Experts Explain How Equation Group Hackers Use DanderSpritz Framework's Logging Tool

Researchers have provided a thorough look at a system called DoubleFeature, which is dedicated to tracking various stages of post-exploitation resulting from the Equation Group’s deployment of DanderSpritz, a complete malware framework.

DanderSpritz came to light on April 14, 2017, when a hacker group known as the Shadow Brokers published a leak titled “Lost in Translation” that included this tool among others. EternalBlue, an exploit developed by the US National Security Agency (NSA) that threat actors later used to carry out the NotPetya ransomware attack on unpatched Windows PCs, was also part of the release.

The tool is a modular, covert, and fully functioning framework for post-exploitation operations on Windows and Linux hosts relying on dozens of plugins. According to Check Point researchers, one of them is DoubleFeature. It serves as a “diagnostic tool for victim machines containing DanderSpritz.”

“DoubleFeature could be used as a sort of Rosetta Stone for better understanding DanderSpritz modules, and systems compromised by them,” as per the Israeli cybersecurity firm. “It’s an incident response team’s pipe dream.”

DoubleFeature is a Python-based interface that doubles as a reporting utility, sending its logs from an infected system to an attacker-controlled server. It is designed to keep track of the types of tools placed on a target machine. A dedicated program named “DoubleFeatureReader.exe” is used to interpret the output.

DoubleFeature keeps track of several plugins, including remote access tools such as UnitedRake (aka EquationDrug) and PeddleCheap, a stealthy data exfiltration backdoor known as StraitBizarre, an espionage platform known as KillSuit (aka GrayFish), a persistence toolset known as DiveBar, a covert network access driver known as FlewAvenue, and a validator implant known as MistyVeal that determines if the infected system is an actual victim machine rather than a test environment.

“Sometimes, the world of high-tier APT tools and the world of ordinary malware can seem like two parallel universes,” the researchers revealed. “Nation-state actors tend to [maintain] clandestine, gigantic codebases, sporting a huge gamut of features that have been cultivated over decades due to practical need. It turns out we too are still slowly chewing on the 4-year-old leak that revealed DanderSpritz to us, and gaining new insights.”

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.