# Inside the EquationDrug Espionage Platform

## Introduction

EquationDrug is one of the main espionage platforms used by the Equation Group[[1]], a highly sophisticated threat actor that has been engaged in multiple CNE (computer network exploitation) operations dating back to 2001, and perhaps as early as 1996. (See the full report here [PDF][[2]].) EquationDrug, which is still in use, dates back to 2003, although the more modern GrayFish platform is being pushed to new victims.

It's important to note that EquationDrug is not just a Trojan, but a full espionage platform, which includes a framework for conducting cyberespionage activities by deploying specific modules on the machines of selected victims. The concept of a cyberespionage platform is neither new nor unique. Other threat actors known to use such sophisticated platforms include Regin[[4]] and Epic Turla[[5]].

The EquationDrug platform can be extended through plugins (or modules). It is pre-built with a default set of plugins supporting a number of basic cyberespionage functions. These include common features such as file collection and the making of screenshots. Sophistication is added by storing stolen data inside a custom-encrypted virtual file system before it is sent to the command and control servers.

The name "EquationDrug" or "Equestre" was assigned to this framework by Kaspersky Lab researchers. The only reference left by the framework developers was a short string "UR", as seen in several string artifacts left in the binaries.

## Platform Architecture

The EquationDrug platform includes dozens of executables, configurations and protected storage locations. Putting all the pieces of this puzzle together in the right order may take time for those who are not familiar with the platform.
1 of 30 03/22/2015 10:21 PM

The architecture of the whole framework resembles a mini-operating system with kernel-mode and user-mode components carefully interacting with each other via a custom message-passing interface. The platform includes a set of drivers, a platform core (orchestrator) and a number of plugins. Every plugin has a unique ID and version number that defines a set of functions it can provide. Some of the plugins depend on others and might not work unless dependencies are resolved.

[7] [8]

Text strings left in the binaries include the following:

- To install: run with no arguments
- Attempting to drop
- SFCriteria_Check failed!
- SFDriver
- Error detected! Uninstalling...
- Timeout waiting for the "canInstallNow" event from the implant-specific EXE!
- Trying to call privilege lib...
- Hiding directory
- Hiding plugin...
- Merging plugin...
- Merging old plugin key...
- Couldn't reset canInstallNowEvent!
- Performing UR-specific pre-install...
- Work complete.
- Merged transport manager state.
- !!SFConfig!!

Some other names, such as kernel object and file names, abbreviations, resource code page and several generic messages, point to English-speaking developers. Due to the limited number of such text strings it's hard to tell reliably if the developers were native English speakers.

## Link Timestamp Analysis

We have gathered a reasonably large number of executable samples to which we have been able to apply link timestamp analysis. A link timestamp is a 4-byte value stored in an executable file header. This value is automatically set by compiler software when a developer builds a new executable. The value contains a detailed timestamp including minutes and even seconds of compilation time (think of it as the file's moment of birth).
[13]

Link timestamp analysis requires collecting the timestamps of all available executables, grouping them according to certain criteria, such as the hour or day of the week, and putting them on a chart. Below are some charts built using this approach.

[14]

[15] [16]

Can we trust this information? The answer is: not fully, because the link timestamp can be altered by the developer in a way that's not always possible to spot. However, certain indicators, such as the year on the timestamp matching the support of technology popular in that year, lead us to believe that the timestamps were, at the very least, not wholly replaced. Looking at this from the other side, the easiest option for the developer is to wipe the timestamp completely, replacing it with zeroes. This was not found in the case of EquationDrug. In fact, the timestamps look very realistic and match the working days and hours of a well-organized software developer from timezone UTC-3 or UTC-4, if you assume that they come to work at 8 or 9 am.
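As an added illustration of the method described above (this is not Kaspersky's tooling, nor code from the samples), the script below reads the link timestamp out of a PE header and scores candidate UTC offsets by how many builds fall into office hours, which is the reasoning behind the UTC-3/UTC-4 estimate. The PE header and build times it uses are constructed, and the 08:00-18:00 working window is an assumption.

```python
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

WORK_START, WORK_END = 8, 18   # assumed working window (hours, end exclusive)


def link_timestamp(image: bytes) -> int:
    """Return IMAGE_FILE_HEADER.TimeDateStamp (seconds since 1970-01-01 UTC).

    e_lfanew at 0x3C points to the 'PE\\0\\0' signature; the file header that
    follows holds Machine (2 bytes), NumberOfSections (2), TimeDateStamp (4).
    """
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return struct.unpack_from("<I", image, e_lfanew + 8)[0]


def make_fake_pe(ts: int) -> bytes:
    """Constructed minimal MZ/PE header (not a real binary) for offline tests."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, 0xE0, 0x102)
    return bytes(dos) + b"PE\0\0" + file_hdr


def utc_epoch(year, month, day, hour=0, minute=0) -> int:
    """Build UTC epoch seconds for constructed sample build times."""
    return int(datetime(year, month, day, hour, minute,
                        tzinfo=timezone.utc).timestamp())


def local_weekday_hour(ts: int, utc_offset_hours: int):
    """Shift a timestamp into a candidate developer timezone and return
    (weekday, hour) with weekday 0 = Monday."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    local = datetime.fromtimestamp(ts, tz)
    return local.weekday(), local.hour


def is_working_time(ts: int, utc_offset_hours: int) -> bool:
    weekday, hour = local_weekday_hour(ts, utc_offset_hours)
    return weekday < 5 and WORK_START <= hour < WORK_END


def histogram(timestamps, utc_offset_hours) -> Counter:
    """(weekday, hour) -> build count: the data behind charts like the ones above."""
    return Counter(local_weekday_hour(t, utc_offset_hours) for t in timestamps)


def working_hours_ratio(timestamps, utc_offset_hours) -> float:
    """Fraction of builds that land Mon-Fri inside the working window."""
    live = [t for t in timestamps if t != 0]   # a wiped (zero) stamp carries no info
    if not live:
        return 0.0
    return sum(is_working_time(t, utc_offset_hours) for t in live) / len(live)


def rank_offsets(timestamps):
    """Every whole-hour UTC offset scored by working_hours_ratio, best first;
    ties are broken toward the smaller absolute offset."""
    scored = [(working_hours_ratio(timestamps, off), off)
              for off in range(-12, 15)]
    return sorted(scored, key=lambda p: (-p[0], abs(p[1])))


if __name__ == "__main__":
    # Constructed sample: two weekday builds at 12:00 and 21:00 UTC, which
    # only both look like office hours (08:00 and 17:00) at UTC-4.
    samples = [utc_epoch(2012, 4, 3, 12), utc_epoch(2012, 4, 3, 21)]
    print("TimeDateStamp:", link_timestamp(make_fake_pe(samples[0])))
    for ratio, off in rank_offsets(samples)[:3]:
        print(f"UTC{off:+d}: {ratio:.0%} of builds in working hours")
```

With a real corpus, feed `link_timestamp()` the bytes of each sample and pass the resulting list to `rank_offsets()`; a zero stamp is skipped rather than counted as an out-of-hours build.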
And finally, in case you are wondering if the developers work on public holidays, you can check this for yourself against the full list of their working dates (grouped by year):

- 2001.08.17 2001.08.23
- 2003.08.16 2003.08.17
- 2005.03.16 2005.09.08
- 2006.06.15 2006.09.18 2006.10.04 2006.10.16
- 2007.07.12 2007.10.02 2007.10.16 2007.12.10 2007.12.11 2007.12.17
- 2008.01.01 2008.01.23 2008.01.24 2008.01.29 2008.01.30 2008.04.24 2008.05.07 2008.05.09 2008.06.17 2008.09.17 2008.09.24 2008.12.05
- 2009.04.16 2009.06.05 2009.12.15
- 2010.01.22 2010.02.19 2010.02.22 2010.03.27 2010.06.15
- 2011.02.09 2011.02.23 2011.08.08 2011.08.30 2011.09.02 2011.10.04 2011.10.20 2011.10.26
- 2012.03.06 2012.03.22 2012.04.03 2012.04.04 2012.04.05 2012.04.12 2012.07.02 2012.07.09 2012.07.17 2012.08.02 2012.08.03 2012.08.14 2012.08.31 2012.09.28 2012.10.23 2012.11.02 2012.11.06
- 2013.01.08 2013.02.07 2013.02.21 2013.02.22 2013.02.27 2013.04.16 2013.05.08 2013.05.14 2013.05.24 2013.06.11 2013.06.26 2013.08.09 2013.08.28 2013.10.16 2013.11.04 2013.11.26 2013.12.04 2013.12.05 2013.12.13

## Conclusions

EquationDrug represents the main espionage platform from the Equation Group. It's been in use for over 10 years, replacing EquationLaser until it was replaced itself by the even more sophisticated GrayFish platform.

The EquationDrug case demonstrates an interesting trend that we have been seeing while analyzing supposedly nation-state cyberattack tools: a growth in code sophistication. It is clear that nation-state attackers are looking for better stability, invisibility, reliability and universality in their cyberespionage tools. You can make a basic browser password-stealer or a sniffer within days.
However, nation-states are focused on creating frameworks for wrapping such code into something that can be customized on live systems and provide a reliable way to store all components and data in encrypted form, inaccessible to normal users. While traditional cybercriminals mass-distribute emails with malicious attachments or infect websites on a large scale, nation-states create automatic systems infecting only selected users. While traditional cybercriminals typically reuse one malicious file for all victims, nation-states prepare malware unique to each victim and even implement restrictions preventing decryption and execution outside of the target computer.

Sophistication of the framework is what makes this type of actor different from traditional cybercriminals, who prefer to focus on payload and malware capabilities such as implementing a long list of custom third-party software credential database parsers.

The difference in tactics between cybercriminals and nation-state attackers appears to be due to relative resource availability. It's known that cybercriminals attempt to infect as many users as possible and that they can sometimes compromise hundreds of thousands of systems. It would take many years to check all those machines manually, analyzing who owns them, what data is stored on them, and what custom software they run. Cybercriminals probably don't even have enough disk space to collect all the potentially interesting data from the victims hit by their large-scale infections. That is why cybercriminals prefer to extract tiny chunks of the most important data (credentials, credit card numbers, etc.) on the machine of the victim and transfer only a few kilobytes from each compromised host. Such data, when combined from all users, normally takes up gigabytes of disk space.
Nation-state attackers have sufficient resources to store as much data as they want. They have access to virtually unlimited data storage. However, they don't need, and often try to avoid, infecting random users, for the obvious reason of avoiding attention and remaining invisible. Implementing custom data format parsers in the malware not only doesn't help them find all the valuable data on the victim's machine, but may also attract extra attention from security software running on the system. They mostly prefer to have a generic remote system management tool that can copy any information they might need even if it causes some redundancy. However, copying large volumes of information might slow down the network connection and attract attention, especially in some countries with poorly developed internet infrastructure. To date, nation-state attackers have had to balance between these two poles: copying victims' entire hard drives while stealing only tiny bits of passwords and keys.

Now, if you wonder why EquationDrug, a powerful cyberespionage platform, doesn't provide all its stealing capabilities as standard in its malware core, the answer is that they prefer to customize the attack for each one of their victims. Only if they have chosen to actively monitor you, and the security products on your machines have been disarmed, will you receive a plugin for the live tracking of your conversations or other specific functions related to your activities. We believe modularity and customization will become a unique trademark of nation-state attackers in the future.

Some code paths in EquationDrug modules lead to OS version checks including a test for Windows 95, which is accepted as one of the supported platforms.
While some other checks will not pass on Windows 95, the presence of this code means that this OS was supported in some earlier variants of the malware. Considering this and the existence of components designed to run on Windows 9x (such as VXD files), as well as compilation timestamps dating back to the early 2000s, the hypothesis that these attackers have been active since the 90s seems realistic. This makes the current attacker an outstanding actor operating longer than any other in the field.

## Technical Details

### Kernel mode stage 0 (Windows 9x) - mssvc32.vxd

- **MD5** 0a5e9b15014733ee7685d8c8be81fb0d
- **Size** 6 710 bytes
- **Format** Linear Executable (LE)

This VXD driver handles only two control messages: W32_DeviceIoControl and Dynamic_Init. The DeviceIoControl part is not completely implemented: the driver is only able to check for some known control codes, but it does nothing with them. This handler looks more like a code stub than actual payload.

On the Dynamic_Init event, the driver retrieves the location of the user-mode loader executable from the following registry value:

_[HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\MemSubSys] Config_

If the value is not present in the registry, it uses the following fallback string hardcoded in the binary:

**C:\WINDOWS\SYSTEM\SVCHOST32.EXE**

Next, it installs a callback procedure using the Windows function `_SHELL_CallAtAppyTime`. This procedure will be called when the CPU is running in ring 3, so that a new executable (the loader process) can be started in the traditional way. This is a standard trick that was used by developers in the 90s to initiate a call to a DLL export in ring 3 from ring 0 in the Windows 9x OS family.
### Kernel mode stage 0 and rootkit (Windows 2000 and above) - msndsrv.sys

- **MD5** c4f8671c1f00dab30f5f88d684af1927
- **Size** 105 392 bytes

configuration block. However, data from the next location can override all previous settings. This is a registry value with a special name. The naming of the registry location is the same GUID-like SHA1 value as the one used in the loader ("mscfg32.exe"), and is produced from the source string "Configuration":

_[HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\MemSubSys] {42E14DD3-F07A-78F1-7659-26AE141569AC-E0B3EE89}_

The configuration block stored in the registry value is encrypted using RC5 with a 1024-bit key. Both the loader and the orchestrator share the same key for encrypting and decrypting the registry values in the "MemSubSys" key. The decrypted configuration block consists of a series of tagged configuration records in the following format:

**[RecordType:DWORD][RecordSize:DWORD][RecordValue:%RecordSize%]**

We retrieved a copy of a configuration block and decrypted and partly interpreted it. We are including the results for one of the configuration blocks:

**Time value: 1 year 0 months 1 days 22 hours 6 mins 52 secs.** The orchestrator is expected to set this field to the time of initial configuration.
- **Binaries: 3x1024-bit encryption keys**
- **C&C domain: www[dot]waeservices[dot]com**
- **C&C IP address: 213.198.79.49**
- **C&C port: 443**
- **Timestamp: 2010-12-08 11:35:57**
- **Tool Reference: VTT/82055898/STEALTHFIGHTER/2008-10-16/14:59:06.229-04:00**
- **TimeoutA: 25200 sec (7 hours)**
- **TimeoutB: 32400 sec (9 hours)**
- **TimeoutC: 3600 sec (1 hour)**

We collected and decrypted several samples of such values. According to the code, they are initialized with values in the Microsoft filetime format.
So, we decided to interpret them as filetime values:

- 20101C04EC2C17B: 1 year(s) 7 month(s) 21 day(s) 23 hour(s) 32 min(s) 1 sec(s)
- 81E01C04EC2C17B: 1 year(s) 7 month(s) 8 day(s) 12 hour(s) 13 min(s) 5 sec(s)
- E0001C04EC2C17B: 1 year(s) 7 month(s) 21 day(s) 1 hour(s) 6 min(s) 15 sec(s)
- 77101C04EC2C17B: 1 year(s) 5 month(s) 20 day(s) 19 hour(s) 15 min(s) 4 sec(s)
- 30F01C04EC2C17B: 1 year(s) 8 month(s) 0 day(s) 6 hour(s) 10 min(s) 33 sec(s)
- C0901C04EC2C17B: 1 year(s) 8 month(s) 2 day(s) 6 hour(s) 29 min(s) 39 sec(s)
- 66701C04EC2C17B: 1 year(s) 6 month(s) 9 day(s) 2 hour(s) 10 min(s) 23 sec(s)
- F6501C04EC2C17B: 1 year(s) 6 month(s) 6 day(s) 19 hour(s) 53 min(s) 22 sec(s)
- 01401C04EC2C17B: 1 year(s) 6 month(s) 25 day(s) 23 hour(s) 34 min(s) 13 sec(s)

After that, the module stores the current time values in encrypted form in the registry value:

_[HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\MemSubSys] {08DAB849-0E1E-A1F0-DCF1-457081E091DB-117DB663}_ (encoded SHA1 of "StartTime")

The module contains an additional compressed Windows DLL file in the resource section, which is extracted as "unilay.dll" (see below). This DLL exports a number of functions that are just wrappers of the system API used to work with files and the registry, and also to start processes and load additional DLL files.

The orchestrator contains several built-in plugins that form the core of the platform. These are initialized first, and then additional plugins are loaded. All the plugins are indexed in a single encrypted registry value:

_[HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\MemSubSys] 1_

This value has information about all the components of the current kit. It may include Unicode strings with paths to extra DLLs which serve as plugins. Each DLL exports at least four functions which are imported by ordinal numbers from 1 to 4.
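To make the two on-disk layouts in this post concrete, here is an added Python parser (not code from the orchestrator or from Kaspersky) for the decrypted, tagged configuration records, [RecordType:DWORD][RecordSize:DWORD][RecordValue], and for the plugin index held in value "1", [Count:DWORD]{[Plugin Id:WORD][Plugin Path Length:DWORD][Plugin Path String]}. It assumes little-endian fields and that the path length counts bytes of a UTF-16LE string; the record type tags, the placeholder C&C name and the plugin paths in the sample data are constructed, and only the layouts and the timeout value come from the post.

```python
import struct
from typing import List, Tuple

# Assumption: every integer field is little-endian, matching Win32 DWORD/WORD.


class MalformedBlock(ValueError):
    """Raised when a size or count field runs past the end of the blob."""


def parse_config_records(blob: bytes) -> List[Tuple[int, bytes]]:
    """Walk [RecordType:DWORD][RecordSize:DWORD][RecordValue:RecordSize]
    records back to back until the blob is exhausted.

    Bounds are checked before every slice so that a corrupted or wrongly
    decrypted block (bad RC5 key) raises instead of silently misparsing.
    """
    records = []
    off = 0
    while off < len(blob):
        if off + 8 > len(blob):
            raise MalformedBlock(f"truncated record header at offset {off}")
        rtype, rsize = struct.unpack_from("<II", blob, off)
        off += 8
        if off + rsize > len(blob):
            raise MalformedBlock(f"record {rtype:#x} claims {rsize} bytes, "
                                 f"only {len(blob) - off} left")
        records.append((rtype, blob[off:off + rsize]))
        off += rsize
    return records


def build_config_records(records) -> bytes:
    """Inverse of parse_config_records; used only to build constructed input."""
    return b"".join(struct.pack("<II", t, len(v)) + v for t, v in records)


def parse_plugin_index(blob: bytes) -> List[Tuple[int, str]]:
    """Parse value "1": [Count:DWORD]{[Plugin Id:WORD][Path Length:DWORD][Path]}.

    Assumption: the length counts bytes of a UTF-16LE path, and a built-in
    plugin (no DLL on disk) is carried with a zero-length path.
    """
    if len(blob) < 4:
        raise MalformedBlock("missing plugin count")
    (count,) = struct.unpack_from("<I", blob, 0)
    off = 4
    plugins = []
    for _ in range(count):
        if off + 6 > len(blob):
            raise MalformedBlock(f"truncated plugin entry at offset {off}")
        plugin_id, path_len = struct.unpack_from("<HI", blob, off)
        off += 6
        if off + path_len > len(blob):
            raise MalformedBlock(f"plugin {plugin_id:#06x} path overruns blob")
        plugins.append((plugin_id, blob[off:off + path_len].decode("utf-16-le")))
        off += path_len
    return plugins


def build_plugin_index(plugins) -> bytes:
    """Inverse of parse_plugin_index; used only to build constructed input."""
    out = struct.pack("<I", len(plugins))
    for plugin_id, path in plugins:
        raw = path.encode("utf-16-le")
        out += struct.pack("<HI", plugin_id, len(raw)) + raw
    return out


def decode_dword_seconds(value: bytes) -> int:
    """Interpret a 4-byte record value, like the TimeoutA/B/C fields, as seconds."""
    if len(value) != 4:
        raise MalformedBlock("timeout record is not a DWORD")
    return struct.unpack("<I", value)[0]


# Constructed sample data. The tags 0x10/0x11/0x12 and the host name are
# invented placeholders; 25200 is the TimeoutA value quoted in the post.
SAMPLE_CONFIG = build_config_records([
    (0x10, b"cc.example.invalid\0"),
    (0x11, struct.pack("<H", 443)),
    (0x12, struct.pack("<I", 25200)),          # TimeoutA: 7 hours
])
SAMPLE_INDEX = build_plugin_index([
    (0x8000, ""),                                # built-in core, no DLL path
    (0x8002, r"C:\WINDOWS\system32\wshcom.dll"),  # constructed path
])
```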
The structure of the registry value "1":

**[Count:DWORD]{ [Plugin Id:WORD][Plugin Path Length:DWORD][Plugin Path String:VARIABLE] }**

Plugins interact with each other and with the orchestrator by exchanging messages of a pre-defined format. The message transport is implemented as a global object that contains four communication streams. Every stream contains a pair of kernel synchronization object handles (a semaphore with a fixed maximum value defaulting to 1000, and a mutex) and a message queue as an array. A dedicated thread processes messages that appear in the message queues. A message arrives in a parcel, represented as two DWORD values that contain the size of the message and a pointer to the message data. The message data starts with a DWORD identifying the class of message (a request, reply, etc).

The orchestrator contains the following built-in plugins (listed by internal ID): 8000, 8022, 8024, 803C, 8046, 800A, 8042, 8002, 8004, 8006, 8008, 8070, 808E. Several additional built-in modules have been discovered in newer versions of the orchestrator that were shipped with the GrayFish platform.

## EquationDrug Plugins:

| Plugin ID | File name | Description |
|---|---|---|
| 8000 | _Built-in_ | Core, basic API for other modules |
| 8002 | wshcom.dll | C&C communication using Windows sockets |
| 8004 | _Built-in_ | Additional message queue |
| 8006 | _Built-in_ | Memory allocation / storage |
| 8008 | vnetapi32.dll | C&C communication code based on DoubleFantasy, using WinInet API |
| 800A | _Built-in_ | C&C communication orchestrator |
| 800C | perfcom.dll | HTTP communication |
| 8022 | khlp680w.dll | System API: execute processes, load libraries, manipulate files and directories |
| 8024 | cmib158w.dll | Collects system information: OS version, computer name, user name, locale, keyboard layout, timezone, process lists |
| 8034 | cmib456w.dll | Management of the VFS backed by encrypted ".FON" files in the "Fonts\Extension" directory. Provides encryption using RC5 for these files |
| 803E | nls_874w.dll | Network sniffer |
| 803C | _Built-in_ | Communication with the NDIS filter part of "msndsrv.sys" |
| 8040 | khlp807w.dll | Network exploration API, share enumeration and access |
| 8042 | _Built-in_ | Compression library based on Nrv2d / UCL |
| 8046 | _Built-in_ | Communication with the rootkit part of "msndsrv.sys" |
| 8048 | mstkpr.dll | Disk forensics and direct NTFS reader based on sources of SleuthKit |
| 8050 | khlp760w.dll | Additional encryption facilities for the file-backed VFS |
| 8058 | khlp733w.dll | Collects local system information, WMI information, cached passwords |
| 8070 | khlp747w.dll | Enumerates processes and system objects |
| 807A | mscoreep32.dll | Plugins for monitoring Internet Explorer and Mozilla browser activities |
| 808A | khlp866w.dll | Compression library based on Zlib |
| 808E | _Built-in_ | Reverse (PTR record) DNS resolver |
| 8094 | _Built-in_ | In-memory storage |

The driver's filename and device name differ across the samples. They depend on the name of the registry key that is used to start the driver. The driver may operate in one of two independent modes: as a network sniffer or as a memory patcher. The mode of operation is selected on startup, based on the "Config2" value of the driver's registry key. By default the driver starts in "sniffer mode".

### Sniffer mode

The sniffer code is similar to the one used in the drivers "tdip.sys" and "mstcp32.sys" and uses the NT4 NDIS 4 and XP NDIS 5 interfaces, targeting incoming traffic on Ethernet and VPN (ndiswanip) interfaces. It captures only directed packets (containing a destination address equal to the station address of the NIC). Packet-filtering engine rules may be set via DeviceIoControl messages. Filtered packets are stored in memory until requested. The maximum packet storage list length is 128 items per filtering rule.
### Patcher mode

Almost broken, it does nothing interesting except, possibly, replace the thread's ServiceTable with an unchanged, clean copy taken from the on-disk image of "ntoskrnl.exe".

**Sniffer-only IOCTLs:**

- 44038004 - add filtering rule
- 44038008 - clear stored packets in the specified filtering rule's list
- 4403800C - enable the specified filtering rule
- 44038010 - disable the specified filtering rule
- 44038014 - get a stored packet from the specified filtering rule's list
- 44038018 - process a packet as if it were received from the wire (filter and store)
- 4403801C - set maximum rules list length
- 44038020 - get maximum rules list length
- 80000004 - enablePacketsFiltering
- 80000008 - disablePacketsFiltering (PauseSniffer)
- 800024B4 - send packet to the specified network interface

**Common IOCTLs:**

- 80000028 - do nothing (broken/unused part)
- 80000038 - set external object (broken/unused part)
- 8000003C - get 4-DWORD struct (broken/unused part)
- 80000040 - copy 260 bytes from the request (broken/unused part)
- 80000320 - set I/O port mapping (broken/unused part)
- 80000324 - clear I/O port mapping (broken/unused part)
- 80000328 - set external PnP event (broken/unused part)
- 80000640 - replace the specified thread's SDT (ETHREAD.ServiceTable field) with a given copy

All incoming packets are first filtered by BPF-like rules. The filtering rules are located in the _[HKLM\System\CurrentControlSet\Services\%driver name%] Options_ registry value or passed via the corresponding IOCTL. Packets that pass through the filter are added to the end of the processing queue. Packets from the queue must have valid checksum values. After checking that, the code XOR-decrypts additional data from the end of the packet. The decrypted end of the packet contains another control structure that defines which encryption algorithm is used to decipher the packet body. Supported algorithms include RC5 and RSA.
There is a 1024-bit RSA public key hardcoded inside the module body, while a 96-bit RC5 key is generated dynamically. The backdoor command may arrive in a single packet or be split into pieces and come in several packets. There is a procedure for re-assembling the pieces: a multi-packet command is added to a special packet collector which puts all the pieces together before passing it further.

**The backdoor command is stored in the first byte of the decrypted request and can be one of the following values:**

| Command Byte | Short Name | Description |
|---|---|---|
| 0 | StatusCheck | Reply with encrypted DriverName, packet collector keys, "Processes" and "Params" registry values, names of processes for code injection (defaults are "services.exe" and "winlogon.exe"), list of unprocessed commands from packet collector. |
| 1 | Panic | Disable packet filtering, securely delete driver file, clear related registry keys, set ClearPageFileAtShutdown flag, unbind adapters, delete devices and prepare for unloading. However, the driver cannot unload itself and it remains in memory until reboot, which means it can be detected via the DRIVER_OBJECT structure. |
| 2 | CodeInject | Injects code implant received from packet body. |
| 3 | CallWinExec | Disable Windows Audit and start new process via standard code injection in Winlogon.exe. |
| 4 | ResetCollector | Drop all packets with specific key from packet collector. |
| 5 | | Unused or disabled |
| 6 | GenerateRC5Key | Generates RC5 session key. The 96-bit RC5 key is generated by taking a SHA1 hash of the value from KeTickCount, XOR-encrypting it with a SHA1 hash of two PerformanceFrequency values, followed by nine more additional rounds of SHA1 hashing. |
| 7 | SetRegProcesses | Sets new "Processes" registry value. |
| 8 | DeleteRegProcesses | Deletes current "Processes" registry value. |
| 9 | SetRegParams | Sets a universal "Params" registry value which is used for storing any information, i.e. it could be a unique victim marker or exploitation stage. |

**Description** This (80AA) plugin is an HDD firmware flashing tool which includes an API and the ability to read/write arbitrary information into hidden sectors on the disk. The plugin will be the subject of a separate blogpost.

1. http://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/
2. https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf
3. https://twitter.com/share?url=http%3A%2F%2Fsecurelist.com%2Fblog%2Fresearch%2F69203%2Finside-the-equationdrug-espionage-platform%2F&text=EquationDrug+represents+the+main+espionage+platform+from+the+%23EquationAPT+Group
4. http://securelist.com/blog/research/67741/regin-nation-state-ownage-of-gsm-networks/
5. http://securelist.com/analysis/publications/65545/the-epic-turla-operation/
6. https://twitter.com/share?url=http%3A%2F%2Fsecurelist.com%2Fblog%2Fresearch%2F69203%2Finside-the-equationdrug-espionage-platform%2F&text=The+platform+includes+executables%2C+configurations+and+protected+storage+locations+%23EquationAPT
7. http://cdn.securelist.com/files/2015/03/EquationDrug_1.jpg
8. http://cdn.securelist.com/files/2015/03/EquationDrug_1.jpg
9. https://twitter.com/share?url=http%3A%2F%2Fsecurelist.com%2Fblog%2Fresearch%2F69203%2Finside-the-equationdrug-espionage-platform%2F&text=The+hypothesis+that+these+attackers+have+been+active+since+the+90s+seems+realistic+%23EquationAPT
10. https://twitter.com/share?url=http%3A%2F%2Fsecurelist.com%2Fblog%2Fresearch%2F69203%2Finside-the-equationdrug-espionage-platform%2F&text=86+modules+have+yet+to+be+discovered+%23EquationAPT
11. http://cdn.securelist.com/files/2015/03/EquationDrug_2.jpg
12. http://cdn.securelist.com/files/2015/03/EquationDrug_2.jpg
13. http://cdn.securelist.com/files/2015/03/EquationDrug_3.jpg
14. http://cdn.securelist.com/files/2015/03/EquationDrug_4.jpg
15. http://cdn.securelist.com/files/2015/03/EquationDrug_4.jpg
16. http://cdn.securelist.com/files/2015/03/EquationDrug_5_1.jpg
17. https://twitter.com/share?url=http%3A%2F%2Fsecurelist.com%2Fblog%2Fresearch%2F69203%2Finside-the-equationdrug-espionage-platform%2F&text=The+timestamps+match+the+working+days+of+software+developer+from+timezone+UTC-3+or+UTC-4+%23EquationAPT
18. https://twitter.com/share?url=http%3A%2F%2Fsecurelist.com%2Fblog%2Fresearch%2F69203%2Finside-the-equationdrug-espionage-platform%2F&text=The+EquationDrug+case+demonstrates+an+interesting+trend%3A+a+growth+in+code+sophistication+%23EquationAPT
19. https://twitter.com/share?url=http%3A%2F%2Fsecurelist.com%2Fblog%2Fresearch%2F69203%2Finside-the-equationdrug-espionage-platform%2F&text=Nation-state+attackers+create+automatic+systems+infecting+only+selected+users+%23EquationAPT
20. https://twitter.com/share?url=http%3A%2F%2Fsecurelist.com%2Fblog%2Fresearch%2F69203%2Finside-the-equationdrug-espionage-platform%2F&text=Nation-state+attackers+use+a+remote+system+management+tool+that+can+copy+any+information+they+need+%23EquationAPT
21. http://www.pcreview.co.uk/forums/mstcp32-t1445152.html