Analysis of the Equation Group’s EQUATION DRUG Platform—Equation Group Series Analysis Report – Part IV

1. Release Notes for This Version
Building upon its previous report, Antiy has added a modular building block diagram illustrating how the Equation Group organizes its host operations. The diagram gives a first view of how modules that break host intelligence operations down into “atomic” components are assembled. In this version, Antiy CERT has also refined the analysis of some modules, although the current analysis still covers only a small portion of them.
A few days ago, Antiy CERT released this incomplete analysis result, tentatively termed an “outline”. This wasn’t because we hoped for a “quick fix” and hastily released some superficial progress, but rather because we needed more suggestions and criticism. Fortunately, after the previous version was released, we received candid and sharp criticism from industry experts, making Antiy realize that when facing this set of attack modules from 2007-2008, the analysis team once again experienced the same confusion as when analyzing “Flame” (although Antiy had once thought it had a clearer understanding than then). These complex modules unfold like a set of puzzle pieces, each with a meaningful pattern, but if you follow them one by one, these patterns form a huge maze. The maze is confusing not because it’s full of dead ends, but because it seems to have exits everywhere, yet none of the pieces provide sufficient clues for the entrant. At this point, the greatest expectation is not just a pen to mark the places we’ve been, but to sprout wings and take flight, overlooking the entire maze. Of course, this is a self-expectation to improve analytical methodology. Although we are currently without wings, we may be able to develop a bit of intuition.
Antiy’s work on reconstructing the data is still in its early stages, but we are somewhat gratified to be able to release a new version of the analysis report before the Chinese New Year. Cybersecurity is an industry that demands constant vigilance and diligence. Our analysis will continue, and even amidst fireworks and firecrackers we must remain vigilant, keeping a close eye on disassembled code and threat dynamics.
Thank you to our industry experts and colleagues for your attention and support to Antiy, and thank you to Antiy customers for your trust in Antiy products and services. Happy Chinese New Year to everyone!
2. Background
For the Equation Group, Antiy has published three analysis reports in the past two years. In the report “A Trojan That Modifies Hard Drive Firmware: Exploring the Attack Components of the EQUATION Group”[1], Antiy analyzed multiple modules and verified the mechanism by which they write to hard disk firmware; in the report “Analysis of Encryption Techniques in Some Components of the Equation”[2], the encryption methods used in the attack components were cracked; and in the report “From “Equation” to “Equation Group”—An Analysis of the Cross-Platform Capabilities of the EQUATION Hacking Group’s Advanced Malware”[3], Antiy exclusively provided sample analysis of Equation on Linux and Solaris systems, the first public analysis in the industry to officially confirm the existence of these “evil spirits”.
Just like developing anti-APT products, APT analysis requires a solid foundation of accumulated knowledge; Rome wasn’t built in a day. For a super-attack group as vast and elusive as Equation, the specific analysis work Antiy has conducted in the past has been akin to “the blind men and the elephant”. Once elusive clues fall within a scope Antiy has already explored, we can quickly release our accumulated findings; however, when facing an area that has not been fully investigated, it requires more time to conduct the analysis. Therefore, compared to the three previous in-depth reports on Equation that Antiy has released, the current version of this report remains somewhat rushed. Consequently, Antiy insists on referring to it as an “outline”, aiming to spark further discussion and invite more fellow teams to join the analysis effort, so as to further reveal the full picture.
The analysis presented here revolves around the 61 files of the Equation Group component released by the “Shadow Brokers” on January 12, 2017[4]. The analysis revealed that the 61 released files contain the Equation Group component and some plugins of the DanderSpritz (RAT) tool. DanderSpritz is one of the NSA’s (National Security Agency) spy tools, and a large number of DanderSpritz plugin names were also included in the Windows attack tools [5] released by the “Shadow Brokers” on January 7.
The EquationDrug component is a complex modular platform that existed for nearly 10 years before being upgraded and replaced by GrayFish. The evolution from EquationDrug to GrayFish represents a platform-level malware system with plugin installation and uninstallation capabilities. In the files released by the “Shadow Brokers”, Antiy CERT discovered even more plugins belonging to the EquationDrug component. Analysis revealed that these plugins are older versions than those previously analyzed by Antiy, but they contain modules that the industry had not detected before.
3. Timeline of Equation Clues Exposure and Analysis Results
Starting in 2013, Antiy gradually discovered an attack organization with full-platform payload attack capabilities through sample analysis, and progressively correlated and analyzed samples from multiple platforms. During this process, Antiy sensed the existence of a large, almost invisible, super-attack organization, but failed to uncover its attack background.
In February 2015, Kaspersky Lab exposed an attack group called Equation Group[6], which attracted global attention. Kaspersky believed that the group had been active for nearly 20 years and was probably one of the most sophisticated APT attack groups in the world. Kaspersky also believed that the group was the manipulator behind Stuxnet and Flame. After comparing clues, Antiy found that this was the super attack group it had been tracking. Antiy decided to publish, in report form, the group’s mechanism for manipulating hard disk firmware[1] and some of its encryption algorithms that Antiy had cracked[2], which formed the first two reports of Antiy’s series of analyses on the Equation Group.
In March 2015, Kaspersky Lab released an analysis of the Equation Drug component or platform[7]. Equation Drug is one of the main spy components or platforms used by the Equation Group, dating back to 2001 and still in use today. The architecture of this component or platform is similar to a miniature operating system with kernel mode and user mode, interacting through a custom interface. The component or platform includes drivers, a platform kernel (coordinator), and several plugins, some of which are equipped with unique IDs and version numbers to define related functions, etc.
In August 2016, an individual (or organization) calling itself “Shadow Brokers” claimed to have hacked into the cyber espionage organization Equation [8] and publicly “auctioned” the attack tools it possessed from Equation for 1 million bitcoins (worth approximately $560 million at the time). Equation was believed to have ties to the NSA. To prove the authenticity of the successful intrusion, “Shadow Brokers” encrypted and released these attack tools on the open-source project hosting platform GitHub on the 13th of that month, and intentionally released a small number of the attack tools in plaintext.
In August 2016, Kaspersky Lab confirmed that the exposed data was related to the Equation Group by comparing the data released by the Shadow Brokers against known Equation Group material [9]. In October 2016, the Shadow Brokers launched another auction of attack tools[10] and claimed that the Equation Group attack tools released on GitHub accounted for only 60% of the tools they possessed.
In November 2016, the Shadow Brokers released a list of compromised servers[11] and claimed that the attackers were linked to the NSA. The list showed that the systems were compromised between 2000 and 2010, and the compromised IPs and domains were distributed in 49 countries, mainly in the Asia-Pacific region. The affected countries included China, Japan, South Korea, Spain, Germany, India and others. Antiy imported this data into the Antiy Situation Awareness and Early Warning Platform, resulting in the visualization shown below.
The servers mentioned in the Shadow Brokers’ revelation may be running Linux, FreeBSD and Solaris. At two technical conferences in the first half of 2016, Antiy had already clearly stated that Equation had samples for multiple system platforms, including Linux and Solaris, and on November 5, 2016 Antiy finally released the analysis report on some Equation sample payloads for Linux and Solaris (Antiy Equation Series Report No. 3) [3].

