Sophisticated Self-Destructing Equation Malware Infects Thousands of Servers Worldwide

A group called Equation has reportedly been using multiple types of malware since 1996 to stage cyber attacks.

Cheryl Kemp

February 17, 2015

This article originally appeared at The WHIR

Researchers have discovered a sophisticated, self-destructing malware that has the ability to affect hard drive firmware.

According to a report released on Monday by Kaspersky Lab, a group called Equation has been using multiple types of malware since 1996 to stage cyber attacks. “The Equation group is probably one of the most sophisticated cyber attack groups in the world,” said the report, “and they are the most advanced threat actor we have seen.”

Kaspersky identified more than 500 victims worldwide, but because the malware contains a self-destruct mechanism, it estimates the actual number of victims to be in the tens of thousands. Servers, domain controllers, data warehouses, website hosting and other types of servers have been found with infections.

Command and control infrastructure used by Equation includes 300 domains and more than 100 servers in several countries including the US, UK, Italy, Germany, Netherlands, Panama, Costa Rica, Malaysia, Colombia and Czech Republic.

Data collection and spying continue to make news, driven by surveillance software of a complexity never seen before. In November, Symantec disclosed Regin, noting: “The level of sophistication and complexity of Regin suggests that the development of this threat could have taken well-resourced teams of developers many months or years to develop and maintain.” The newly identified software used by the Equation group is even more complex.

Called Equation for its love of algorithms and sophisticated threat methods, the group uses at least six kinds of malware to wreak havoc on unsuspecting Windows systems. Equationdrug, doublefantasy, grayfish, equestre, triplefantasy and fanny are the varieties of malware identified in the report. Grayfish is the most complex of the tools; it resides in the registry and uses a bootkit to execute at startup.

Doublefantasy is initially used on victims to identify whether they are interesting enough to be targeted and to keep a backdoor open in the system. If the target is deemed interesting, the Equation group moves forward with installing equationdrug on older operating systems and grayfish or triplefantasy on systems running Windows 7 or newer. These programs allow for full control of the operating system. The malware is primarily designed for Windows systems; however, Kaspersky did find evidence indicating there may be a Mac version of doublefantasy as well. It also noticed different code being served to iPhone users, which indicates they are also being targeted.

“GRAYFISH is the most modern and sophisticated malware implant from the Equation group,” according to the report. “It is designed to provide an effective (almost “invisible”) persistence mechanism, hidden storage and malicious command execution inside the Windows operating system.” The scariest thing about this piece of software is that it is the most complex Kaspersky has ever seen, suggesting “developers of the highest caliber are behind its creation.”

Based on the level of development, and on the most targeted countries being Iran, Russia, Pakistan, Afghanistan, India, China, Syria and Mali, it is speculated that the NSA or another government entity may be behind the Equation group. Target groups included governments and diplomatic institutions, telecommunications, aerospace, energy, nuclear research, oil and gas, military, nanotechnology, Islamic activists and companies developing cryptographic technologies, giving further support to the idea that the Equation group may be backed by government interests.

“Although the implementation of their malware systems is incredibly complex, surpassing even Regin in sophistication, there is one aspect of the EQUATION group’s attack technologies that exceeds anything we have ever seen before,” the report stated. “This is the ability to infect the hard drive firmware.”

Because it lives in the drive firmware, the malware can survive a hard drive reformat and operating system reinstall.
