Cybersecurity researchers have offered an in-depth look at a tool called DoubleFeature that is dedicated to logging the different stages of post-exploitation following the deployment of DanderSpritz, a full-featured malware framework used by the Equation Group.
DanderSpritz came to light on April 14, 2017, when a hacking group called the Shadow Brokers leaked the exploit tool, among others, under a dispatch titled "Lost in Translation." Also included in the leaks was EternalBlue, a cyberattack exploit developed by the U.S. National Security Agency (NSA) that enabled threat actors to carry out the NotPetya ransomware attack on unpatched Windows computers.
The tool is a modular, stealthy, and fully functional framework that relies on dozens of plugins for post-exploitation activities on Windows and Linux hosts. DoubleFeature is one of them, and it functions as a "diagnostic tool for victim machines carrying DanderSpritz," researchers from Check Point said in a new report published Monday.
"DoubleFeature could be used as a sort of Rosetta Stone for better understanding DanderSpritz modules, and systems compromised by them," the Israeli cybersecurity firm added. "It's an incident response team's pipe dream."
Designed to maintain a log of the types of tools that could be deployed on a target machine, DoubleFeature is a Python-based dashboard that also doubles as a reporting utility to exfiltrate the logging information from the infected machine to an attacker-controlled server. The output is interpreted using a specialized executable named "DoubleFeatureReader.exe."
Some of the plugins monitored by DoubleFeature include remote access tools called UnitedRake (aka EquationDrug) and PeddleCheap, a stealthy data exfiltration backdoor dubbed StraitBizarre, an espionage platform called KillSuit (aka GrayFish), a persistence toolset named DiveBar, a covert network access driver called FlewAvenue, and a validator implant named MistyVeal that verifies whether the compromised system is indeed an authentic victim machine and not a research environment.
"Sometimes, the world of high-tier APT tools and the world of ordinary malware can seem like two parallel universes," the researchers said. "Nation-state actors tend to [maintain] clandestine, gigantic codebases, sporting a huge gamut of features that have been cultivated over decades due to practical need. It turns out we too are still slowly chewing on the 4-year-old leak that revealed DanderSpritz to us, and gaining new insights."