How “omnipotent” hackers tied to NSA hid for 14 years—and were found at last | Ars Technica
[h=2]Six codenames[/h]In all, Kaspersky has tied at least six distinct pieces of malware to Equation Group. They include:EquationLaser: an early implant in use from 2001 to 2004.
DoubleFantasy: a validator-style trojan designed to confirm if the infected person is an intended target. People who are confirmed get upgraded to either EquationDrug or GrayFish.
EquationDrug: also known as Equestre, this is a complex attack platform that supports 35 different modules and 18 drivers. It is one of two Equation Group malware platforms to re-flash hard drive firmware and use virtual file systems to conceal malicious files and stolen data.
It was delivered only after a target had been infected with DoubleFantasy and confirmed to be a target. It was introduced in 2002 and was phased out in 2013 in favor of the more advanced GrayFish.
GrayFish: the successor to EquationDrug and the most sophisticated of all the Equation Group attack platforms. It resides completely in the registry and relies on a bootkit to take hold each time a computer starts. Whereas EquationDrug re-flashed hard drives for six models, GrayFish re-flashed 12 classes of hard drives. GrayFish exploits a vulnerability in the CloneCD driver ElbyCDIO.sys—and possibly drivers of other programs—to bypass Windows code-signing requirements.
Fanny: A computer worm that exploited what in 2008 were two zero-day vulnerabilities in Windows to self-replicate each time an infected USB stick was inserted into a targeted computer. The main purpose of Fanny was to conduct reconnaissance on sensitive air-gapped networks. After infecting a computer not connected to the Internet, Fanny collected network information and saved it to a hidden area of the USB drive. If the stick was later plugged in to an Internet-computer, it would upload the data to attacker servers and download any attacker commands. If the stick was later plugged into the air-gapped machine, the downloaded commands would be executed. This process would continue each time the stick was switched between air-gapped and Internet-connected machines.
[h=2]Six codenames[/h]In all, Kaspersky has tied at least six distinct pieces of malware to Equation Group. They include:EquationLaser: an early implant in use from 2001 to 2004.
DoubleFantasy: a validator-style trojan designed to confirm if the infected person is an intended target. People who are confirmed get upgraded to either EquationDrug or GrayFish.
EquationDrug: also known as Equestre, this is a complex attack platform that supports 35 different modules and 18 drivers. It is one of two Equation Group malware platforms to re-flash hard drive firmware and use virtual file systems to conceal malicious files and stolen data.
It was delivered only after a target had been infected with DoubleFantasy and confirmed to be a target. It was introduced in 2002 and was phased out in 2013 in favor of the more advanced GrayFish.
GrayFish: the successor to EquationDrug and the most sophisticated of all the Equation Group attack platforms. It resides completely in the registry and relies on a bootkit to take hold each time a computer starts. Whereas EquationDrug re-flashed hard drives for six models, GrayFish re-flashed 12 classes of hard drives. GrayFish exploits a vulnerability in the CloneCD driver ElbyCDIO.sys—and possibly drivers of other programs—to bypass Windows code-signing requirements.
Fanny: A computer worm that exploited what in 2008 were two zero-day vulnerabilities in Windows to self-replicate each time an infected USB stick was inserted into a targeted computer. The main purpose of Fanny was to conduct reconnaissance on sensitive air-gapped networks. After infecting a computer not connected to the Internet, Fanny collected network information and saved it to a hidden area of the USB drive. If the stick was later plugged in to an Internet-computer, it would upload the data to attacker servers and download any attacker commands. If the stick was later plugged into the air-gapped machine, the downloaded commands would be executed. This process would continue each time the stick was switched between air-gapped and Internet-connected machines.