In the Equation Group dump many of the implants can announce themselves with beacons, especially the BIOS implants. These beacons are disguised as normal network packets, likely directed at fake hosts, to be intercepted by intermediate infrastructure. The list in BLATSTING beacon listening post module gives a possible list of disguises:

FEINTCLOUD DNSDIRECT
FEINTCLOUD HTTP1
FEINTCLOUD NTP1
FEINTCLOUD PING-2
FEINTCLOUD PING_1_L
FEINTCLOUD TCPSYN

Beaconing would be silly when a host is implanted though remote exploitation as the target IP and the topology of their network is obviously known.

However I suppose that these are used when a host is implanted e.g. along the supply chain and it is unknown where it is going to end up on the network.

It would be interesting to look into this further to get an handle on which networks and hosts are infected. The above kinds of packets are typical ways to hide within a crowd on the internet, but periodical announcements with certain properties may stick out.

The “FEINTCLOUD” name doesn’t seem to turn up anything on Google. Has anyone encountered this project in one of the Snowden documents? It vaguely rings familiar.

Edit 2016-09-04: it looks like BBANJO (BANANABANJO?) in the BANANAGLEE framework is also a beaconing module, and various versions are available in the dump (Firewall/BANANAGLEE/*/Install/LP/Modules/PIX/BBANJO-*). May be interesting to reverse-engineer to get more insight. Could be fairly straightforward as local symbols such as obfuscate_payload1 are still present.

Note: I’m continuing work on reverse-engineering the BLATSTING rootkit and reporting here.