BUZZDIRECTION: BLATSTING reloaded

This time I will be taking a cursory look at a different malware framework in the EQGRP free dump: BUZZDIRECTION. BUZZDIRECTION is another modular rootkit, but more extensive than BLATSTING. This list classifies it as “a firewall software implant for Fortigate firewalls”, just like BLATSTING. Maybe it is just a successor for the same purpose, but maybe it is something more.


Imported back-catalogue

I’ve finally imported the posts from my old blog on blog.visucore.com, so that I can retire it and make it a redirect here. I’ve carefully tried to keep the slugs the same so that content will appear in the same place. This was partially manual work. Some links and formatting may be broken, either during the process or due to bit rot over time (the oldest posts are from 2010!). Let me know (or submit a pull request on github) if this is the case…


BLATSTING Command-and-Control protocol

In this installment I’m going to describe the Command-and-Control (or C&C) protocol of BLATSTING. This is the protocol used in the network traffic between the malware and the person controlling it. I’m also going to see whether this traffic can be detected.


TADAQUEOUS moments

The one mystery module in the BLATSTING rootkit/malware/implant/… in the Equation Group dump is m12000000, or TADAQUEOUS. There is only one mention of it in the various documentation and scripts:


FEINTCLOUD

In the Equation Group dump many of the implants can announce themselves with beacons, especially the BIOS implants. These beacons are disguised as normal network packets, likely directed at fake hosts, to be intercepted by intermediate infrastructure. The list in the BLATSTING beacon listening-post module gives a possible set of disguises:


BLATSTING FUNKSPIEL

I’ve done a bit of reverse-engineering on the BLATSTING “modular rootkit” implant which was part of the recent Equation Group leak. I find it interesting as it injects into the Linux kernel, intercepts network traffic, and even injects packets so as to redirect browser users to a site with pre-packaged exploits.
