Recent reports have indicated of a threat actor group, Equation that hit enterprises and large organizations in various industries and entities like governments, financial institutions, military, telecommunications, and transportation among others across the globe.
The said targeted attack employed different malware tools in order to infiltrate their target networks. These tools include EQUATIONDRUG (detected as TROJ_DOTTUN.VTH), DOUBLEFANTASY (detected as TROJ_EQUATED.A), EQUESTRE, TRIPLEFANTASY (detected as TROJ_EQUATED.A), GRAYFISH (detected as TROJ_EQUATED.A), FANNY (detected as WORM_FANNY.AA), and EQUATIONLASER (detected as BKDR_LASSRV.B). Accordingly, it shares similarities with Stuxnet, Flame, and Regin. Case in point, both Stuxnet and this targeted attack exploits a vulnerability found in shortcut files that allows random execution of code on the infected system.
How do user systems get infected with Equation?
Attackers use the following propagation means/methods in order to spread Equation infection:
Removable drives or USBs
CDs distributed in certain events
Based on reports, attackers did their threat intelligence on
their target networks via checking what sites and forums they (users) often
visit. Once attackers have this information, they will put exploits on the said
websites/forums, which the users download without their knowledge. Another
delivery mechanism they used is via shipped physical media that were supposedly
What exploits were used in this targeted attack campaign?
Equation leveraged vulnerabilities to penetrate its targeted network. For instance, it used two exploits related to Stuxnet such as Windows
Kernel EoP exploit (covered in MS09-025) and LNK vulnerability (covered in CVE-2010-2568).
This leads to the conclusion that this attack may also be related to this
threat. Attackers also leveraged the
zero-day exploit found in Internet Explorer, which was covered in CVE-2013-3918. In addition, it also used two TFF exploits
addressed in MS12-034 and MS13-081, respectively.
I am already using Trend Micro products. Am I protected from this
Yes. Trend Micro product users are protected from this
targeted attack via the following solutions:
Deep Discovery provides 360-degree network-wide visibility,
insight and control that enterprises and government organizations need in order to
reduce the risk of Advanced Persistent Threats (APTs) and targeted attacks.
Deep Discovery uniquely detects and identifies evasive
threats in real-time, and provides in-depth analysis and actionable
intelligence needed to prevent, discover and contain attacks against corporate
Micro Deep Discovery Inspector is able to protect users and enterprises
from Equation through a customized sandbox that identifies and analyzes the behavior
of malware tools such as EQUATIONDRUG (detected as TROJ_DOTTUN.VTH),
DOUBLEFANTASY (detected as TROJ_EQUATED.A), EQUESTRE, TRIPLEFANTASY (detected
as TROJ_EQUATED.A), GRAYFISH (detected as TROJ_EQUATED.A), FANNY (detected as WORM_FANNY.AA),
and EQUATIONLASER (detected as BKDR_LASSRV.B) that are invisible to standard
Cloud and Data Center
Security provides a comprehensive server security platform designed to protect
virtualized data centers from data breaches and business disruptions while
Trend Micro Deep Security users are protected from the
exploits used by Equation campaign in order to infiltrate the network via the
following DPI rules:
For TTF exploit addressed in MS12-034:
1005008 - Win32k TrueType Font Parsing Vulnerability (CVE-2012-0159)
For LNK vulnerability covered in CVE-2010-2568:
1004314 - Identified LNK/PIF File Over SMTP
1004293 - Identified Microsoft Windows Shortcut File Over Network Share
1004294 - Identified Microsoft Windows Shortcut File Over WebDav
1004308 - Identified PIF File Over HTTP
1004304 - Identified Suspicious Microsoft Windows Shortcut File Over Network Share
1004302 - Microsoft Windows Shortcut Remote Code Execution
1005779 - Microsoft Internet Explorer ActiveX Control Code Execution Vulnerability (CVE-2013-3918)
1005785 - Restrict Information Card Signin Helper ActiveX Control
Properly-configured endpoint solutions can ensure the prevention of coming into the machine or network. Components of OfficeScan Corporate Edition (OSCE) such as SmartScan, Web Reputation Service, Behavior Monitoring, and Smart Feedback offer the best protection against the attacks by Equation group via detecting the malicious files.