Mother of all spywares... infecting you since 1996


It is being described as the mother of all spyware: buried deep inside hard disks and USB sticks, untraceable, and able to survive even root-level reformatting.

Welcome to the new connected world. According to the Moscow-based Kaspersky Lab, the creator of the spyware is the Equation Group, which has links to Stuxnet and works together with the NSA, the US agency responsible for collecting intelligence.

According to Kaspersky, the Equation Group is probably one of the most sophisticated cyberattack groups in the world and has been busy infecting thousands, or perhaps even tens of thousands, of victims throughout the world.

“For several years, our research team has been closely monitoring more than 60 advanced threat actors responsible for cyber-attacks worldwide. The team has seen nearly everything, with attacks becoming increasingly complex as more nation-states got involved and tried to arm themselves with the most advanced tools. However, only now Kaspersky Lab’s experts can confirm they have discovered a threat actor that surpasses anything known in terms of complexity and sophistication of techniques, and that has been active for almost two decades – The Equation Group,” it said in a note.

Some of the victims include government and diplomatic institutions, telecoms, aerospace, energy, nuclear research, oil and gas, military, mass media, financial institutions and even companies developing encryption technologies.

“Perhaps the most powerful tool in the Equation group's arsenal is a mysterious module known only by a cryptic name: "nls_933w.dll". It allows them to reprogram the hard drive firmware of over a dozen different hard drive brands, including Seagate, Western Digital, Toshiba, Maxtor and IBM,” the post said.

What makes this programme unique is its extreme persistence, which lets it survive disk formatting and OS reinstallation. “If the malware gets into the firmware, it is available to “resurrect” itself forever. It may prevent the deletion of a certain disk sector or substitute it with a malicious one during system boot.

“Another dangerous thing is that once the hard drive gets infected with this malicious payload, it is impossible to scan its firmware. To put it simply: for most hard drives there are functions to write into the hardware firmware area, but there are no functions to read it back. It means that we are practically blind, and cannot detect hard drives that have been infected by this malware,” says Costin Raiu, Director of the Global Research and Analysis Team at Kaspersky Lab.

According to Kaspersky, another important factor is its ability to create an invisible, persistent area hidden inside the hard drive. It is used to save exfiltrated information which can be later retrieved by the attackers. Also, in some cases it may help the group to crack the encryption.

“Taking into account the fact that their GrayFish implant is active from the very boot of the system, they have the ability to capture the encryption password and save it into this hidden area,” Raiu explains.

It even allowed the attackers to reach networks that cannot be reached otherwise. The Fanny worm, it said, stands out from all the attacks performed by the Equation Group. “Its main purpose was to map air-gapped networks, in other words – to understand the topology of a network that cannot be reached, and to execute commands to those isolated systems. For this, it used a unique USB-based command and control mechanism which allowed the attackers to pass data back and forth from air-gapped networks.”

Explaining further, it said an infected USB stick with a hidden storage area was used to collect basic system information from a computer not connected to the Internet and to send it to the C&C when the USB stick was plugged into a computer that was infected by Fanny and had an Internet connection. “If the attackers wanted to run commands on the air-gapped networks, they could save these commands in the hidden area of the USB stick. When the stick was plugged into the air-gapped computer, Fanny recognized the commands and executed them.”

What’s more, the Equation Group has a very powerful command and control infrastructure that includes more than 300 domains and more than 100 servers. The servers, according to Kaspersky, are hosted in multiple countries, including the US, UK, Italy, Germany, Netherlands, Panama, Costa Rica, Malaysia, Colombia and the Czech Republic.
