Analysis of Equation Group and espionage platform discovers another link to the NSA

March 12, 2015

Researchers continue to analyze the digital artifacts tied to the Equation Group, a nation-state threat actor that has been active for almost twenty years, and to present their discoveries to the public.

They shared more information about EquationDrug, an espionage platform that the group used for over a decade and which has since been replaced by a more sophisticated one dubbed GrayFish.

“The EquationDrug platform includes dozens of executables, configurations and protected storage locations,” they explained. “The architecture of the whole framework resembles a mini-operating system with kernel-mode and user-mode components carefully interacting with each other via a custom message-passing interface. The platform includes a set of drivers, a platform core (orchestrator) and a number of plugins. Every plugin has a unique ID and version number that defines a set of functions it can provide. Similar to popular OS kernel designs, such as on Unix-based systems, some of the essential modules are statically linked to the platform core, while others are loaded on demand.”
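The quoted description amounts to a plugin architecture: a core that routes messages, modules identified by a unique ID and version that together define the functions each module provides, and a split between modules linked into the core and modules loaded on demand. The following Python model is an added illustration written for this page, not code from the report or from any sample; every plugin ID, version number and function name in it is a constructed placeholder. It shows how such a core resolves a message to a provider and how an analyst can diff the (ID, version) pairs recovered from a host against a catalogue of known modules, which is the practical use of the ID/version scheme on the defensive side.

```python
"""Illustrative model of a plugin/orchestrator design with on-demand loading.

Added example for this page; not code from the Equation Group report.
All plugin IDs, versions and function names below are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Plugin:
    plugin_id: int          # unique ID (constructed placeholder)
    version: int            # version number (constructed placeholder)
    functions: frozenset    # functions this (ID, version) pair provides


@dataclass
class Message:
    function: str
    payload: dict = field(default_factory=dict)


class Orchestrator:
    """Platform core: 'static' plugins are present from the start, the rest are
    only registered as loadable and instantiated the first time they are needed."""

    def __init__(self, static_plugins, loadable_plugins):
        self.loaded = {p.plugin_id: p for p in static_plugins}
        self.loadable = {p.plugin_id: p for p in loadable_plugins}
        self.load_log = []  # order in which on-demand plugins were loaded

    def _provider_for(self, function):
        # Already-loaded plugins take priority over loadable ones.
        for p in list(self.loaded.values()) + list(self.loadable.values()):
            if function in p.functions:
                return p
        return None

    def dispatch(self, msg):
        """Route a message to the plugin providing msg.function, loading on demand."""
        p = self._provider_for(msg.function)
        if p is None:
            raise KeyError(f"no plugin provides {msg.function}")
        if p.plugin_id not in self.loaded:
            self.loaded[p.plugin_id] = self.loadable.pop(p.plugin_id)
            self.load_log.append(p.plugin_id)
        return (p.plugin_id, p.version, msg.function)


def inventory_diff(observed, catalogue):
    """Analyst-side helper: compare (ID, version) pairs recovered from a host with
    a catalogue of known plugins. Unknown IDs and unexpected versions are flagged."""
    known = {(p.plugin_id, p.version) for p in catalogue}
    known_ids = {p.plugin_id for p in catalogue}
    unknown_id = sorted(i for i, _ in observed if i not in known_ids)
    new_version = sorted((i, v) for i, v in observed
                         if i in known_ids and (i, v) not in known)
    return {"unknown_id": unknown_id, "new_version": new_version}


# Constructed catalogue of three plugins (IDs, versions, functions are placeholders).
NET = Plugin(0x10, 1, frozenset({"net.send", "net.recv"}))
STORE = Plugin(0x20, 2, frozenset({"store.put", "store.get"}))
FS = Plugin(0x30, 1, frozenset({"fs.list"}))
CATALOGUE = [NET, STORE, FS]


def demo():
    """Two statically linked plugins, one loadable; FS is loaded only on first use."""
    core = Orchestrator(static_plugins=[NET, STORE], loadable_plugins=[FS])
    results = [
        core.dispatch(Message("store.get")),
        core.dispatch(Message("fs.list")),   # triggers on-demand load of FS
        core.dispatch(Message("fs.list")),   # already loaded, no second load
    ]
    return results, core.load_log


if __name__ == "__main__":
    print(demo())
    observed = {(0x10, 1), (0x30, 1), (0x40, 1), (0x20, 3)}  # constructed host view
    print(inventory_diff(observed, CATALOGUE))
```

The `inventory_diff` output is the part an incident responder actually cares about: a plugin ID absent from the catalogue, or a known ID at a version the catalogue has not seen, is exactly the signal that a module set on a host differs from the documented framework.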

