Since 2001, and potentially as far back as 1996, the Equation Group has engaged in hacking targets around the world. Leveraging a sophisticated framework of exploitation tools including many 0-days to gain access, maintain persistence, and exfiltrate data from its targets. To give credit where credit is due, we recommend reading Kasperksy's blog and full report on the group they've dubbed "The Deathstar of Malware Galaxy".
The word "advanced" gets thrown around a lot in the cybersecurity community, but in the case of the Equation Group, it's completely appropriate. The group used incredibly sophisticated techniques for targeting and control including numerous encryption standards like RC4, RC6 and AES – ergo Kaspersky’s name assignment of “Equation”. Additionally, there are reports of their exploitation going into the BIOS of the computer system and even the firmware of the harddrives themselves.
I think few will doubt any claim that this may be some of the most sophisticated malware ever seen publicly. Not since Stuxnet have we seen this level of skill and determination.
Despite the sophistication however, CylancePROTECT blocks the malware used by the Equation Group.
Below is a list of samples taken from the Kasperksy report:
| Type | MD5 |
| EquationLaser installer | 752af597e6d9fd70396accc0b9013dbe |
| Disk from Houston autorun.exe with EoP exploits/EoP package and launcher | 6fe6c03b938580ebf9b82f3b9cd4c4aa |
| DoubleFantasy installer | 2a12630ff976ba0994143ca93fecd17f |
| EquationDrug installer (LUTEUSOBSTOS) | 4556ce5eb007af1de5bd3b457f0b216d |
| GrayFish installer | 9b1ca66aab784dc5f1dfe635d8f8a904 |
| Fanny worm | 0a209ac0de4ac033f31d6ba9191a8f7a |
| TripleFantasy loader DLL | 9180d5affe1e5df0717d7385e7f54386 |
| TripleFantasy encrypted payload | ba39212c5b58b97bfc9f5bc431170827 |
| _SD_IP_CF.dll - unknown / DoubleFantasy installer + LNK exploit package | 03718676311de33dd0b8f4f18cffd488 |
| nls_933w.dll - HDD reprogramming module | 11fb08b9126cdb4668b3f5135cf7a6c5 |
| standalonegrok_2.1.1.1 / GROK keylogger | 24a6ec8ebf9c0867ed1c097f4a653b8d |
After running each sample through our machine learning algorithms, we find that all of them are guilty of being malicious and would have been blocked had they attempted to execute on any system running CylancePROTECT.
Figure 2: CylancePROTECT detects and prevents any of the Equation Group’s samples from ever executing, meaning the system is completely protected.
Regardless of the sophistication, even BIOS bootkits or malicious hard drive firmware updates have to start somewhere, and that somewhere is almost always in the form of an executable that will be blocked by CylancePROTECT. We will never claim perfection, but we have created the closest threat protection product in the world to it.
Don’t believe us? Try out the "security unicorn" for yourself.
Stuart McClure
CEO/Founder
Cylance, Inc.
P.S. After publishing, we came across more samples to test against CylancePROTECT. In a forum post by a user named DKK, dating all the way back to 2010, it appears they came across a version of fanny – part of the Equation Group's toolkit. At the time DKK wrote: "How is this virus launching and infecting the computer? Via the plug and play service? What's the significance of all those *.lnk files?". We know that Stuxnet exploited .lnk files via an 0-day. After dropping these samples into a CylancePROTECT'd system, you can see below how it was immediately detected and its execution was prevented. Hat tip to ArsTechnica for unearthing this.
