[Disillusion]

I've managed to find infected boot sectors on VT but I'm looking for droppers for either.

http://www.microsoft.com/security/porta ... true#tab=1

Thanks

EDIT: Topic changed/moved to "[APT] Equation"

[Xylitol]

I've found only DOS/Fetrog.A that you have already probably.

[R136a1]

Hi folks,

attached is the x64 driver of Trojan:WinNT/Fetrog.A from 2012. Except a signature from Microsoft, there is no public information available about this malware. It seems to be a bigger project, maybe it's more than just another Chinese patchwork...

Remarkable strings:

KSDriver.pdb
\??\C:\Windows\TEMP\Net_U1ocike._2k
\??\C:\Windows\TEMP\f3t_0g.dat
\DosDevices\rmpdk0g
\Registry\Machine\System\CurrentControlSet\Services\ati2mtag\Parameters
\registry\machine\SYSTEM\CurrentControlSet\Services\EmcOM\Parameters
perfnw

[R136a1]

Seems to be a module of Equation:
https://securelist.com/blog/research/68 ... re-galaxy/

[Es07er1K]

Here are some samples from the Equation group.

[CloneRanger]

@ Xylitol & R136a1 & Es07er1K

Thanx for the nasties. I'll see which, if any, can penetrate my defences. I tried to give you all a thumbs up, but the board only let me give one !

[stevegs1821]

Has anyone been able to replicate, or directly observe, the HD Firmware modification (reprogramming)? Interested in steps and findings . . .

[R136a1]

@Es07er1K
Next time, please give credits when you upload samples which do not come from yourself.

@Admin
Can you rename the thread title to include the group's dubbed name "Equation", please. Thanks!

[asido]

Handle is created in In sub_415d50

Code: Select all

HANDLE hDevice = CreateFile("\\\\.\\NUL", 0xC0000000, 0, 0, 3, 0x80, 0);

DeviceIoControl is used to operate with handle returned by CreateFile in sub_413cb0.

Code: Select all

DeviceIoControl(hDevice, 0x85892400, 0, 0, &OutBuffer, 4, &BytesReturned, 0);

sub_4154d0 is a constructor of class which a created in sub_40ad9b through sub_40edd1 which gets pointer.

what is needed to do with equation files?

[oep_000]

You can read this article

GrayFish hooked DeviceIoContorl for Null.sys with win32k.sys vulnerability
and send IOCTL for WriteFile and CreateReg and ....
:D