8 May 2019

Chinese-linked cyberspies used Equation Group tools at least a year before Shadow Brokers leak

Between August 2016 and April 2017, a mysterious group calling itself the Shadow Brokers released several dumps of tools attributed to the NSA-linked Equation Group, which is considered one of the most technically adept espionage groups. The exposed data contained a significant amount of code, including the DoublePulsar backdoor, the FuzzBunch framework, and the EternalSynergy, EternalRomance and EternalBlue exploits. Many threat actors and malware authors were quick to seize the opportunity and add the tools to their arsenals; for instance, the EternalBlue exploit was used in the devastating May 2017 WannaCry ransomware outbreak.

However, Symantec's research suggests that a Chinese-linked group, known as Buckeye, APT3, UPS Team, Gothic Panda and TG-0110, was using the same NSA-linked tools at least a year before they were publicly leaked. According to the report, in March 2016 the group began using a variant of the DoublePulsar backdoor designed to stealthily collect information and run malicious code on a target's machine. DoublePulsar was delivered to victims by a custom tool, Trojan.Bemstour, built specifically to install it.

The Bemstour trojan allowed the attackers to achieve remote kernel code execution on targeted computers by chaining two Windows bugs: CVE-2019-0703, which was a zero-day at the time, and CVE-2017-0143. The first is an information disclosure vulnerability that on its own yields no code execution but can be combined with other bugs to achieve it; the second is a remote code execution flaw in the SMBv1 server that allows remote attackers to execute arbitrary code via crafted packets. Microsoft patched CVE-2019-0703 in March 2019, and CVE-2017-0143 in March 2017 as part of the MS17-010 update, the same bulletin that fixed the EternalBlue bug.
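The practical takeaway from the Bemstour chain is that the delivery path still depends on an SMBv1 server being reachable and unpatched. The following PowerShell audit script is an added example, not code from Symantec's report or from the article; it checks whether a Windows host (Windows 8 / Server 2012 or later is assumed for the Smb* cmdlets) still exposes SMBv1 and optionally disables it. The `$MS17010Kbs` list is a placeholder the operator fills in with the KB IDs that MS17-010 ships under for the specific OS build, since those differ per version.

```powershell
# Added audit/hardening example (not from the Symantec report or the article):
# checks whether a Windows host still exposes the SMBv1 server that CVE-2017-0143
# (MS17-010) targets, and optionally disables it. Run from an elevated session.
# Usage:  .\Check-Smb1.ps1          (audit only)
#         .\Check-Smb1.ps1 -Fix     (audit and disable SMBv1)
param([switch]$Fix)

# Server-side SMBv1 switch (available on Windows 8 / Server 2012 and later)
$cfg = Get-SmbServerConfiguration
if ($cfg.EnableSMB1Protocol) {
    Write-Warning "SMBv1 server protocol is ENABLED: reachable by MS17-010-class exploits if unpatched"
    if ($Fix) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Write-Output "SMBv1 server protocol disabled"
    }
} else {
    Write-Output "SMBv1 server protocol is disabled"
}

# The optional Windows feature that installs the SMBv1 components (Windows 8.1/10 clients;
# on Server editions the equivalent is Get-WindowsFeature FS-SMB1)
$feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feat -and $feat.State -eq 'Enabled') {
    Write-Warning "SMB1Protocol optional feature is installed"
    if ($Fix) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
        Write-Output "SMB1Protocol feature removal scheduled (reboot required)"
    }
}

# Patch state: MS17-010 ships under a different KB per OS version, so the operator
# supplies the KB IDs for this build from Microsoft's bulletin. (Assumption: this
# list is filled in by hand; it is empty here on purpose.)
$MS17010Kbs = @()
if ($MS17010Kbs.Count -gt 0) {
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $missing = $MS17010Kbs | Where-Object { $_ -notin $installed }
    if ($missing) {
        Write-Warning "MS17-010 fix not found: $($missing -join ', ')"
    } else {
        Write-Output "MS17-010 fix present"
    }
}
```

Disabling SMBv1 removes the delivery path the article describes, but it does not clean a host that was already implanted: a machine that answers the audit cleanly today may still have been compromised before the change, so the check belongs alongside, not instead of, a hunt for the backdoor itself.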

According to Symantec, Buckeye used the tools from March 2016 to mid-2017 in attacks on telecommunications companies, scientific research firms and educational institutions. The attacks targeted organizations in Belgium, Hong Kong, Luxembourg, the Philippines and Vietnam.

“How Buckeye obtained Equation Group tools at least a year prior to the Shadow Brokers leak remains unknown”, noted the researchers.

Buckeye had been active since at least 2009, but appears to have ceased operations in mid-2017. In late November 2017, the US government formally charged three Chinese nationals over attacks the group launched against Siemens, Trimble and Moody's Analytics. However, despite finding no evidence of further Buckeye activity, Symantec found that development of Bemstour continued into 2019. The most recent Bemstour sample seen by the researchers appears to have been compiled on March 23, 2019, eleven days after Microsoft patched the zero-day. It is unclear who continued to use the tools in 2018 and 2019; the researchers do not exclude the possibility that Buckeye passed some of its tools to an associated group.
