Equation Group : Advanced Secretive Computer Espionage Group

This presentation is based on a report by Kaspersky Lab titled “Equation Group: Questions and Answers”.
What is Equation Group?
The Equation group is a highly sophisticated threat actor that has been engaged in multiple Computer Network Exploitation operations dating back to 2001, and perhaps as early as 1996. The Equation group uses multiple malware platforms, some of which surpass the well-known “Regin” threat in complexity and sophistication.
Why called Equation Group?
In general, the Equation group uses a specific implementation of the RC5 encryption algorithm throughout their malware. Some of the most recent modules use RC6, RC4 and AES too, in addition to other cryptographic functions and hashes. The group is called “Equation” because of its evident love for encryption algorithms and obfuscation strategies, and the sophisticated methods used throughout its operations.
Malware Family of the Equation Group?
Exploits used by the Equation Group
The Equation group uses an implant known as DoubleFantasy (the internal Kaspersky Lab name) for the validation of their victims. The implant serves two purposes: to confirm whether the victim is interesting and, if so, to upgrade the victim to the EquationDrug or GrayFish platforms; and to keep a backdoor into a potentially interesting target’s computer.
What is Equation Drug?
A victim doesn’t immediately get infected with EQUATIONDRUG. First, the attackers infect them with DOUBLEFANTASY, which is a validator-style plugin. If the victim is confirmed as interesting to the attackers, the EQUATIONDRUG installer is delivered. EQUATIONDRUG is one of the group’s most complex espionage platforms. The platform was developed between 2003 and 2013 and subsequently replaced by GrayFish.
What is GRAYFISH?
GRAYFISH is the most modern and sophisticated malware implant from the Equation group. It is designed to provide an “invisible” persistence mechanism, hidden storage and malicious command execution inside the Windows operating system.
INTERESTING GRAYFISH !!!
An interesting observation: the first-stage GRAYFISH loader computes the SHA-256 hash of the NTFS Object_ID of the system folder (%Windows% or %System%) one thousand times. The result is used as an AES decryption key for the next stage. This is somewhat similar to Gauss, which computed the MD5 hash over the name of its target folder 10,000 times and used the result as the decryption key.
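The key derivation described above, as an added example written for this page (not code from the original presentation or from the Kaspersky report): it reconstructs a GrayFish-style key from an NTFS Object_ID and a Gauss-style key from a folder name, and shows why a payload keyed this way cannot be decrypted away from the victim machine unless the analyst recovers the Object_ID from a forensic image. The chaining of hash rounds, feeding the Object_ID in as raw bytes, the UTF-16LE encoding of the folder name, the fsutil-style output of the constructed sample, and all function names are assumptions, not details confirmed by the report.

```python
"""Rebuild environment-derived decryption keys of the kind the slides describe:
GrayFish hashes the NTFS Object_ID of the system folder with SHA-256 one thousand
times; Gauss hashed its target folder name with MD5 10,000 times.

Assumptions (not stated on the page): every round re-hashes the previous round's
raw digest, the Object_ID is hashed as its 16 raw bytes, and the folder name is
hashed as UTF-16LE. Adjust these once the actual loader has been reversed.
"""
import hashlib
import re

# Constructed sample of `fsutil objectid query <folder>` output, as an analyst
# would capture it from the victim's disk image. The hex values are made up.
SAMPLE_FSUTIL_OUTPUT = """\
Object ID :         0123456789abcdef0123456789abcdef
BirthVolume ID :    fedcba9876543210fedcba9876543210
BirthObjectId ID :  0123456789abcdef0123456789abcdef
Domain ID :         00000000000000000000000000000000
"""


def iterated_hash(data: bytes, algo: str, rounds: int) -> bytes:
    """Hash `data` once, then re-hash the raw digest `rounds - 1` more times."""
    if rounds < 1:
        raise ValueError("rounds must be >= 1")
    digest = data
    for _ in range(rounds):
        digest = hashlib.new(algo, digest).digest()
    return digest


def parse_object_id(fsutil_output: str) -> bytes:
    """Pull the 16-byte Object ID out of fsutil-style output (format assumed)."""
    m = re.search(r"^Object ID\s*:\s*([0-9a-fA-F]{32})\s*$", fsutil_output, re.M)
    if not m:
        raise ValueError("no Object ID line found")
    return bytes.fromhex(m.group(1))


def grayfish_style_key(object_id: bytes, rounds: int = 1000) -> bytes:
    """SHA-256 iterated `rounds` times over the Object_ID -> 32-byte AES-256 key."""
    if len(object_id) != 16:
        raise ValueError("an NTFS Object ID is 16 bytes")
    return iterated_hash(object_id, "sha256", rounds)


def gauss_style_key(folder_name: str, rounds: int = 10000) -> bytes:
    """MD5 iterated `rounds` times over the folder name -> 16-byte key."""
    return iterated_hash(folder_name.encode("utf-16-le"), "md5", rounds)


def key_depends_on_environment(object_id: bytes) -> bool:
    """The defender's point: flipping a single Object_ID bit yields an unrelated
    key, so the next stage only decrypts with the victim's own Object_ID."""
    other = bytes([object_id[0] ^ 0x01]) + object_id[1:]
    return grayfish_style_key(object_id) != grayfish_style_key(other)


if __name__ == "__main__":
    oid = parse_object_id(SAMPLE_FSUTIL_OUTPUT)
    print("Object ID         :", oid.hex())
    print("GrayFish-style key:", grayfish_style_key(oid).hex())
    print("Gauss-style key   :", gauss_style_key("Target Folder").hex())
    print("environment-bound :", key_depends_on_environment(oid))
```

The derived bytes are only the key; the AES mode, IV and ciphertext layout of the next stage have to come from the loader itself and are fed to an AES library of your choice.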
What exploits does the EQUATION GROUP use?
Windows Kernel EoP exploit used in Stuxnet 2009 (atempsvc.ocx), fixed with MS09-025 (CVE unknown).
TTF exploit fixed with MS12-034 (possibly CVE-2012-0159).
TTF exploit fixed with MS13-081 (possibly CVE-2013-3894).
LNK vulnerability as used by Stuxnet (CVE-2010-2568).
CVE-2013-3918 (Internet Explorer).
CVE-2012-1723 (Java).
CVE-2012-4681 (Java).
How Do Victims Get Infected By EQUATION Group Malware?
The Equation group uses multiple techniques, including:
Self-replicating (worm) code – Fanny
Physical media, CD-ROMs
USB sticks + exploits
Web-based exploits
Most Sophisticated thing about the EQUATION group?
The ability to infect hard drive firmware. Two HDD firmware reprogramming modules, from the EQUATIONDRUG and GRAYFISH platforms, were seen in the findings.
EQUATION group VICTIM MAP
Non-Windows Malware from the Equation group?
“All the malware we have collected so far is designed to work on Microsoft’s Windows operating system. However, there are signs that non-Windows malware does exist. For instance, one of the sinkholed C&C domains is currently receiving connections from a large pool of victims in China that appear to be Mac OS X computers (based on the user-agent).”
C&C Infrastructure : Equation Group
All C&C domains appear to have been registered through the same two major registrars, using “Domains By Proxy” to mask the registrant’s information. The group runs a vast C&C infrastructure that includes more than 300 domains and more than 100 servers. The servers are hosted in multiple countries, including the US, UK, Italy, Germany, Netherlands, Panama, Costa Rica, Malaysia, Colombia and Czech Republic.
Contact me:
anupam605@gmail.com
http://about.me/anupam.tiwari
https://www.youtube.com/user/anupam50/videos