ShadowBrokers offers for sale the stolen NSA Windows Hacking Tools

Pierluigi Paganini January 11, 2017

The ShadowBrokers, the hacker crew that stole the arsenal of the NSA-linked Equation Group, is offering for sale the stolen NSA Windows hacking tools.

The ShadowBrokers is the hacker crew that leaked a portion of the arsenal of the NSA-Linked Equation Group, a precious archive containing hacking tools and exploits.

At the end of October, the hackers leaked a fresh dump containing a list of servers that were hacked by the NSA-linked group known as Equation Group.

The Equation Group compromised these targets using the hacking tools codenamed INTONATION and PITCHIMPAIR. The ShadowBrokers provided links to two distinct PGP-encrypted archives: the first one was offered for free as proof of the hack (its passphrase was ‘auctioned’), while for the second one the group requested 1 million BTC.

The first archive contained roughly 300 MB of data, including firewall exploits, hacking tools, and scripts with cryptonyms like BANANAUSURPER, BLATSTING, and BUZZDIRECTION.

The security researcher Mustafa Al-Bassam published an interesting post that lists all the exploits, implants, and tools for hacking firewalls (“Firewall Operations”) included in the dump.

The Equation Group’s hackers targeted products made by Cisco, Fortigate, Juniper, TOPSEC, and Watchguard.

The majority of the files are at least three years old; the newest timestamp dates to October 2013.

In early October, TheShadowBrokers complained that no one seemed to be bidding on their precious archive; an alleged member of the hacker group expressed his dissent over the lack of interest in ponying up bitcoins to release the full NSA data dump.

In early December 2016, the group announced the launch of a crowdfunding campaign for the stolen arsenal because its auction had received offers for less than two bitcoins.

We last met the Shadow Brokers in December 2016, when they changed their sales model, offering the NSA’s hacking arsenal for direct sale on an underground website.

The hacking group is back, and now it is selling another package of hacking tools, “Equation Group Windows Warez.” The new archive includes a collection of Windows exploits and tools to evade detection by antivirus solutions.

The first malware, the Remote Administration Tool (RAT) “DanderSpritz,” was included in the collection of documents leaked by Edward Snowden.

The group posted a message on their ZeroNet website, announcing the sale of the entire “Windows Warez” archive for 750 Bitcoin (around US$678,630).

The data dump offered for sale contains several hacking tools grouped in the following categories:

  • Fuzzing tools (used to discover errors and security loopholes)
  • Exploit Framework
  • Network Implants
  • Remote Administration Tools (RAT)
  • Remote Code Execution Exploits for IIS, RDP, RPC, SMB Protocols (Some Zero-Days)
  • SMB BackDoor (Implant)

The malware researcher Jacob Williams published an analysis of the archive of “screenshots and output of the find command across the dump” provided by the ShadowBrokers. Williams started by searching for information on the term “Psp_Avoidance,” which appears in one of the screenshots published by the group.

After running some Google queries with the term “psp computer network operations,” the researcher got back, as the fifth result, a page from ManTech. The page details the ACTP CNO Programmer Course, and the course documentation indicates that PSP is an acronym for “Personal Security Product.”

“So, circling back around, what is Psp_Avoidance? Obviously, we don’t know – but if the acronym is correct, it would seem to be software built to evade personal security products, which directory listings suggest (as does ManTech) are antivirus programs,” wrote the expert.

“Should you run antivirus products? Sure. At Rendition Infosec we tell customers that operating without AV is like driving a car with no airbags. But this dump suggests that advanced attackers have mitigations for antivirus products – a sobering reality for organizations without defense in depth.”

The only certainty at this moment is that a powerful arsenal is available for sale, one that includes hacking tools that could be exploited by a threat actor in the wild for large-scale espionage campaigns.

But since this time the group has put Windows hacking tools up for sale, chances are that hackers and espionage groups will be interested in buying them.

Pierluigi Paganini

(Security Affairs –  The Equation Group, ATP)