Figure 3-1 Antiy Situation Awareness and Monitoring and Early Warning Platform: Visualized Reconstruction of the Equation Group’s Intrusions into Global Internet Nodes
Antiy analysis team sorted out the above information about Equation and compiled a timeline of Equation’s exposure and related analysis.

Figure 3-2 Timeline of the Disclosure of Information Related to the Equation Incident and Vendor Analysis
4. DanderSpritz Attack Platform
Antiy’s analysis of the leaked documents and previous Equation materials revealed a connection between Equation’s “EquationDrug” platform and “DanderSpritz” mentioned in the leaked documents:
1. The leaked msgkd.ex_, msgki.ex_, msgks.ex_, and msgku.ex_ are GROK plugins, which are plugins or modules of “DanderSpritz”. This plugin has also appeared on the “EquationDrug” platform. Analysis revealed that the leaked GROK plugins are older versions.
2. One piece of data in the various DLL plugins exposed this time is the plugin ID. The plugin IDs all start with 0x79, such as 0x79A4 and 0x79D8. Similarly, the plugins on the “EquationDrug” platform also have built-in IDs. The plugin IDs on the “EquationDrug” platform start with 0x80, and the data structures of the exported function parameters of the plugins on the two platforms are also similar.
The “EquationDrug” attack platform used by the Equation Group and “DanderSpritz” share the same architectural design. They may be different version names of the same platform, or at least come from the same development team or teams that share resources extensively.

