EquationDrug

WMI information gathering.

Backdoor command is stored in the first byte of the decrypted request... 3 CallWinExec Disable Windows Audit and start new process via standard code injection in Winlogon.exe.

Next, the module injects extra code into a newly started target process. The injected code loads the payload DLL (“mscfg32.dll”) into the target process

The injection of code into winlogon.exe and services.exe ensures that the newly started process will have SYSTEM user privileges.

The driver also maintains a persistent list of protected objects that is stored in the following registry values... These values are also protected by the rootkit.

Magic Packet Recognition... Packets that passed through the filter are added in the end of processing queue... The backdoor command may arrive in a single packet or be split into pieces and come with several packets.

HDD and SSD firmware manipulation.

The platform is started by the kernel mode driver component (“msndsrv.sys” on Windows 2000 or above and “mssvc32.vxd” on Windows 9x). The driver then waits for the system to start and initiates execution of the user-mode loader “mscfg32.exe”.

Next, it crafts and injects a shellcode in “services.exe” or “winlogon.exe”. The shellcode is designed to spawn the loader process from the executable called “mscfg32.exe”.

The platform is started by the kernel mode driver component (“msndsrv.sys” on Windows 2000 or above and “mssvc32.vxd” on Windows 9x). The driver then waits for the system to start and initiates execution of the user-mode loader “mscfg32.exe”.

The driver acts as the first stage of the EquationDrug platform on Windows 2000+ and implements rootkit functions for hiding the components of the platform.

Next, it crafts and injects a shellcode in “services.exe” or “winlogon.exe”. The shellcode is designed to spawn the loader process from the executable called “mscfg32.exe”.

Code Patcher The driver patches OS code to dynamically disable or enable Windows audit logging.

Panic Disable packet filtering, securely delete driver file, clear related registry keys, set ClearPageFileAtShutdown flag, unbind adapters, delete devices and prepare for unloading.

Magic Packet Recognition... Packets that passed through the filter are added in the end of processing queue... The backdoor command may arrive in a single packet or be split into pieces and come with several packets.

HDD and SSD firmware manipulation.

The rootkit code in the driver hooks several Native API functions that lets it hide or protect registry keys, files and running processes.

The rootkit code in the driver hooks several Native API functions that lets it hide or protect registry keys, files and running processes.

The driver also maintains a persistent list of protected objects that is stored in the following registry values... These values are also protected by the rootkit.

Network traffic interception for stealing or re-routing.

Keylogging and clipboard monitoring.

Collection of cached passwords.

Browser history, cached passwords and form auto-fill data collection.

Network traffic interception for stealing or re-routing.

Enumeration of processes and other system objects.

Collects system information: OS version, computer name, user name, locale, keyboard layout, timezone, process lists

Computer management: Start/stop processes Load drivers and libraries Manage files and directories

Browsing network resources and enumerating and accessing shares.

Browsing network resources and enumerating and accessing shares.

Monitoring removable storage drives.

Keylogging and clipboard monitoring.

These include common features such as file collection and the making of screenshots.

Keylogging and clipboard monitoring.

Sophistication is added by storing stolen data inside a custom-encrypted virtual file system before it is sent to the command and control servers.

8002 wshcom.dll C&C communication using Windows sockets ... 80CA wshapi.dll C&C communications interface via Windows sockets

EquationDrug Plugins: Plugin ID File name Description 800C perfcom.dll HTTP communication ... 80BE vnetapi.dll C&C communication via WinHTTP API

Passive network backdoor (runs Equation shellcode from raw traffic).

Magic Packet Recognition... Packets that passed through the filter are added in the end of processing queue... The backdoor command may arrive in a single packet or be split into pieces and come with several packets.