.1.1.1\\gk_driver\\gk_sa_driver…\r\nTo install: run with no arguments\r\nAttempting to drop\r\nSFCriteria_Check failed!\r\nSFDriver\r\nError detected! Uninstalling…\r\nTimeout waiting for the “canInstallNow” event from the implant-specific EXE!\r\nTrying to call privilege lib…\r\nHiding directory\r\nHiding plugin…\r\nMerging plugin…\r\nMerging old plugin key…\r\nCouldn’t reset canInstallNowEvent!\r\nPerforming UR-specific pre-install…\r\nWork complete.\r\nMerged transport manager state.\r\n!!SFConfig!!\r\nOther names, such as kernel object and file names, abbreviations, the resource code page and several generic messages, point to English-speaking developers. Given the limited number of such strings, it is hard to tell reliably whether the developers were native English speakers.\r\nLink Timestamp Analysis\r\nWe have gathered a reasonably large number of executable samples to which we have been able to apply link timestamp analysis.\r\nA link timestamp is a 4-byte value stored in the PE file header (the TimeDateStamp field of the COFF file header). It is set automatically by the linker when a developer builds a new executable. 
The value is a 32-bit count of seconds since 1970-01-01 UTC, so it records the build time down to the second (think of it as the file’s moment of birth).\r\nLink timestamp analysis requires collecting the timestamps of all available executables, grouping them according to certain criteria, such as hour of the day or day of the week, and putting them on a chart. Below are some charts built using this approach.\r\nCan we trust this information? Not fully, because the link timestamp can be altered by the developer in a way that is not always possible to spot. However, certain indicators, such as the year in the timestamp matching the support for technology popular in that year, lead us to believe that the timestamps were, at the very least, not wholly replaced. Looking at it from the other side, the easiest option for a developer is to wipe the timestamp completely, replacing it with zeroes. This was not found in the case of EquationDrug. 
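The procedure described above is easy to script. The following is an added example and not code from the original article: it reads the TimeDateStamp out of a PE header, discards zeroed or implausible values (the wiped-timestamp case mentioned above), and buckets the remaining build times by weekday and hour after shifting them into a candidate developer timezone. The input is constructed: bare MZ/PE headers that carry the three link times quoted for msndsrv.sys, mscfg32.exe and mscfg32.dll in the Technical Details section, not the real binaries.

```python
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone


def pe_link_timestamp(image: bytes) -> int:
    """Read the COFF TimeDateStamp (seconds since 1970-01-01 UTC) from a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # The COFF header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", image, e_lfanew + 8)[0]


def make_pe_stub(timestamp: int) -> bytes:
    """Constructed test input: a bare MZ/PE header carrying the given link timestamp (not a real binary)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x014C, 1, timestamp, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


def timestamp_is_plausible(ts: int, earliest_year: int = 1995) -> bool:
    """A zeroed or wildly out-of-range stamp means the field was wiped or forged, so skip it."""
    if ts == 0:
        return False
    year = datetime.fromtimestamp(ts, timezone.utc).year
    return earliest_year <= year <= 2038


def bucket_by_local_time(timestamps, utc_offset_hours: int):
    """Count builds per weekday and per hour after shifting them into the candidate timezone."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    by_day, by_hour = Counter(), Counter()
    for ts in timestamps:
        if not timestamp_is_plausible(ts):
            continue
        local = datetime.fromtimestamp(ts, tz)
        by_day[local.strftime("%a")] += 1
        by_hour[local.hour] += 1
    return by_day, by_hour


def office_hours_score(by_day, by_hour, start: int = 8, end: int = 18):
    """Fraction of builds on Mon-Fri and fraction inside [start, end) local time.

    Both approach 1.0 for the timezone in which the developers kept a regular schedule."""
    total = sum(by_day.values())
    if total == 0:
        return 0.0, 0.0
    weekday = total - by_day["Sat"] - by_day["Sun"]
    in_hours = sum(n for h, n in by_hour.items() if start <= h < end)
    return weekday / total, in_hours / total


# The three link times quoted in the Technical Details section (GMT), used as sample input.
SAMPLE_STAMPS = [
    int(datetime(2008, 1, 23, 14, 12, 33, tzinfo=timezone.utc).timestamp()),  # msndsrv.sys
    int(datetime(2008, 1, 23, 14, 26, 5, tzinfo=timezone.utc).timestamp()),   # mscfg32.exe
    int(datetime(2008, 1, 24, 22, 11, 34, tzinfo=timezone.utc).timestamp()),  # mscfg32.dll
]

if __name__ == "__main__":
    stamps = [pe_link_timestamp(make_pe_stub(ts)) for ts in SAMPLE_STAMPS]
    for offset in (0, -3, -4):
        by_day, by_hour = bucket_by_local_time(stamps, offset)
        print(f"UTC{offset:+d}:", dict(by_day), dict(by_hour), office_hours_score(by_day, by_hour))
```

With only three samples the scores say little; the technique only becomes meaningful over a large corpus, where the histogram for the correct offset shows a clear Monday-to-Friday, 8-to-18 block and the others do not.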
In fact, the timestamps look very realistic and match the working days and hours of a well-organized software developer in timezone UTC-3 or UTC-4, if you assume that they come to work at 8 or 9 am.\r\nAnd finally, in case you are wondering whether the developers work on public holidays, you can check for yourself against the full list of their working (build) dates, given here in chronological order:\r\n2001.08.17, 2001.08.23\r\n2003.08.16, 2003.08.17\r\n2005.03.16, 2005.09.08\r\n2006.06.15, 2006.09.18, 2006.10.04, 2006.10.16\r\n2007.07.12, 2007.10.02, 2007.10.16, 2007.12.10, 2007.12.11, 2007.12.17\r\n2008.01.01, 2008.01.23, 2008.01.24, 2008.01.29, 2008.01.30, 2008.04.24, 2008.05.07, 2008.05.09, 2008.06.17, 2008.09.17, 2008.09.24, 2008.12.05\r\n2009.04.16, 2009.06.05, 2009.12.15\r\n2010.01.22, 2010.02.19, 2010.02.22, 2010.03.27, 2010.06.15\r\n2011.02.09, 2011.02.23, 2011.08.08, 2011.08.30, 2011.09.02, 2011.10.04, 2011.10.20, 2011.10.26\r\n2012.03.06, 2012.03.22, 2012.04.03, 2012.04.04, 2012.04.05, 2012.04.12, 2012.07.02, 2012.07.09, 2012.07.17, 2012.08.02, 2012.08.03, 2012.08.14, 2012.08.31, 2012.09.28, 2012.10.23, 2012.11.02, 2012.11.06\r\n2013.01.08, 2013.02.07, 2013.02.21, 2013.02.22, 2013.02.27, 2013.04.16, 2013.05.08, 2013.05.14, 2013.05.24, 2013.06.11, 2013.06.26, 2013.08.09, 2013.08.28, 2013.10.16, 2013.11.04, 2013.11.26, 2013.12.04, 2013.12.05, 2013.12.13\r\nConclusions\r\nEquationDrug represents the main espionage platform from the Equation Group. 
It has been in use for over 10 years, replacing EquationLaser until it was itself replaced by the even more sophisticated GrayFish platform.\r\nThe EquationDrug case demonstrates an interesting trend that we have been seeing while analyzing supposedly nation-state cyberattack tools: a growth in code sophistication. It is clear that nation-state attackers are looking for better stability, invisibility, reliability and universality in their cyberespionage tools. You can make a basic browser password-stealer or a sniffer within days. Nation-states, however, are focused on creating frameworks for wrapping such code into something that can be customized on live systems and provides a reliable way to store all components and data in encrypted form, inaccessible to normal users. While traditional cybercriminals mass-distribute emails with malicious attachments or infect websites on a large scale, nation-states create automated systems that infect only selected users. While traditional cybercriminals typically reuse one malicious file for all victims, nation-states prepare malware unique to each victim and even implement restrictions preventing decryption and execution outside the target computer.\r\nThe sophistication of the framework is what sets this type of actor apart from traditional cybercriminals, who prefer to focus on payload and malware capabilities, such as implementing a long list of custom parsers for third-party software credential databases.\r\nThe difference in tactics between cybercriminals and nation-state attackers appears to be due to relative resource availability. 
It is known that cybercriminals attempt to infect as many users as possible and that they can sometimes compromise hundreds of thousands of systems. It would take many years to check all those machines manually, analyzing who owns them, what data is stored on them and what custom software they run.\r\nCybercriminals probably don’t even have enough disk space to collect all the potentially interesting data from the victims hit by their large-scale infections. That is why cybercriminals prefer to extract tiny chunks of the most important data (credentials, credit card numbers, etc.) on the victim’s machine and transfer only a few kilobytes from each compromised host. Such data, combined across all victims, normally takes up gigabytes of disk space.\r\nNation-state attackers have sufficient resources to store as much data as they want; they have access to virtually unlimited data storage. However, they don’t need, and often try to avoid, infecting random users, for the obvious reason of avoiding attention and remaining invisible. Implementing custom data format parsers in the malware not only fails to help them find all the valuable data on the victim’s machine, but may also attract extra attention from security software running on the system. They mostly prefer to have a generic remote system management tool that can copy any information they might need, even at the cost of some redundancy. However, copying large volumes of information might slow down the network connection and attract attention, especially in countries with poorly developed internet infrastructure. 
To date, nation-state attackers have had to balance between these two poles: copying victims’ entire hard drives versus stealing only tiny bits of passwords and keys.\r\nNow, if you wonder why EquationDrug, a powerful cyberespionage platform, doesn’t provide all its stealing capabilities as standard in its malware core, the answer is that the operators prefer to customize the attack for each of their victims. Only if they have chosen to actively monitor you, and the security products on your machines have been disarmed, will you receive a plugin for the live tracking of your conversations or other specific functions related to your activities. We believe modularity and customization will become a unique trademark of nation-state attackers in the future.\r\nSome code paths in EquationDrug modules lead to OS version checks that include a test for Windows 95, which is accepted as one of the supported platforms. While some other checks will not pass on Windows 95, the presence of this code means that this OS was supported in some earlier variants of the malware. Considering this, the existence of components designed to run on Windows 9x (such as VXD files), and compilation timestamps dating back to the early 2000s, the hypothesis that these attackers have been active since the 90s seems realistic. This makes the current attacker an outstanding actor, operating longer than any other in the field.\r\nTechnical Details\r\nKernel mode stage 0 (Windows 9x) – mssvc32.vxd\r\nMD5 0a5e9b15014733ee7685d8c8be81fb0d\r\nSize 6 710 bytes\r\nFormat Linear Executable (LE)\r\nThis VXD driver handles only two control messages: W32_DeviceIoControl and Dynamic_Init. 
The DeviceIoControl handler is only partially implemented: it recognizes a few known control codes but does nothing with them, so it looks more like a code stub than an actual payload.\r\nOn the Dynamic_Init event, the driver retrieves the location of the user-mode loader executable from the following registry value:\r\n[HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\MemSubSys] Config\r\nIf the value is not present in the registry, it uses the following fallback string hardcoded in the binary:\r\nC:\\WINDOWS\\SYSTEM\\SVCHOST32.EXE\r\nNext, it installs a callback procedure using the Windows 9x system service _SHELL_CallAtAppyTime. The callback runs at “appy time”, that is, when the CPU is in ring 3 in the context of a Win32 application, so that a new executable (the loader process) can be started in the ordinary way. This is a standard trick used by developers in the 90s to call a DLL export in ring 3 from ring-0 code on the Windows 9x family.\r\nKernel mode stage 0 and rootkit (Windows 2000 and above) – msndsrv.sys\r\nMD5 c4f8671c1f00dab30f5f88d684af1927\r\nSize 105 392 bytes\r\nFormat PE32 Native\r\nCompiled 2008.01.23 14:12:33 (GMT)\r\nLocation %System32%\\drivers\\msndsrv.sys\r\nThis module can create log files in the following known locations:\r\n%systemroot%\\system32\\mslog32.dat\r\n%systemroot%\\system32\\msperf32.dat (default location)\r\nThe driver acts as the first stage of the EquationDrug platform on Windows 2000+ and implements rootkit functions for hiding the components of the platform. 
Additionally, it implements an NDIS driver for filtering network traffic.\r\nWhen started and initialized, the driver retrieves the location of the user-mode loader executable from the registry value:\r\n[HKLM\\System\\CurrentControlSet\\Services\\%driver name%] Config\r\nThe %driver name% is not hardcoded but obtained dynamically from the current module name, which means that different instances may check different registry keys, so this is not a reliable way to check for infection. The sample we analyzed used “msndsrv” as the %driver name%.\r\nNext, it crafts shellcode and injects it into “services.exe” or “winlogon.exe”. The shellcode is designed to spawn the loader process from the executable named “mscfg32.exe”.\r\nThe rootkit code in the driver hooks several Native API functions, which lets it hide or protect registry keys, files and running processes. The components of EquationDrug can modify the list of protected objects by sending DeviceIoControl messages to the driver. The driver also maintains a persistent list of protected objects that is stored in the following registry values:\r\n[HKLM\\System\\CurrentControlSet\\Services\\%driver name%] 1\r\n[HKLM\\System\\CurrentControlSet\\Services\\%driver name%] 2\r\nThese values are also protected by the rootkit; they can be revealed by booting Windows in Safe Mode.\r\nThe driver contains the following unused strings:\r\n\\\\.\\mailslot\\dskInfo\r\nDissecorp\r\nUser-mode loader – mscfg32.exe, svchost32.exe\r\nMD5 c3af66b9ce29efe5ee34e87b6e136e3a\r\nSize 22 016 bytes\r\nFormat PE32 EXE\r\nCompiled 2008.01.23 14:26:05 (GMT)\r\nLocation %System32%\\mscfg32.exe\r\nThis module opens a unique event named “D0385CB7-B834-45d1-A501-1A1700E6C34E”. If the event exists, it waits for 10 seconds and then attempts to open a file whose name decrypts to “\\\\.\\MSNDSRV”. 
If the device file is successfully opened, the code issues a device request with IOCTL code 0x80000194 and no parameters.\r\nThis module uses RC5 in a CBC-like mode with a 96-bit key for string encryption.\r\nCareful analysis reveals some bits of uninitialized memory next to the encryption key locations. This memory is unused but partly meaningful, because it seems to contain short chunks of strings resembling local file paths:\r\n“rver\\8” (probably part of a “Server\\8…” string)\r\n“LInj” (could be part of “DLLInjector” or similar)\r\nIt is apparent that some parts of the code were designed to run on Windows 9x: for example, a call to the RegisterServiceProcess API makes sense only on the Windows 9x family, because that function does not exist on the Windows NT platform.\r\nThe module uses a unique algorithm for generating registry value names. The code contains strings, such as “SkyhookChow Target”, that are converted to GUID-like strings by computing their SHA-1 hash and formatting the 20-byte digest as hexadecimal. The resulting strings are used as the actual registry value names in the [HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\MemSubSys] registry key.\r\nSample registry value names:\r\nOriginal string | GUID-like registry value name\r\nSkyhookChow Target | {B6F5CD13-A74D-8B82-A6AA-6FA1BE2484C1-6832DF06}\r\nSkyhookChow Payload | {F4CF0326-6DCD-EEC8-5323-01CEDB66741A-B55F6F12}\r\nThese registry values are encrypted with RC5 using a hardcoded 1024-bit key and 24 rounds.\r\nThe registry value:\r\n[HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\MemSubSys] {F4CF0326-6DCD-EEC8-5323-01CEDB66741A-B55F6F12} (“SkyhookChow Payload”)\r\nshould contain the location of the orchestrator DLL file (“mscfg32.dll”). 
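The value-name scheme above is simple enough to reproduce, which matters for a responder who wants to locate the implant’s registry values without a decrypted sample at hand. The following is an added example, not the loader’s code: it lays a SHA-1 digest out in the 8-4-4-4-12-8 shape of the observed names and then checks which byte encoding of a source string (ASCII or UTF-16LE, with or without a terminator) reproduces a given observed value. The assumptions are that the digest is used as-is, without the byte swapping of a real GUID, and that the real encoding is one of those four candidates; the article does not say. The four observed names are copied from this article and the check reports, rather than presumes, whether any candidate matches.

```python
import hashlib


def guid_like_name(digest: bytes) -> str:
    """Lay out a 20-byte SHA-1 digest as {8-4-4-4-12-8} upper-case hex, the shape of the observed names."""
    if len(digest) != 20:
        raise ValueError("expected a 20-byte SHA-1 digest")
    h = digest.hex().upper()
    groups = (h[0:8], h[8:12], h[12:16], h[16:20], h[20:32], h[32:40])
    return "{" + "-".join(groups) + "}"


def label_variants(label: str):
    """Candidate byte encodings of a source string (assumption: the real one is among these)."""
    yield "ascii", label.encode("ascii")
    yield "ascii+nul", label.encode("ascii") + b"\0"
    yield "utf-16le", label.encode("utf-16-le")
    yield "utf-16le+nul", label.encode("utf-16-le") + b"\0\0"


def name_for(label: str, variant: str = "ascii") -> str:
    """Registry value name derived from a source string under one encoding variant."""
    data = dict(label_variants(label))[variant]
    return guid_like_name(hashlib.sha1(data).digest())


def match_variant(label: str, observed: str):
    """Return the encoding variant that reproduces the observed value name, or None if none does."""
    for variant, data in label_variants(label):
        if guid_like_name(hashlib.sha1(data).digest()) == observed:
            return variant
    return None


# Value names quoted in the article, keyed by the source string the loader hashes.
OBSERVED_NAMES = {
    "SkyhookChow Target": "{B6F5CD13-A74D-8B82-A6AA-6FA1BE2484C1-6832DF06}",
    "SkyhookChow Payload": "{F4CF0326-6DCD-EEC8-5323-01CEDB66741A-B55F6F12}",
    "Configuration": "{42E14DD3-F07A-78F1-7659-26AE141569AC-E0B3EE89}",
    "StartTime": "{08DAB849-0E1E-A1F0-DCF1-457081E091DB-117DB663}",
}


def check_observed():
    """Map each observed name to the encoding variant that reproduces it (None = no candidate fits)."""
    return {label: match_variant(label, name) for label, name in OBSERVED_NAMES.items()}


if __name__ == "__main__":
    for label, variant in check_observed().items():
        print(f"{label!r}: {variant or 'no candidate encoding matches'}")
```

If none of the candidates matches, the digest layout or the input encoding differs from the assumptions above and the next step is to read the hashing routine in the loader itself.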
If the value is not present, the default “%SYSTEM%\\mscfg32.dll” is used.\r\nThe registry value:\r\n[HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\MemSubSys] {B6F5CD13-A74D-8B82-A6AA-6FA1BE2484C1-6832DF06} (“SkyhookChow Target”)\r\nmay contain the location of the executable file that will be used as a “shell” process for the orchestrator library.\r\nThe module attempts to start the “shell” process in suspended mode. If there is no “SkyhookChow Target” value, or the specified executable fails to start, the module tries the following fallback programs in order:\r\n1. The default browser set in the registry: [HKLM\\SOFTWARE\\Clients\\StartMenuInternet\\{current @default value}\\shell\\open\\command]\r\n2. %SystemRoot%\\System32\\svchost.exe\r\n3. %SystemRoot%\\System32\\lsass.exe\r\n4. The spooler service binary from the [HKLM\\SYSTEM\\CurrentControlSet\\Services\\Spooler] ImagePath registry value.\r\n5. The default HTML file handler from the [HKLM\\SOFTWARE\\Classes\\htmlfile\\shell\\open\\command] registry value.\r\n6. The Internet Explorer path from the [HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\IEXPLORE.EXE] registry key.\r\nNext, the module injects extra code into the newly started target process. The injected code loads the payload DLL (“mscfg32.dll”) into the target process and waits for the parent process to exit. When the parent process quits, it unloads the payload DLL and exits as well. The rest of the logic relies on the DLL loaded in that new process; see the description of the “mscfg32.dll” module below.\r\nThe module communicates with the stage 0/rootkit driver “msndsrv.sys” by sending DeviceIoControl messages to the device “\\\\.\\MSNDSRV”. 
It activates the rootkit for its own process, for the target process holding the orchestrator and for all the files involved.\r\nPlatform orchestrator – mscfg32.dll, svchost32.dll\r\nMD5 5767b9d851d0c24e13eca1bfd16ea424\r\nSize 249 856 bytes\r\nFormat PE32 DLL\r\nCompiled 2008.01.24 22:11:34 (GMT)\r\nLocation %System%\\mscfg32.dll\r\nCreates the mutex “01C482BA-BD31-4874-A08B-A93EA5BCE511”, or terminates if it already exists.\r\nWrites a timestamped log file to one of the following locations:\r\n%SystemRoot%\\temp\\~yh56816.tmp\r\nC:\\Windows\\Temp\\~yh56816.tmp\r\n%Registry_SystemRoot_Value%\\temp\\~yh56816.tmp\r\nValue of [HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\MemSubSys] D\r\nThe file “~yh56816.tmp” retains the history of execution. It consists of debug records of a simple structure:\r\n        Stage: DWORD | DateTimeLow: DWORD | DateTimeHigh: DWORD\r\nThat is, it logs the execution of every stage of the orchestrator together with the time of execution (the DateTimeLow/DateTimeHigh pair is laid out like a Windows FILETIME). The Stage is an integer starting from 1.\r\nThis module spawns a new thread in its DllMain function, which contains the main function body. The procedure disables the application error popups shown by the default exception handler. This is probably done only in the “Release” build of the malware, because the code that follows generates exceptions that would be reported to the user if the popups were not disabled. We assume that the “Debug” build does not suppress error popups, as this helps with debugging the code.\r\nThe module checks the OS version and, if it encounters an unsupported operating system, generates an exception that terminates the application. The OS versions that pass this test are:\r\nWindows 95/98/ME\r\nWindows NT 4.0 and above.\r\nIf the module runs on Win9x, it executes the Win9x-specific function RegisterServiceProcess to hide from the Windows Task Manager. 
If the module is NOT running on Windows NT 6.0+, it then attempts to open a virtual device file with one of the following names:\r\n\\\\.\\MSSVC32 on Win9x\r\n\\\\.\\MSNDSRV on WinNT\r\nIf the device file is successfully opened, the module activates the rootkit for its own process and for the file “%SYSTEM%\\unilay.dll”. This is followed by finding and terminating a process named “winproc.exe”, which is the name of another component of the platform. Note that this part of the code is executed only on platforms other than Windows NT 6.x (Windows Vista and later).\r\nThe module was designed to fetch or update its main configuration data from several places. Some default values are set inside the code, such as some timeout values and the following C\u0026Cs:\r\nwww.waeservices[.]com\r\n213.198.79.49\r\nThese default values can be overwritten later.\r\nNext, it locates a data section called “Share2” in the current module and verifies the starting magic number. If it is 0x63959700, it decrypts the rest of the data in the section and interprets it as a configuration block. However, data from the next location can override all previous settings: a registry value with a special name.\r\nThe registry value name is the same kind of GUID-like SHA-1 value as used in the loader (“mscfg32.exe”), produced here from the source string “Configuration”:\r\n[HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\MemSubSys] {42E14DD3-F07A-78F1-7659-26AE141569AC-E0B3EE89}\r\nThe configuration block stored in the registry value is encrypted using RC5 with the 1024-bit key. 
Both the loader and the orchestrator share the same key for encrypting and decrypting the registry values in the “MemSubSys” key.\r\nThe decrypted configuration block consists of a series of tagged configuration records in the following format:\r\n        [RecordType:DWORD][RecordSize:DWORD][RecordValue:%RecordSize% bytes]\r\nWe retrieved a copy of a configuration block, decrypted it and partly interpreted it. The results for one of the configuration blocks:\r\nTime value: 1 year 0 months 1 day 22 hours 6 mins 52 secs. The orchestrator is expected to set this field to the time of initial configuration.\r\nBinaries: 3×1024-bit encryption keys (256 hex digits each):\r\n1b8e7818dad6345c53c2707a2c44648eee700d5cf34fea6a19a3fa0a6a871c72963fdded91e2703c82b7747b8793e3063700da32cfb8d907dcce1beb36edd575418d1134ef188b27ec3ce23711a656b0a8bf28921fbf1c39b4c90ad561e4174ed90f26ce11245bb9deb4b4720403f47ca865ec8bbd3c1df9d93d042ff5b52ec6\r\n0500…00 (the byte 0x05 followed by 127 zero bytes)\r\ned04953f3452068ae6439f04c7904c8be5e98e66e2cd0f267d65240aeed88bd4d3c6105c99950dd42ccde4bc6bbaf9f6cb1b4e628d943e91f8f97f2aff705fdd25e3af6ba0bc4fd13d67a2bcb751bb8f21f3d4b66c599f3e572802911394d142f8cf3a299d6d4558f9f0f016349afd1888472f4f8c729ffe913f670931f1a227\r\nC\u0026C domain: www[dot]waeservices[dot]com\r\nC\u0026C IP address: 213.198.79.49\r\nC\u0026C port: 443\r\nTimestamp: 2010-12-08 11:35:57\r\nTool Reference: VTT/82055898/STEALTHFIGHTER/2008-10-16/14:59:06.229-04:00\r\nTimeoutA: 25200 sec (7 hours)\r\nTimeoutB: 32400 sec (9 hours)\r\nTimeoutC: 3600 sec (1 hour)\r\nTimeoutD: 172800 sec (48 hours)\r\n+ several unknown values\r\nOther configuration blocks we 
discovered contained similar information, with only a few unique values:\r\nTimestamp: 2009-11-23 14:10:15\r\nTool Reference: Manual/DRINKPARSLEY/2008-09-30/10:06:46.468-04:00\r\nTool Reference: VTT/82053737/STRAITACID/2008-09-03/10:44:56.361-04:00\r\nTool Reference: STRAITSHOOTER30.ex_\r\nTool Reference: VTT/82051410/LUTEUSOBSTOS/2008-07-30/17:27:23.715-04:00\r\nTool Reference: BACKSNARF_AB25\r\nIn the next step, the module obtains PE file version information from the resource section. It loads the version info using hard-coded module names, which are supposed to match the current module name:\r\nSVCHOST32.DLL for Windows 9x\r\nMSCFG32.DLL for Windows NT\r\nIf file version information is available, it gets the language-specific values of the PrivateBuild block. The codepage and languages that are checked are Unicode, LANG_NEUTRAL and LANG_ENGLISH_US. When this check passes, the module reads the @default value of the following key:\r\n[HKLM\\SOFTWARE\\Classes\\CLSID\\{091FD378-422D-A36E-8487-83B57ADD2109}\\TypeLib]\r\nIf that key is not found, the code checks for a registry value named TypeLib in the following key:\r\n[HKLM\\SOFTWARE\\Classes\\CLSID\\{091FD378-422D-A36E-8487-83B57ADD2109}]\r\nIf such a value is found, it is deleted, along with the Version value if one exists in the same key.\r\nThe string obtained from either of the two registry locations is processed as a CLSID-like string: the code takes the last 16 hexadecimal digits, splits them into two 8-character values, converts them to binary form (two DWORDs), reverses the byte order of each DWORD, and XORs the first value with 0x8ED400C0 and the second with 0x4FC2C17B. Finally the two DWORDs are swapped: the first becomes the second and the second becomes the first. In this order they are stored in a structure in memory. These two values seem to be very important, as they override a few values in the previously known configuration. 
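The transform just described, and the reverse procedure the orchestrator uses when it writes the values back, are small enough to implement directly, which is useful for reading the two DWORDs out of a registry dump or for recognizing the fixed “{8C936AF9-243D-11D0-” prefix in one. The following is an added example, not the orchestrator’s code; the only assumption beyond the article’s description is that the write-back uses the exact inverse of the read path (byte swap, XOR, swap order) with the first DWORD split as “%04X-%04X” and the second printed as “%08X”. The sample value in the demo is constructed.

```python
import struct

CLSID_PREFIX = "{8C936AF9-243D-11D0-"
XOR_FIRST, XOR_SECOND = 0x8ED400C0, 0x4FC2C17B


def bswap32(value: int) -> int:
    """Reverse the byte order of a DWORD."""
    return struct.unpack("<I", struct.pack(">I", value))[0]


def hex_digits(text: str) -> str:
    return "".join(ch for ch in text if ch in "0123456789abcdefABCDEF")


def decode_typelib_value(clsid: str):
    """Recover the two DWORDs the orchestrator keeps in memory from the CLSID-like string.

    Steps as described: last 16 hex digits -> two DWORDs -> byte swap -> XOR -> swap order."""
    tail = hex_digits(clsid)[-16:]
    if len(tail) != 16:
        raise ValueError("expected at least 16 hex digits")
    first = bswap32(int(tail[:8], 16)) ^ XOR_FIRST
    second = bswap32(int(tail[8:], 16)) ^ XOR_SECOND
    return second, first  # the code swaps the two values before storing them


def encode_typelib_value(stored_first: int, stored_second: int) -> str:
    """Inverse transform (assumed exact inverse of the read path): the string written back to the registry."""
    first = bswap32((stored_second ^ XOR_FIRST) & 0xFFFFFFFF)
    second = bswap32((stored_first ^ XOR_SECOND) & 0xFFFFFFFF)
    return f"{CLSID_PREFIX}{first >> 16:04X}-{first & 0xFFFF:04X}{second:08X}}}"


def looks_like_marker(clsid: str) -> bool:
    """Quick triage check for a registry dump: the fixed prefix plus 16 trailing hex digits."""
    return clsid.upper().startswith(CLSID_PREFIX) and len(hex_digits(clsid)) == 32


if __name__ == "__main__":
    sample = "{8C936AF9-243D-11D0-DEAD-BEEF01234567}"  # constructed, not an observed value
    stored = decode_typelib_value(sample)
    print(looks_like_marker(sample), [f"{v:08X}" for v in stored])
    print(encode_typelib_value(*stored))
```

Note that with an all-zero tail the decoded pair is exactly the two XOR constants in swapped order, so those constants turning up in memory next to each other is a sign the marker was absent and the defaults were applied.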
If they don’t exist, values from the current configuration replace them and are stored back in the registry following the reverse procedure:\r\n1. [HKLM\\SOFTWARE\\Classes\\CLSID\\{091FD378-422D-A36E-8487-83B57ADD2109}\\Version] is created and its @default value is set to the version obtained from the PrivateBuild field of the file version information (e.g. 3.04.00.0001). This seems to be used as the kit version number.\r\n2. [HKLM\\SOFTWARE\\Classes\\CLSID\\{091FD378-422D-A36E-8487-83B57ADD2109}\\TypeLib] (the location read back above) is created and its @default value is set to a CLSID-like string generated from the following:\r\nFixed prefix string: “{8C936AF9-243D-11D0-”\r\nThe two important DWORD values, formatted as a “%04X-%04X%08X}” string.\r\nWe collected and decrypted several samples of such values. According to the code, they are initialized with values in the Microsoft FILETIME format, so we interpreted them as FILETIME values:\r\n20101C04EC2C17B: 1 year(s) 7 month(s) 21 day(s) 23 hour(s) 32 min(s) 1 sec(s)\r\n81E01C04EC2C17B: 1 year(s) 7 month(s) 8 day(s) 12 hour(s) 13 min(s) 5 sec(s)\r\nE0001C04EC2C17B: 1 year(s) 7 month(s) 21 day(s) 1 hour(s) 6 min(s) 15 sec(s)\r\n77101C04EC2C17B: 1 year(s) 5 month(s) 20 day(s) 19 hour(s) 15 min(s) 4 sec(s)\r\n30F01C04EC2C17B: 1 year(s) 8 month(s) 0 day(s) 6 hour(s) 10 min(s) 33 sec(s)\r\nC0901C04EC2C17B: 1 year(s) 8 month(s) 2 day(s) 6 hour(s) 29 min(s) 39 sec(s)\r\n66701C04EC2C17B: 1 year(s) 6 month(s) 9 day(s) 2 hour(s) 10 min(s) 23 sec(s)\r\nF6501C04EC2C17B: 1 year(s) 6 month(s) 6 day(s) 19 hour(s) 53 min(s) 22 sec(s)\r\n01401C04EC2C17B: 1 year(s) 6 month(s) 25 day(s) 23 hour(s) 34 min(s) 13 sec(s)\r\nAfter that, the module stores the current time in encrypted form in the registry value:\r\n[HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\MemSubSys] {08DAB849-0E1E-A1F0-DCF1-457081E091DB-117DB663} (encoded SHA-1 of “StartTime”)\r\nThe 
module contains an additional compressed Windows DLL file in the resource section, which is extracted as\r\n“unilay.dll” (see below). This DLL exports a number of functions that are just wrappers of the system API used to work\r\nwith files and the registry, and also to start processes and load additional DLL files.\r\nThe orchestrator contains several built-in plugins that form the core of the platform. These are initialized first,\r\nand then additional plugins are loaded. All the plugins are indexed in a single encrypted registry value:\r\n[HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\MemSubSys] 1\r\nThis value has information about all the components of the current kit. It may include Unicode strings with paths to extra\r\nDLLs which serve as plugins. Each DLL exports at least four functions which are imported by ordinal numbers from 1 to\r\n4.\r\nThe structure of the registry value “1”:\r\n[Count:DWORD]{ [Plugin Id:WORD][Plugin Path Length:DWORD][Plugin Path String:VARIABLE] }\r\nPlugins interact with each other and with the orchestrator by exchanging messages of a pre-defined format. The message\r\ntransport is implemented as a global object that contains four communication streams. Every stream contains a pair of\r\nkernel synchronization object handles (a semaphore with a fixed maximum value defaulting to 1000 and a mutex) and a\r\nmessage queue as an array. A dedicated thread processes messages that appear in the message queues.\r\nA message arrives in a parcel, represented as two DWORD values that contain the size of the message and a pointer to the\r\nmessage data. The message data starts with a DWORD identifying the class of message (a request, reply, etc.).\r\nThe orchestrator contains the following built-in plugins (listed by internal ID): 8000, 8022, 8024, 803C, 8046, 800A,\r\n8042, 8002, 8004, 8006, 8008, 8070, 808E. 
Several additional built-in modules have been discovered in newer versions of\r\nthe orchestrator that was shipped with the GrayFish platform.\r\nEquationDrug Plugins:\r\nPlugin ID  File name  Description\r\n8000 Built-in Core, basic API for other modules\r\n8002 wshcom.dll C\u0026C communication using Windows sockets\r\n8004 Built-in Additional message queue\r\n8006 Built-in Memory allocation / storage\r\n8008 vnetapi32.dll C\u0026C communication code based on DoubleFantasy, using WinInet API\r\n800A Built-in C\u0026C communication orchestrator\r\n800C perfcom.dll HTTP communication\r\n8022 khlp680w.dll System API: execute processes, load libraries, manipulate files and directories\r\n8024 cmib158w.dll Collects system information: OS version, computer name, user name, locale, keyboard layout, timezone, process lists\r\n8034 cmib456w.dll Management of the VFS backed by encrypted “.FON” files in the “Fonts\\Extension” directory. Provides encryption using RC5 for these files\r\n803E nls_874w.dll Network sniffer\r\n803C Built-in Communication with the NDIS filter part of “msndsrv.sys”\r\n8040 khlp807w.dll Network exploration API, share enumeration and access\r\n8042 Built-in Compression library based on Nrv2d / UCL\r\n8046 Built-in Communication with the rootkit part of “msndsrv.sys”\r\n8048 mstkpr.dll Disk forensics and direct NTFS reader based on sources of SleuthKit\r\n8050 khlp760w.dll Additional encryption facilities for the file-backed VFS\r\n8058 khlp733w.dll Collects local system information, WMI information, cached passwords\r\n8070 khlp747w.dll Enumerates processes and system objects\r\n807A mscoreep32.dll Plugins for monitoring Internet Explorer and Mozilla browser activities\r\n808A khlp866w.dll Compression library based on Zlib\r\n808E Built-in Reverse (PTR record) DNS resolver\r\n8094 Built-in In-memory storage\r\n809C Built-in In-memory 
storage\r\n80AA nls933w.dll HDD / SSD firmware manipulation\r\n80AE wpl913h.dll Keylogger and clipboard monitoring (aka “GROK”)\r\n80BE vnetapi.dll C\u0026C communication via WinHTTP API\r\n80C6 webmgr.dll Extracts web history, Mozilla/Internet Explorer-saved form data and cached credentials\r\n80CA wshapi.dll C\u0026C communications interface via Windows sockets\r\nAdditional components\r\nUnilay.DLL\r\nThis module provides a compatibility layer for accessing system API functions for Windows 9x. It redirects Unicode\r\n(“W”) variants of Windows API functions to the corresponding ANSI variants by converting Unicode string parameters to\r\nmulti-byte strings and calling the respective ANSI API.\r\nMD5 EF4405930E6071AE1F7F6FA7D4F3397D\r\nSize 9 728 bytes\r\nCompiled 2008.01.23 14:23:10 (GMT)\r\nFormat PE32 DLL, linker version 6.0 (Microsoft Visual C++ 6.0)\r\nExported functions (redirected to ANSI variants):\r\n100017EF: CopyFileW\r\n10001039: CreateDirectoryW\r\n10001111: CreateFileW\r\n100011B3: CreateProcessW\r\n10001177: DeleteFileW\r\n10001516: FindFirstChangeNotificationW\r\n10001466: FindFirstFileExW\r\n10001300: FindFirstFileW\r\n100014C6: FindNextFileW\r\n10001564: GetCurrentDirectoryW\r\n1000188F: GetFileAttributesW\r\n100016C6: GetStartupInfoW\r\n10001602: GetSystemDirectoryW\r\n10001664: GetWindowsDirectoryW\r\n10001853: LoadLibraryW\r\n1000178B: MoveFileExW\r\n1000172D: MoveFileW\r\n10001913: RegCreateKeyExW\r\n100019F5: RegDeleteKeyW\r\n10001DDF: RegDeleteValueW\r\n10001A39: RegEnumKeyExW\r\n10001BE2: RegEnumValueW\r\n1000199B: RegOpenKeyExW\r\n10001B23: RegQueryInfoKeyW\r\n10001D57: RegSetValueExW\r\n100010D5: RemoveDirectoryW\r\n10001E81: SHGetFileInfoW\r\n100015C6: SetCurrentDirectoryW\r\n100018CB: SetFileAttributesW\r\n10001E23: lstrcmpW\r\nNetwork-sniffer/patcher – 
atmdkdrv.sys\r\nMD5s\r\n8d87a1845122bf090b3d8656dc9d60a8\r\n214f7a2c95bdc265888fbcd24e3587da\r\nSize 41 440, 43 840 bytes\r\nFormat PE32 Native\r\nCompiled\r\n2009.04.16 17:19:30 (GMT)\r\n2008.05.07 19:55:14 (GMT)\r\nVersion Info\r\nFileDescription: Network Services\r\nLegalCopyright: Copyright (C) Microsoft Corp. 1981-2000\r\nInternalName: atmdkdrv.sys\r\nor\r\nFileDescription: CineMaster C 1.1 WDM Main Driver\r\nLegalCopyright: Copyright 1999 RAVISENT Technologies Inc.\r\nInternalName: ATMDKDRV.SYS\r\nCreates a file storage “\\SystemRoot\\fonts\\vgafixa1.fon“. Its first word is set to 0x21 at the beginning of the DriverEntry\r\nfunction, and is replaced with 0x20 at the end of DriverEntry.\r\nThis driver appears to have been put together in “quick-and-dirty hack” style, using parts of the “mstcp32.sys” sniffer and\r\nother unknown drivers. It contains a lot of unused code which is partially broken or disabled. These include a broken\r\n“Dynamically disable/enable windows audit logging” subsystem and an incomplete “Patcher mode”.\r\nThere are three algorithms used for string encryption – RC5; alphabet encryption like the one used in “mstcp32.sys”; and\r\nXOR with a pre-seeded random number generator. Decrypted strings are immediately encrypted back until the next usage\r\nto avoid in-memory detection.\r\nThe driver’s filename and device name differ across the samples. They depend on the name of the registry key that is used\r\nto start the driver.\r\nThe driver may operate in one of two independent modes – as a network sniffer or as a memory patcher. The mode of\r\noperation is selected on startup, based on the “Config2” value of the driver’s registry key. 
By default the driver starts in\r\n“sniffer mode”.\r\nSniffer mode\r\nThe sniffer code is similar to the one used in the drivers “tdip.sys” and “mstcp32.sys” and uses the NT4 NDIS-4 and XP NDIS-5\r\ninterfaces, targeting incoming traffic on Ethernet and VPN (ndiswanip) interfaces. It captures only directed packets\r\n(containing a destination address equal to the station address of the NIC). Packet-filtering engine rules may be set via\r\nDeviceIoControl messages. Filtered packets are stored in memory until requested. The maximum packet storage list length is\r\n128 items per filtering rule.\r\nPatcher mode\r\nAlmost broken, it does nothing interesting except, possibly, replacing the thread’s ServiceTable with an unchanged, clean copy\r\ntaken from the on-disk image of “ntoskrnl.exe”.\r\nSniffer-only IOCTLs:\r\n44038004 – add filtering rule\r\n44038008 – clear stored packet in specified filtering rules list\r\n4403800C – enable specified filtering rule\r\n44038010 – disable specified filtering rule\r\n44038014 – get stored packet from specified filtering rules list\r\n44038018 – process packet like the one received from the wire (filter and store)\r\n4403801C – set maximum rules list length\r\n44038020 – get maximum rules list length\r\n80000004 – enablePacketsFiltering\r\n80000008 – disablePacketsFiltering (PauseSniffer)\r\n800024B4 – send packet to the specified network interface\r\nCommon IOCTLs:\r\n80000028 – do nothing (broken/unused part)\r\n80000038 – set external object (broken/unused part)\r\n8000003C – get 4 dwords struct (broken/unused part)\r\n80000040 – copy 260 bytes from the request (broken/unused part)\r\n80000320 – set I/O port mapping (broken/unused part)\r\n80000324 – clear I/O port mapping (broken/unused part)\r\n80000328 – set external PnP Event (broken/unused part)\r\n80000640 – replace the specified thread’s SDT (ETHREAD.ServiceTable field) with a given copy\r\nBackdoor driven by network sniffer – “mstcp32.sys”, “fat32.sys”\r\nMD5s 
74DE13B5EA68B3DA24ADDC009F84BAEE\r\nB2C7339E87C932C491E34CDCD99FEB07\r\n311D4923909E07D5C703235D83BF4479\r\n21C278C88D8F6FAEA64250DF3BFFD7C6\r\nSize 57 328 – 57 760 bytes\r\nFormat PE32 Native\r\nCompiled\r\n2007.10.02 12:42:14 (GMT)\r\n2001.08.17 20:52:04 (GMT)\r\nVersion Info\r\nFileDescription: TCP/IP driver\r\nLegalCopyright: Copyright (C) Microsoft Corp. 1981-1999\r\nInternalName: mstcp32.sys\r\nThis is a sniffer tool similar to “tdip.sys” and it uses the NT4 NDIS-4 and XP NDIS-5 interfaces. It targets incoming traffic on\r\nEthernet and VPN (ndiswanip) interfaces, but instead of dumb packet dumping, it uses received packets as commands for\r\nthe “process injector” subsystem that is able to extract and execute code from specially crafted network packets.\r\nDefault filtering rules are stored in the “Options” registry value of the driver’s registry key. It captures only directed\r\npackets (containing a destination address equal to the station address of the NIC).\r\nThe driver’s filename and device name differ across the samples. 
They depend on the name of the registry key that is used\r\nto start the driver.\r\nCode Patcher\r\nThe driver patches OS code to dynamically disable or enable Windows audit logging.\r\nIt patches the function “LsapAdtWriteLog” in the “lsasrv.dll” module of the “lsass.exe” process.\r\nIt searches for pre-defined signatures of the function “LsapAdtWriteLog” of known Windows versions – 4.0, 5.0, 5.1, 5.2\r\n(NT4, Win2000, XP, WinSrv2003).\r\nThen it selects a corresponding offset to replace the opcodes:\r\n‘jz’ to never-taken ‘jo’ in the case of XP\r\njmp over the inner logic to the procedure epilog in the case of Windows Server 2003, so LsapAdtWriteLog skips logging of\r\naudit records\r\nThe module also patches “SepAdtLogAuditRecord” inside “ntoskrnl.exe” to “retn 4” instead of the first opcode of the\r\nfunction.\r\nThe disabled audit can be restored after a timeout or on-event by a dedicated thread.\r\nExpected IOCTL codes:\r\n80000004 – setFilteringRules\r\n80000008 – disablePacketsFiltering (PauseSniffer)\r\n80000028 – do nothing (possibly broken GetDriverName)\r\n80000038 – disable_audit\r\n8000003C – enable_audit\r\nCode Injector\r\nThe code-builder within this module facilitates exploitation by providing up to four predefined execution templates, which\r\nseem to be suitable for generating several code patterns.\r\nBelow is a list of the execution templates we found:\r\nlocate a DLL via the PEB structure and resolve exports\r\ncall a single function\r\ncall four functions\r\ncall six functions\r\nUsing these as a base for the templates, the code-builder inserts parameters and proper offsets to call one of the following\r\ncode patterns:\r\nLocate and call WinExec\r\nLocate and call LoadLibraryW, GetProcAddress, call exported procedure, FreeLibrary\r\nLocate and call LoadLibraryW, GetProcAddress, call GetModuleHandle, FreeLibrary\r\nLocate and call OpenProcess, VirtualAllocEx, 
WriteProcessMemory, CreateRemoteThread, VirtualFreeEx,\r\nCloseHandle\r\nThe code injection procedure allocates memory via ZwAllocateVirtualMemory in services.exe and copies the implanted code.\r\nAfter that it uses KeInsertQueueApc to let the code run and waits 30 seconds for the APC to complete.\r\nWhen the module starts, it reads the registry value [HKLM\\System\\CurrentControlSet\\Services\\%driver name%] Processes.\r\nThis value may contain a list of process names that should be started by the injected executable code, but only after\r\nservices.exe and winlogon.exe have been started. The injection of code into winlogon.exe and services.exe ensures that the\r\nnewly started process will have SYSTEM user privileges. During the injection stage Windows Audit Logging is fully\r\ndisabled to avoid leaving any suspicious records in the Windows Logs.\r\nMagic Packet Recognition\r\nAll incoming packets are first filtered by BPF-like rules. The filtering rules are located in the\r\n[HKLM\\System\\CurrentControlSet\\Services\\%driver name%] Options registry value or passed via the corresponding\r\nIOCTL. Packets that pass through the filter are added to the end of the processing queue.\r\nPackets from the queue must have valid checksum values. After checking that, the code XOR-decrypts additional data\r\nfrom the end of the packet. The decrypted end of the packet contains another control structure that defines which\r\nencryption algorithm is used to decipher the packet body. Supported algorithms include RC5 and RSA. There is a 1024-bit\r\nRSA public key hardcoded inside the module body, while a 96-bit RC5 key is generated dynamically.\r\nThe backdoor command may arrive in a single packet or be split into pieces and come in several packets. 
There is a\r\nprocedure for re-assembling the pieces: a multi-packet command is added to a special packet collector which puts all\r\nthe pieces together before passing it further.\r\nThe backdoor command is stored in the first byte of the decrypted request and can be one of the following values:\r\nCommand Byte  Short Name  Description\r\n0 StatusCheck Reply with encrypted DriverName, packet collector keys, “Processes” and “Params” registry values, names of processes for code injection (defaults are “services.exe” and “winlogon.exe”), list of unprocessed commands from the packet collector.\r\n1 Panic Disable packet filtering, securely delete the driver file, clear related registry keys, set the ClearPageFileAtShutdown flag, unbind adapters, delete devices and prepare for unloading. However, the driver cannot unload itself and it remains in memory until reboot, which means it can be detected via the DRIVER_OBJECT structure.\r\n2 CodeInject Injects the code implant received from the packet body.\r\n3 CallWinExec Disable Windows Audit and start a new process via standard code injection in Winlogon.exe.\r\n4 ResetCollector Drop all packets with a specific key from the packet collector.\r\n5 Unused or disabled\r\n6 GenerateRC5Key Generates the RC5 session key. The 96-bit RC5 key is generated by taking a SHA1 hash of the value from KeTickCount, XOR-encrypting it with the SHA1 hash of two PerformanceFrequency values, followed by nine more rounds of SHA1 hashing.\r\n7 SetRegProcesses Sets a new “Processes” registry value.\r\n8 DeleteRegProcesses Deletes the current “Processes” registry value.\r\n9 SetRegParams Sets a universal “Params” registry value which is used for storing any information, e.g. 
could be a unique victim marker or exploitation stage number.\r\na Unused or disabled\r\nb Ping Reply with a classic ICMP Echo Response packet.\r\nc ChangeInjectTarget Set new target injection processes (defaults are “Winlogon.exe” and “Services.exe”). Effective until reboot.\r\nNote: “mstcp32” is mentioned together with rootkit-like behavior in 2004 here:\r\nhttp://www.pcreview.co.uk/forums/mstcp32-t1445152.html\r\nNetwork Sniffer – tdip.sys\r\nMD5s\r\n20506375665a6a62f7d9dd22d1cc9870\r\n60dab5bb319281747c5863b44c5ac60d\r\nSize 22 448 – 28 800 bytes\r\nFormat PE32 Native\r\nCompiled\r\n2006.10.16 18:42:40 (GMT)\r\n2003.08.17 21:47:33 (GMT)\r\nSupports the following versions of Windows: NT4 using NDIS-4 and XP using NDIS-5. It doesn’t use Vista and later\r\nNDIS-6 features. However, later NDIS versions are backward-compatible, so the driver is still valid for current versions of\r\nWindows.\r\nVersion Info:\r\nFileDescription: IP Transport Driver\r\nLegalCopyright: © Microsoft Corporation. 
All rights reserved.\r\nFileVersion: 5.1.2600.2180\r\nInternalName: tdip.sys\r\nThis driver is a packet sniffer for incoming-only traffic on Ethernet and VPN (ndiswanip) interfaces or any used with\r\nms_pschedmp as an alternative connection.\r\nIt implements a BPF (Berkeley packet filter) style packet-filtering system that is configured from the driver’s registry\r\nconfiguration values or from DeviceIoControl messages.\r\nThe captured network packets may be written to disk in libpcap format (magic 0xA1B2C3D4, version 2.4) and encrypted\r\nwith a one-byte XOR, key 0xE3.\r\nThe driver’s configuration is stored in the registry key:\r\n[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\tdip]\r\nOptions – packet filtering rules in BPF format\r\nTag – selector of filtered packet types. Defaults in the case of MediumWan to\r\nNDIS_PACKET_TYPE_BROADCAST|NDIS_PACKET_TYPE_MULTICAST|NDIS_PACKET_TYPE_DIRECTED\r\n(or NDIS_PACKET_TYPE_BROADCAST|NDIS_PACKET_TYPE_DIRECTED in any other case)\r\nImageFile – full path name of the resulting pcap file\r\nDuration – used as the Length of the original packet in the dump file (default 0xffff)\r\nBackup – max size of the pcap file\r\nIOCTLs:\r\n0x80002004 getCurrentState\r\n0x80002008 setFilteringRules\r\n0x8000200C getFilteringRules\r\n0x80002024 getDumpFileSize\r\n0x80002010/0x80002014/0x80002018/0x8000201C pause/resume\r\n0x80002020 getVersion – returns 2.4.0\r\nThe driver has three logical parts, and uses an incomplete function pointer table as an interface:\r\n1. Business logic: filtering rules, packet dumping, device ioctl, options\r\n2. NDIS driver skeleton\r\n3. Primitives lib: strings, XORing, registry I/O\r\nThe code is of very good quality. It looks more complicated than Winpcap 2.3 (released 28 Mar 2002), but less so than\r\nWinpcap 3.0 (released by 10 Apr 2003). 
Interestingly, the driver identifies itself as “version 2.4” in the pcap file despite\r\nthere being no Winpcap version 2.4.\r\nKey/clipboard logger driver – msrtvd.sys\r\nMD5s\r\n98dea1bce37bf7087360e1958400589b\r\nbb8f56874189d5dfe9294f0553a49b83\r\nf6bf3ed3bcd466e5fd1cbaf6ba658716\r\nSize 31 488 – 36 736 bytes\r\nFormat PE32 Native\r\nCompiled\r\n2010.02.19 22:45:18 (GMT)\r\n2008.09.17 16:23:54 (GMT)\r\nVersion Info\r\nFileDescription: MSRTvd interface driver\r\nLegalCopyright: © Microsoft Corporation. All rights reserved.\r\nInternalName: msrtvd.sys\r\nThis is a keylogger and clipboard monitoring tool.\r\nOn startup, the driver creates a device named “\\Device\\Gk0” and a symbolic link named “\\DosDevices\\Gk“.\r\nThen it attaches to the csrss.exe process and disassembles user32.dll and ntdll.dll routines to obtain the win32k.sys and\r\nntoskrnl.exe SDT service indexes and the pointers of the needed Nt/Zw APIs.\r\nThen, using a built-in disassembler, it obtains pointers to NtUserPeekMessage, NtUserGetMessage and\r\nNtUserGetClipboardData, and using the disassembler again selects the parts of the code that will then be hooked by\r\nsplicing.\r\nThe interceptor routines are copied from a special PE section named “.msda”. 
These routines are able to collect key press\r\nchains and clipboard text data, and add information about the current Time, ProcessName, ForegroundWindowText, and\r\nUserName related to this event.\r\nA dedicated thread (“dumper”) gathers the collected data, compresses the results with LZO and appends them every 30 minutes to\r\nthe file “%system-wide TEMP%\\tm154o.da“.\r\nMost strings inside are encrypted by XOR with a pre-seeded random number generator.\r\nIOCTLs:\r\n0x22002C – start dumper thread\r\n0x220030 – stop dumper thread\r\n0x220034 – check if the driver has new data to dump\r\n0x220038 – set two external events signaled on dump data availability (it references a plugin possibility)\r\n0x22003C – restart dumper thread\r\n0x220040 – get size of available data\r\nCollector plugin for Volrec – msrstd.sys\r\nMD5s\r\n69e7943f3d48233de4a39a924c59ed2c\r\n15d39578460e878dd89e8911180494ff\r\nSize 13 696 – 17 408 bytes\r\nFormat PE32 Native\r\nCompiled\r\n2009.06.05 16:21:55 (GMT)\r\n2009.12.15 16:33:52 (GMT)\r\nVersion Info\r\nFileDescription: msrstd driver\r\nLegalCopyright: © Microsoft Corporation. All rights reserved.\r\nInternalName: msrstd.sys\r\nThis driver is a plugin that collects events from the “volrec.sys” driver and delivers them by sending DeviceIoControl\r\nmessages. It collects events about file and disk volume operations.\r\nOn startup the driver obtains a pointer to “\\Device\\volrec“, then creates a control device “\\Device\\msrstd0” and a\r\nsymbolic link to it named “\\DosDevices\\msrstd”.\r\nAll strings inside the driver are encrypted by XOR with a pre-seeded random number generator.\r\nFor file events the driver collects the filenames, and caches data about read and write operations. 
For disk volume events it\r\nqueries disk properties and reads the volume labels and disk serial numbers of removable drives (USB, FireWire drives).\r\nIOCTLs:\r\n0x220004 – turn on VolumeEvents collection\r\n0x220008 – turn off VolumeEvents collection\r\n0x22000C – retrieve previously stored VolumeEvent (operationType, deviceTypeFlags, VolumeLabel,\r\nvolumeSerialNumber, DosDriveLetter)\r\n0x220010 – turn on FileEvents collection\r\n0x220014 – turn off FileEvents collection\r\n0x220018 – retrieve previously stored FileEvent (fileName, deviceTypeFlags, VolumeLabel, volumeSerialNumber,\r\nDosDriveLetter)\r\n0x22001C – connect to Volrec.sys (send ioctl 0x220004), enable plugin operation\r\n0x220020 – disconnect from Volrec.sys (send ioctl 0x220008), disable plugin operation\r\nFilesystem filter driver – volrec.sys, scsi2mgr.sys\r\nMD5s\r\na6662b8ebca61ca09ce89e1e4f43665d\r\nc17e16a54916d3838f63d208ebab9879\r\nSize 14 464 – 14 848 bytes\r\nFormat PE32 Native\r\nCompiled\r\n2009.06.05 16:21:57 (GMT)\r\n2009.12.15 16:33:57 (GMT)\r\nVersion Info\r\nFileDescription: Volume recognizer driver\r\nLegalCopyright: © Microsoft Corporation. All rights reserved.\r\nInternalName: volrec.sys\r\nThis driver is a generic filesystem filter which feeds system events to user-mode plugins.\r\nOn startup the driver creates a control device named “\\Device\\volrec” and a symbolic link to it named\r\n“\\DosDevices\\volrec0”. It then attaches to all available filesystem devices. 
It is also able to handle removable storage\r\ndevices.\r\nAll strings inside the driver are encrypted by XOR with a pre-seeded random number generator.\r\nIOCTLs:\r\n0x220004 – setup plugin interface\r\n0x220008 – disable plugin calls\r\nThe driver handles the following system events:\r\nfile opened, created or closed\r\ndata is read from or written to a file\r\nnew volume is mounted or unmounted\r\nnew USB or FireWire device attached\r\nHDD/SSD operation helper driver – WIN32M.SYS\r\nMD5s\r\n2b444ac5209a8b4140dd6b747a996653\r\nb3487fdd1efd2d1ea1550fef5b749037\r\nSize 19 456 – 26 631 bytes\r\nFormat PE32 Native, PE32+ Native\r\nCompiled\r\n2001.08.23 17:03:19 (GMT)\r\n2013.05.14 15:58:36 (GMT)\r\nDescription This module will be the subject of a dedicated blogpost.\r\nHDD/SSD firmware operation – nls_933w.dll\r\nMD5s\r\n11fb08b9126cdb4668b3f5135cf7a6c5\r\n9f3f6f46c67d3fad2479963361cf118b\r\nSize 212 480 – 310 272 bytes\r\nFormat PE32 DLL, PE32+ DLL\r\nCompiled\r\n2010.06.15 16:23:37 (GMT)\r\n2013.05.14 16:12:35 (GMT)\r\nVersion Info (64-bit DLL only)\r\nFileDescription: Windows Networking Library\r\nLegalCopyright: Copyright (C) Microsoft Corp. 1981-2001\r\nFileVersion: 80AA\r\nInternalName: nls_933w.dll\r\nOriginalFilename: nls_933w.dll\r\nPrivateBuild: 4.0.1.0\r\nProductName: Microsoft(R) Windows (R) 2000 Operating System\r\nProductVersion: 5.0.2074.0\r\nFull Version: 1.0.0.1\r\nDescription\r\nThis (80AA) plugin is a HDD firmware flashing tool which includes an API and the ability to\r\nread/write arbitrary information into hidden sectors on the disk.\r\nThe plugin will be the subject of a separate blogpost.\r\nSource: https://securelist.com/inside-the-equationdrug-espionage-platform/69203/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/inside-the-equationdrug-espionage-platform/69203/"
	],
	"report_names": [
		"69203"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "08623296-52be-4977-8622-50efda44e9cc",
			"created_at": "2023-01-06T13:46:38.549387Z",
			"updated_at": "2026-04-10T02:00:03.020003Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"Tilded Team",
				"EQGRP",
				"G0020"
			],
			"source_name": "MISPGALAXY:Equation Group",
			"tools": [
				"TripleFantasy",
				"GrayFish",
				"EquationLaser",
				"EquationDrug",
				"DoubleFantasy"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2d9fbbd7-e4c3-40e5-b751-27af27c8610b",
			"created_at": "2024-05-01T02:03:08.144214Z",
			"updated_at": "2026-04-10T02:00:03.674763Z",
			"deleted_at": null,
			"main_name": "PLATINUM COLONY",
			"aliases": [
				"Equation Group "
			],
			"source_name": "Secureworks:PLATINUM COLONY",
			"tools": [
				"DoubleFantasy",
				"EquationDrug",
				"EquationLaser",
				"Fanny",
				"GrayFish",
				"TripleFantasy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e0fed6e6-a593-4041-80ef-694261825937",
			"created_at": "2022-10-25T16:07:23.593572Z",
			"updated_at": "2026-04-10T02:00:04.680752Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"APT-C-40",
				"G0020",
				"Platinum Colony",
				"Tilded Team"
			],
			"source_name": "ETDA:Equation Group",
			"tools": [
				"Bvp47",
				"DEMENTIAWHEEL",
				"DOUBLEFANTASY",
				"DanderSpritz",
				"DarkPulsar",
				"DoubleFantasy",
				"DoubleFeature",
				"DoublePulsar",
				"Duqu",
				"EQUATIONDRUG",
				"EQUATIONLASER",
				"EQUESTRE",
				"Flamer",
				"GRAYFISH",
				"GROK",
				"OddJob",
				"Plexor",
				"Prax",
				"Regin",
				"Skywiper",
				"TRIPLEFANTASY",
				"Tilded",
				"UNITEDRAKE",
				"WarriorPride",
				"sKyWIper"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434359,
	"ts_updated_at": 1775826758,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9589e17e014f540c522ec848ceb3479f91a3e530.pdf",
		"text": "https://archive.orkl.eu/9589e17e014f540c522ec848ceb3479f91a3e530.txt",
		"img": "https://archive.orkl.eu/9589e17e014f540c522ec848ceb3479f91a3e530.jpg"
	}
}