Researchers from China's Pangu Lab have revealed details of a "top-tier" backdoor used by the Equation Group, an advanced persistent threat (APT) with purported links to the cyber-warfare intelligence-gathering unit of the U.S. National Security Agency (NSA).
The backdoor was discovered on Linux computers "after an in-depth forensic assessment of a host in a major domestic department" in 2013. It was dubbed "Bvp47" because of repeated references to the string "Bvp" and the number 0x47 used in its encryption scheme. According to Pangu Lab, the attacks using Bvp47 were nicknamed "Operation Telescreen," with the implant boasting "advanced covert channel behavior based on TCP SYN packets, code obfuscation, system hiding, and self-destruction design."
Equation Group is the name given to a sophisticated adversary operating since 2001. It has employed previously unknown zero-day flaws to "infect victims, retrieve data and hide activity in an outstandingly professional way," some of which were eventually incorporated into Stuxnet. Its targets, spanning at least 42 countries, include governments, telecom, energy, aerospace, oil and gas, nuclear research, nanotechnology, military, Islamic activists and academics, media, financial institutions, transportation, and firms developing encryption technologies.
The group is thought to be tied to the NSA's Tailored Access Operations (TAO) unit, while intrusion efforts involving a second collective, known as Longhorn (aka The Lamberts), have been linked to the CIA. Equation Group's malware toolkit was made public in 2016 when the Shadow Brokers leaked the batch of exploits the elite hacking squad used. Kaspersky detected code-level similarities between the leaked files and samples already attributed to the threat actor.
Pangu Lab investigated two internally compromised servers, an email server and an enterprise server designated V1 and V2, and an external domain (A). The backdoor also included a two-way communication mechanism used to exfiltrate sensitive data from the systems.
V1 connects to V2 through the SMB service and performs a series of actions at the same time, including logging in with an administrator account, enumerating directories, attempting to open terminal services, and running PowerShell scripts through scheduled tasks. V2 in turn connects to V1 to obtain a PowerShell script and an encrypted second-stage payload. The encrypted execution results are transmitted back to V1, which, as per the researchers, "acts as a data transfer between the A machine and the V2 server."
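As an added illustration of the V1/V2 chain described above (this is not Pangu Lab's code or any Bvp47 artifact), the following correlator flags a host pair where one side drove the other over SMB and the other side later pulled a script and payload back and returned results; the event kinds, the `ts src dst kind` field layout and the sample log are constructed assumptions.

```python
"""Flag the bidirectional lateral-movement pattern: A -> B over SMB (admin
logon, directory enumeration, scheduled-task PowerShell), then B -> A to
fetch a script/encrypted payload and upload encrypted results."""
from collections import defaultdict

# Constructed event kinds for the forward (SMB-driven) direction.
FORWARD_KINDS = {"smb_admin_logon", "smb_dir_enum", "sched_task_powershell"}
# Constructed event kinds for the reverse (pull stage, report back) direction.
REVERSE_KINDS = {"fetch_script", "fetch_encrypted_payload", "upload_encrypted_result"}

def parse_event(line):
    """Parse 'ts src dst kind' into (int ts, src, dst, kind); None if malformed."""
    parts = line.split()
    if len(parts) != 4 or not parts[0].isdigit():
        return None
    return int(parts[0]), parts[1], parts[2], parts[3]

def find_bidirectional_chains(lines, min_forward=2, min_reverse=2):
    """Return sorted (initiator, victim) pairs where the initiator drove the
    victim over SMB and the victim afterwards reached back for script/payload."""
    kinds = defaultdict(set)   # (src, dst) -> set of event kinds seen
    first_seen = {}            # (src, dst, kind) -> earliest timestamp
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue           # skip malformed records rather than crash
        ts, src, dst, kind = ev
        kinds[(src, dst)].add(kind)
        first_seen[(src, dst, kind)] = min(ts, first_seen.get((src, dst, kind), ts))
    hits = []
    for (a, b), fwd in kinds.items():
        fwd_hit = fwd & FORWARD_KINDS
        rev_hit = kinds.get((b, a), set()) & REVERSE_KINDS
        if len(fwd_hit) < min_forward or len(rev_hit) < min_reverse:
            continue
        # The reverse pull must begin after the first forward SMB action.
        if min(first_seen[(b, a, k)] for k in rev_hit) > min(first_seen[(a, b, k)] for k in fwd_hit):
            hits.append((a, b))
    return sorted(hits)

# Constructed sample log: a V1/V2 chain plus routine admin activity that should not fire.
SAMPLE_LOG = [
    "100 V1 V2 smb_admin_logon", "105 V1 V2 smb_dir_enum",
    "110 V1 V2 sched_task_powershell", "120 V2 V1 fetch_script",
    "125 V2 V1 fetch_encrypted_payload", "140 V2 V1 upload_encrypted_result",
    "200 FS1 WS7 smb_admin_logon",   # single share logon, no scripted follow-up
    "210 WS7 FS1 fetch_script",      # one reverse event, below default threshold
    "garbage line",
]

if __name__ == "__main__":
    print(find_bidirectional_chains(SAMPLE_LOG))   # -> [('V1', 'V2')]
```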
The Bvp47 backdoor on the servers comprises two parts: a loader that decodes and loads the payload into memory, and the backdoor itself. "Bvp47 generally lives in the Linux operating system in the demilitarized zone that communicates with the Internet," the researchers said. "It mainly assumes the core control bridge communication role in the overall attack."
Pangu Lab's attribution to the Equation Group is based on exploits found in a GPG-encrypted archive leaked by the Shadow Brokers in August 2016, "eqgrp-auction-file.tar.xz.gpg," as part of a failed cyber weapons auction. The discovery is the second time in as many months that previously unknown Equation Group malware has been uncovered: in late December 2021, Check Point Research revealed a diagnostic utility dubbed "DoubleFeature" that works with the DanderSpritz malware framework.