CylancePROTECT™ vs. the Real World: Equation Group

Since 2001, and potentially as far back as 1996, the Equation Group has been hacking targets around the world, leveraging a sophisticated framework of exploitation tools, including many 0-days, to gain access, maintain persistence, and exfiltrate data from its targets. To give credit where credit is due, we recommend reading Kaspersky's blog and full report on the group they've dubbed "The Death Star of Malware Galaxy".

The word "advanced" gets thrown around a lot in the cybersecurity community, but in the case of the Equation Group it's completely appropriate. The group used incredibly sophisticated techniques for targeting and control, including numerous encryption algorithms such as RC4, RC6 and AES, hence Kaspersky's choice of the name "Equation". Additionally, there are reports of their implants reaching into the BIOS of the computer system and even the firmware of the hard drives themselves.

I think few will doubt that this is some of the most sophisticated malware ever seen publicly. Not since Stuxnet have we seen this level of skill and determination.

Despite the sophistication, however, CylancePROTECT blocks the malware used by the Equation Group.

Below is the list of samples, taken from the Kaspersky report, that we tested:

MD5                               Type
752af597e6d9fd70396accc0b9013dbe  EquationLaser installer
6fe6c03b938580ebf9b82f3b9cd4c4aa  Disk from Houston: autorun.exe with EoP exploits / EoP package and launcher
2a12630ff976ba0994143ca93fecd17f  DoubleFantasy installer
4556ce5eb007af1de5bd3b457f0b216d  EquationDrug installer (LUTEUSOBSTOS)
9b1ca66aab784dc5f1dfe635d8f8a904  GrayFish installer
0a209ac0de4ac033f31d6ba9191a8f7a  Fanny worm
9180d5affe1e5df0717d7385e7f54386  TripleFantasy loader DLL
ba39212c5b58b97bfc9f5bc431170827  TripleFantasy encrypted payload
03718676311de33dd0b8f4f18cffd488  _SD_IP_CF.dll - unknown / DoubleFantasy installer + LNK exploit package
11fb08b9126cdb4668b3f5135cf7a6c5  nls_933w.dll - HDD reprogramming module
24a6ec8ebf9c0867ed1c097f4a653b8d  standalonegrok_2.1.1.1 / GROK keylogger
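For readers who want to sweep their own hosts for these exact builds, the following is an added example (not part of the original post, and not Cylance's product or its detection logic) that hashes every file under a directory and reports any whose MD5 appears in the indicator table above. The indicator dictionary is copied from that table; the function and argument names are this example's own. Note the caveat that matters here: a hash sweep only catches these precise byte-for-byte samples, and a single repack or recompile of any of them defeats it, which is the gap the post argues a classifier has to close.

```python
import hashlib
import os

# MD5 indicators copied from the table above (Kaspersky's Equation Group report).
EQUATION_IOCS = {
    "752af597e6d9fd70396accc0b9013dbe": "EquationLaser installer",
    "6fe6c03b938580ebf9b82f3b9cd4c4aa": "Disk from Houston autorun.exe (EoP package and launcher)",
    "2a12630ff976ba0994143ca93fecd17f": "DoubleFantasy installer",
    "4556ce5eb007af1de5bd3b457f0b216d": "EquationDrug installer (LUTEUSOBSTOS)",
    "9b1ca66aab784dc5f1dfe635d8f8a904": "GrayFish installer",
    "0a209ac0de4ac033f31d6ba9191a8f7a": "Fanny worm",
    "9180d5affe1e5df0717d7385e7f54386": "TripleFantasy loader DLL",
    "ba39212c5b58b97bfc9f5bc431170827": "TripleFantasy encrypted payload",
    "03718676311de33dd0b8f4f18cffd488": "_SD_IP_CF.dll (DoubleFantasy installer + LNK exploit package)",
    "11fb08b9126cdb4668b3f5135cf7a6c5": "nls_933w.dll (HDD reprogramming module)",
    "24a6ec8ebf9c0867ed1c097f4a653b8d": "standalonegrok_2.1.1.1 (GROK keylogger)",
}


def normalize_md5(value):
    """Return a lowercase 32-hex MD5 string, or None if `value` is not one.

    Indicator feeds mix upper/lower case and stray whitespace; normalising
    before lookup avoids silent misses on otherwise identical hashes."""
    v = value.strip().lower()
    if len(v) != 32 or any(c not in "0123456789abcdef" for c in v):
        return None
    return v


def md5_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so large binaries never need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def lookup(md5_hex, iocs=EQUATION_IOCS):
    """Return the sample type for a hash, or None if it is not a known indicator."""
    key = normalize_md5(md5_hex)
    return iocs.get(key) if key else None


def scan_tree(root, iocs=EQUATION_IOCS):
    """Walk `root` and return sorted (path, sample_type) pairs for every file
    whose MD5 is in `iocs`. Unreadable files are skipped rather than aborting
    the sweep, since a locked or permission-denied file is normal on a live host."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = md5_file(path)
            except OSError:
                continue
            sample_type = iocs.get(digest)
            if sample_type:
                hits.append((path, sample_type))
    return sorted(hits)


if __name__ == "__main__":
    import sys

    for path, kind in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: {kind}")
```

Run it as `python scan.py /path/to/sweep`; an empty result means none of these specific builds is present, not that the host is clean.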

After running each sample through our machine learning model, every one of them is classified as malicious and would have been blocked had it attempted to execute on a system running CylancePROTECT.

Figure 2: CylancePROTECT detects and prevents every one of the Equation Group's samples from ever executing, so a protected system never runs them.

Regardless of the sophistication, even a BIOS bootkit or a malicious hard drive firmware update has to start somewhere, and that somewhere is almost always an executable that runs on the host first; that is the executable CylancePROTECT blocks. We will never claim perfection, but we have created the closest threat protection product in the world to it.

Don’t believe us? Try out the "security unicorn" for yourself.

Stuart McClure
Cylance, Inc.

P.S. After publishing, we came across more samples to test against CylancePROTECT. In a forum post by a user named DKK, dating all the way back to 2010, it appears they came across a version of Fanny, part of the Equation Group's toolkit. At the time DKK wrote: "How is this virus launching and infecting the computer? Via the plug and play service? What's the significance of all those *.lnk files?". We know that Stuxnet exploited .lnk files via a 0-day. After dropping these samples onto a system running CylancePROTECT, you can see below how they were immediately detected and their execution was prevented. Hat tip to Ars Technica for unearthing this.