Equation Group Takes Precise Calculations
- Removable drives or USBs
- CDs distributed in certain events
- Fanny malware
Based on reports, the attackers performed reconnaissance on their target networks by determining which websites and forums the users frequently visited. Once they had this information, they placed exploits on those websites/forums, which the users then downloaded without their knowledge. Another delivery mechanism was shipped physical media that had reportedly been tampered with.
What exploits were used in this targeted attack campaign?
Equation leveraged vulnerabilities to penetrate its targeted networks. For instance, it used two exploits previously associated with Stuxnet: a Windows Kernel EoP exploit (covered in MS09-025) and the LNK vulnerability (covered in CVE-2010-2568). This suggests that the campaign may also be related to Stuxnet. The attackers also leveraged the zero-day exploit found in Internet Explorer, which was covered in CVE-2013-3918. In addition, they used two TTF (TrueType Font) exploits, addressed in MS12-034 and MS13-081, respectively.
I am already using Trend Micro products. Am I protected from this threat?
Yes. Trend Micro product users are protected from this targeted attack via the following solutions:
Custom Defense Solutions:
Deep Discovery provides 360-degree network-wide visibility, insight and control that enterprises and government organizations need in order to reduce the risk of Advanced Persistent Threats (APTs) and targeted attacks.
Deep Discovery uniquely detects and identifies evasive threats in real-time, and provides in-depth analysis and actionable intelligence needed to prevent, discover and contain attacks against corporate data.
Trend Micro Deep Discovery Inspector is able to protect users and enterprises from Equation through a customized sandbox that identifies and analyzes the behavior of malware tools such as EQUATIONDRUG (detected as TROJ_DOTTUN.VTH), DOUBLEFANTASY (detected as TROJ_EQUATED.A), EQUESTRE, TRIPLEFANTASY (detected as TROJ_EQUATED.A), GRAYFISH (detected as TROJ_EQUATED.A), FANNY (detected as WORM_FANNY.AA), and EQUATIONLASER (detected as BKDR_LASSRV.B) that are invisible to standard security.
Cloud and Data Center Security
Trend Micro Deep Security provides a comprehensive server security platform designed to protect virtualized data centers from data breaches and business disruptions while enabling compliance.
Trend Micro Deep Security users are protected from the exploits used by the Equation campaign to infiltrate the network via the following DPI rules:
For the TTF exploit addressed in MS12-034:
- 1005008 - Win32k TrueType Font Parsing Vulnerability (CVE-2012-0159)
For LNK vulnerability covered in CVE-2010-2568:
- 1004314 - Identified LNK/PIF File Over SMTP
- 1004293 - Identified Microsoft Windows Shortcut File Over Network Share
- 1004294 - Identified Microsoft Windows Shortcut File Over WebDav
- 1004308 - Identified PIF File Over HTTP
- 1004304 - Identified Suspicious Microsoft Windows Shortcut File Over Network Share
- 1004302 - Microsoft Windows Shortcut Remote Code Execution
For the Internet Explorer vulnerability covered in CVE-2013-3918:
- 1005779 - Microsoft Internet Explorer ActiveX Control Code Execution Vulnerability (CVE-2013-3918)
- 1005785 - Restrict Information Card Signin Helper ActiveX Control
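The "Identified ... Shortcut File" rules above work by recognizing Windows shortcut (LNK) content in transit rather than trusting the file extension. The script below is an added illustration of that idea and is not code from the original article or from Trend Micro: it recognizes a file as a Shell Link by its MS-SHLLINK header (the 0x4C header size and the fixed link CLSID), decodes the LinkFlags field, and flags shortcuts that arrive under a non-.lnk name. The attachment names and bytes are constructed samples.

```python
import struct
from typing import Dict, List

# MS-SHLLINK ShellLinkHeader: HeaderSize (0x4C) followed by the fixed LinkCLSID
# 00021401-0000-0000-C000-000000000046 in its little-endian on-disk byte order.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (low byte) as documented in MS-SHLLINK.
LINK_FLAGS = {
    0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo",
    0x04: "HasName", 0x08: "HasRelativePath",
    0x10: "HasWorkingDir", 0x20: "HasArguments",
    0x40: "HasIconLocation", 0x80: "IsUnicode",
}

def is_shell_link(data: bytes) -> bool:
    """True when the bytes start with a valid ShellLinkHeader, whatever the filename says."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    return struct.unpack_from("<I", data, 0)[0] == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID

def link_flags(data: bytes) -> List[str]:
    """Decode the LinkFlags DWORD at offset 20 into the documented flag names."""
    flags = struct.unpack_from("<I", data, 20)[0]
    return [name for bit, name in LINK_FLAGS.items() if flags & bit]

def scan_attachments(attachments: Dict[str, bytes]) -> List[dict]:
    """Report every attachment that is really a shortcut, noting a misleading extension."""
    findings = []
    for name, data in attachments.items():
        if is_shell_link(data):
            findings.append({
                "name": name,
                "disguised": not name.lower().endswith(".lnk"),
                "flags": link_flags(data),
            })
    return findings

def make_sample_lnk(flags: int) -> bytes:
    """Constructed sample: a minimal 76-byte ShellLinkHeader with the given LinkFlags."""
    return struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags) + bytes(LNK_HEADER_SIZE - 24)

# Constructed sample attachments: one shortcut hiding behind a .pdf name, one harmless text file, one honest .lnk.
SAMPLE_ATTACHMENTS = {
    "report.pdf": make_sample_lnk(0x81),
    "notes.txt": b"quarterly notes, nothing to see here",
    "tool.lnk": make_sample_lnk(0x01),
}

if __name__ == "__main__":
    for finding in scan_attachments(SAMPLE_ATTACHMENTS):
        print(finding)
```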
- BKDR_LASSRV.B (EquationLaser)
- TROJ_EQUATED.A (DoubleFantasy)
- TROJ_DOTTUN.VTH (EquationDrug)
- TROJ_EQUATED.A (GrayFish)
- WORM_FANNY.AA (Fanny)
- TROJ_EQUATED.A (TripleFantasy)