Here I’ve taken the environment from the BLATSTING Command-and-Control protocol article and extended it, so that the emulator works as a router between an internal network with our victim and an external network, a mock version of the internet with just our attacker and one web server:
SECONDDATE is the most well-known of the spy toys in the EQGRP dump. It is a Man-in-the-Middle attack tool that is installed on intermediate routers. It can be used to fake DNS replies as well as inject HTTP redirects. This Intercept article does a great job of explaining the operational side.
Among BLATSTING’s modules is one named crypto_rsa. Going by the name, one would expect it to implement the well-known asymmetric cryptosystem of the same name.
This time I will be taking a cursory look at a different malware framework in the EQGRP free dump: BUZZDIRECTION. BUZZDIRECTION is another modular rootkit, but more extensive than BLATSTING. This list classifies it as “a firewall software implant for Fortigate firewalls”, just like BLATSTING. Maybe it is just a successor for the same purpose, but maybe it is something more.
This showterm session shows a transcript of a session controlling BLATSTING.
I’ve finally imported the posts from my old blog on blog.visucore.com, so that I can retire it and make it a redirect here. I’ve carefully tried to keep the slugs the same so that content will appear in the same place. This was partially manual work. Some links and formatting may be broken, either during the process or due to bit rot over time (the oldest posts are from 2010!). Let me know (or submit a pull request on github) if this is the case…
In this installment I’m going to describe the Command-and-Control (or C&C) protocol of BLATSTING. This is the protocol used in the network traffic between the malware and whatever the person controlling it uses. I’m also going to see whether this traffic can be detected.
The one mystery module in the BLATSTING rootkit/malware/implant/… in the Equation Group dump is m12000000, or TADAQUEOUS. There is only one mention of it in the various documentation and scripts:
In the Equation Group dump many of the implants can announce themselves with beacons, especially the BIOS implants. These beacons are disguised as normal network packets, likely directed at fake hosts, to be intercepted by intermediate infrastructure. The list in the BLATSTING beacon listening post module gives a possible list of disguises:
I’ve done a bit of reverse-engineering on the BLATSTING “modular rootkit” implant which was part of the recent Equation Group leak. I find it interesting as it injects into the Linux kernel, intercepts network traffic, and even injects packets so as to redirect browser users to a site with pre-packaged exploits.