Researchers from China’s Pangu Lab have published details of a “top-tier” backdoor used by the Equation Group, an APT with alleged ties to the NSA. The backdoor, dubbed “Bvp47” after the string “Bvp” that appears repeatedly in the sample and the value 0x47 used in its encryption algorithm, was extracted from Linux systems in 2013 “during an in-depth forensic investigation of a host in a key domestic department.”
The attacks in which Bvp47 was deployed were codenamed “Operation Telescreen” by Pangu Lab. The implant features a covert channel triggered by specially crafted TCP SYN packets, code obfuscation, system hiding, and a self-destruct design.
Equation Group, dubbed the “crown creator of cyber espionage” by Russian security firm Kaspersky, is an advanced threat that has been active since at least 2001 and has used zero-day exploits to “infect victims, retrieve data, and hide activity in an outstandingly professional manner,” some of which were later used in Stuxnet.
Victims in 42 countries have included governments, telecoms, aerospace, energy, nuclear research, oil and gas, military, nanotechnology, Islamic activists and scholars, media, transportation, financial institutions, and companies developing encryption technologies.
The researchers describe the trigger for the covert channel (A is the controlling machine, V1 the Bvp47-infected server): “Specifically, A sends a SYN packet with a 264-byte payload to the V1 server’s port 80, and then the V1 server immediately initiates an external connection to the A machine’s high-end port and maintains a large amount of exchange data.”
Simultaneously, V1 connects to a second internal host, V2, over SMB to perform a variety of operations, such as logging in to V2 with an administrator account, attempting to open terminal services, enumerating directories, and executing PowerShell scripts via scheduled tasks.
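The knock described above leaves two network-visible artefacts that a defender can look for without any knowledge of the implant’s encryption: a pure SYN (ACK flag clear) that carries data, which no normal TCP stack sends outside TCP Fast Open, and the knocked server then dialling back to the knocker on a high port. The following detector is an added example written for this article, not code from Pangu Lab or from the Bvp47 sample; the packet builder, the 5-second correlation window and the sample traffic (addresses, ports, the 0x47 filler bytes) are all constructed here for illustration. It parses raw IPv4/TCP packets and emits one alert for the SYN-with-payload and a second when the callback follows within the window.

```python
"""Detector for a Bvp47-style SYN knock: a TCP SYN carrying a payload, followed by
the knocked host opening a connection back to the sender on a high port.
Hypothetical detection logic written for this article, not code from Pangu Lab;
sample packets are constructed inline."""
import struct

SYN, ACK = 0x02, 0x10
KNOCK_PAYLOAD_LEN = 264  # payload size quoted in the Pangu report


def build_ipv4_tcp(src, dst, sport, dport, flags, payload=b"", seq=1):
    """Assemble a minimal IPv4+TCP packet (no link layer, checksums zeroed).
    Used only to construct test traffic for the detector below."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0,
                      (5 << 12) | flags, 65535, 0, 0) + payload
    total_len = 20 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    return ip + tcp


def parse_ipv4_tcp(pkt):
    """Return the fields the detector needs, or None for non-TCP packets."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6 or len(pkt) < ihl + 20:
        return None
    tcp = pkt[ihl:]
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    return {
        "src": ".".join(map(str, pkt[12:16])),
        "dst": ".".join(map(str, pkt[16:20])),
        "sport": sport, "dport": dport,
        "flags": off_flags & 0x01FF,
        "payload_len": total_len - ihl - data_off,
    }


def is_syn_with_payload(f):
    """A pure SYN (ACK clear) carrying data: outside TCP Fast Open (RFC 7413)
    no normal stack produces one, so it is a strong anomaly on its own."""
    return bool(f["flags"] & SYN) and not (f["flags"] & ACK) and f["payload_len"] > 0


def detect(packets, window=5.0):
    """Scan (timestamp, raw_packet) pairs in order.  Emits:
       - ('syn_payload', src, dst, dport, payload_len) for every SYN carrying data
       - ('callback', src, dst, dport) when the knocked host then opens a
         connection back to the knocker on a high port within `window` seconds."""
    alerts, pending = [], {}   # pending[(knocked_host, knocker)] = knock time
    for ts, raw in packets:
        f = parse_ipv4_tcp(raw)
        if f is None:
            continue
        if is_syn_with_payload(f):
            alerts.append(("syn_payload", f["src"], f["dst"], f["dport"], f["payload_len"]))
            pending[(f["dst"], f["src"])] = ts
        elif f["flags"] & SYN and not f["flags"] & ACK:
            key = (f["src"], f["dst"])
            t0 = pending.get(key)
            if t0 is not None and ts - t0 <= window and f["dport"] > 1023:
                alerts.append(("callback", f["src"], f["dst"], f["dport"]))
                del pending[key]
    return alerts


# Constructed sample traffic: a benign SYN, the 264-byte knock to port 80,
# then the knocked server dialling back to the knocker's high port.
SAMPLE = [
    (0.0, build_ipv4_tcp("10.0.0.5", "192.0.2.10", 40000, 80, SYN)),
    (1.0, build_ipv4_tcp("198.51.100.7", "192.0.2.10", 44444, 80, SYN,
                         payload=b"\x47" * KNOCK_PAYLOAD_LEN)),
    (1.2, build_ipv4_tcp("192.0.2.10", "198.51.100.7", 45000, 51234, SYN)),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

The same first-stage check can be expressed as a capture filter, `tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and (ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2)) != 0'`, or as a Suricata rule using `flags:S;` together with `dsize:264;`. Exclude hosts that legitimately use TCP Fast Open before alerting on the first stage alone; the callback correlation is what makes the pair specific.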
The researchers also tied the implant to the ‘eqgrp-auction-file.tar.xz.gpg’ archive of Equation Group tooling: “During the course of analysing the ‘eqgrp-auction-file.tar.xz.gpg’ file, it was discovered that Bvp47 and the attacking tools in the compressed package [were related], primarily ‘dewdrops’, ‘suctionchar agents’, ‘tipoffs’, ‘StoicSurgeon’, ‘incision’ and other directories.”
Finally, the researchers concluded: “Based on the attack tools associated with the organisation, including Bvp47, the Equation group is indeed a first-rate hacking group. The tool is well-designed, powerful, and adaptable to a wide range of situations. Its network attack capability, armed with zero-day vulnerabilities, was unstoppable, and its data acquisition under covert control was simple. The Equation Group holds a commanding position in national-level cyberspace conflict.”