Security researchers at Check Point Research have published an in-depth analysis of DanderSpritz, a full-featured post-exploitation framework used by the Equation Group hackers.
DanderSpritz first came to light on April 14, 2017, when a hacking group known as the Shadow Brokers leaked the exploit tool as part of the “Lost in Translation” leak.
The framework is modular and contains a wide variety of tools for persistence, reconnaissance, lateral movement, bypassing antivirus engines and conducting other malicious activities. Among these tools are plugins and complex components, including DoubleFeature, a Python-based dashboard, which, according to its own internal documentation “generates a log & report about the types of tools that could be deployed on the target.”
“A lot of the framework tools, in their own internal documentation, make the chilling claim that DoubleFeature is the only way to confirm their existence on a compromised system. After some pause, we figured that at least this means DoubleFeature could be used as a sort of Rosetta Stone for better understanding DanderSpritz modules, and systems compromised by them. DoubleFeature effectively, well, doubles as a diagnostic tool for victim machines carrying DanderSpritz,” the researchers noted in their report.
Due to its unique function as a logging module, DoubleFeature collects a large amount of data of various types. It writes all its log data to a debug log file named ~yh56816.tmp, which is encrypted using the AES algorithm. Unless the user changes the key manually, the default one used is badc0deb33ff00d.
Plugins monitored by DoubleFeature include remote access tools called UnitedRake (also known as EquationDrug) and PeddleCheap, a stealthy data exfiltration backdoor dubbed StraitBizarre, an espionage platform called KillSuit (aka GrayFish), DiveBar (the part of KillSuit responsible for persistence methods), a parsing tool for the logging data called DiceDealer, and MistyVeal, an implant used to verify that the targeted system is indeed an authentic victim and not a research environment.
“It’s not often that we get such a candid glimpse into tools of this degree of sophistication, as the Shadow Brokers leak allowed us. The DanderSpritz-tier projects of the world are naturally covered by a shroud of secrecy — even, as we’ve seen, from fellow APT actors, who can maybe at best get their hands on a rival tool once in a blue moon, as happened with EpRom which led to the creation of Jian. As an industry, it turns out we too are still slowly chewing on the 4-year-old leak that revealed DanderSpritz to us, and gaining new insights. On the defenders’ side, we have the duty to study these marvels of infosec engineering carefully and apply the lessons learned — before lower-tier, run-of-the-mills attacker do the same,” Check Point said.