Figure 4‑1 Equation Group’s DanderSpritz Attack Platform

Figure 4‑2 Screenshots of the “Danderspritz” Attack Platform Leaked by the “Shadow Broker”
The files exposed by the “Shadow Broker” are mostly attack plugins for the “DanderSpritz” platform. These include a file list and 61 individual plugin files. The released file list hashes and screenshots reveal a rich and standardized array of attack tools and plugins, including remote control, vulnerability exploits, backdoors, and more. The DanderSpritz_All_Find.txt file alone contains over 7,000 lines, with hundreds of plugins listed. Analysis of the 61 leaked files suggests they fall into two categories: test versions and release versions. The test versions contain plaintext information without encryption and use standard function calls. Release versions lack this information and use dynamic function calls for greater stealth. Timestamps show the test versions were generated approximately 5 seconds earlier than the release versions. Since test versions are not intended for actual attacks, this further confirms that these files were stolen from development and storage environments, rather than captured during an attack.
Table 4-1 Functions of the Leaked Plugin Files
| Test Version | Release Version | Function |
|---|---|---|
| DoubleFeatureDll.dll.unfinalized | | This module creates a thread that executes a function whose address is passed in by the caller. It also contains internal implementations of algorithms such as SHA-256, AES and CRC32. |
| DuplicateToken_Lp.dll | DuplicateToken_Implant.dll | This module obtains a token and performs operations with it. |
| DXGHLP16.SYS | | This module is used for network sniffing, monitoring Ethernet and VPN traffic; it is the version for Windows 9x systems. |
| EventLogEdit_Lp.dll | EventLogEdit_Implant.dll | This module allows editing of event log files. |
| GetAdmin_Lp.dll | GetAdmin_Implant.dll | This module obtains administrator privileges and performs operations. |
| kill_Implant.dll | | This module terminates a process. Its input parameter includes the ID of the process to be terminated. The function is implemented with common system functions such as OpenProcess and TerminateProcess. |
| kill_Implant9x.dll | | This module has the same functionality as kill_Implant.dll, but it is the version for 64-bit systems. |
| LSADUMP_Lp.dll | LSADUMP_Implant.dll | This module reads LSA credentials and performs different operations depending on the input parameters. |
| modifyAudit_Lp.dll | modifyAudit_Implant.dll | This module modifies the audit configuration. |
| modifyAuthentication_Lp.dll | modifyAuthentication_Implant.dll | This module modifies permission authentication. |
| ModifyGroup_Lp.dll | ModifyGroup_Implant.dll | This module modifies user group permissions. |
| ModifyPrivilege_Lp.dll | ModifyPrivilege_Implant.dll | This module modifies user permissions. |
| msgkd.ex_, msgki.ex_, msgks.ex_, msgku.ex_ | | Drops (extracts) the GROK keyboard/clipboard recorder driver. |
| mstcp32.sys | | This module is used for network sniffing, monitoring Ethernet and VPN traffic. |
| nethide_Lp.dll | nethide_Implant.dll | This module hides network connections. |
| ntevt.sys | | This module is an event-logging-related driver. |
| ntevtx64.sys | | This module has the same functionality as ntevt.sys, but it is the version for 64-bit systems. |
| PortMap_Lp.dll | PortMap_Implant.dll | This module performs port mapping. |
| ProcessHide_Lp.dll | ProcessHide_Implant.dll | This module hides processes, restores hidden processes, and performs different operations depending on the input parameters. |
| processinfo_Implant.dll | | This module obtains process information. |
| processinfo_Implant9x.dll | | This module has the same functionality as processinfo_Implant.dll, but it is the version for 64-bit systems. |
| ProcessOptions_Lp.dll | ProcessOptions_Implant.dll | This module sets process execution attributes. |
| pwdump_Lp.dll | pwdump_Implant.dll | This module reads passwords from the system and performs different operations depending on the input parameters. |
| RunAsChild_Lp.dll | RunAsChild_Implant.dll | This module creates child processes and performs operations. |
| tdi6.sys | | This module is used for network sniffing, monitoring Ethernet and VPN traffic. |
| PassFreely_LP.dll | PassFreely_Implant.dll | Under analysis |
| … | … | … |
Table 4-2 Predicted Plugin Functionality Based on Leaked Filenames
| Test Version | Release Version | Predicted Function |
|---|---|---|
| Users_Lp.dll | Users_Implant.dll | View the current user list |
| GroupUsers_Lp.dll | GroupUsers_Implant.dll | Modify the group of a specified user |
| nc.exe | | nc network tool |
| ProcessCheck_Lp.dll | ProcessCheck_Implant.dll | Detect a specified process |
| machineinfo_LP.dll | machineinfo_Implant.dll | Obtain host-related information |
| IpConfig_LP.dll | IpConfig_Implant.dll | Obtain IP information |
| FileAttribs_LP.dll | FileAttribs_Implant.dll | Get file attributes |
| NetstatMon_LP.dll | NetstatMon_Implant.dll | Obtain network status |
| Dns_LP.dll | Dns_Implant.dll | DNS settings |
| language_LP.dll | language_Implant.dll | Obtain language information |
| Environment_LP.dll | Environment_Implant.dll | Obtain environment variable information |
| CheckMouse_LP.dll | CheckMouse_Implant.dll | Mouse-related detection |
| CheckKeyboard_LP.dll | CheckKeyboard_Implant.dll | Keyboard-related detection |
| NetBios_LP.dll | NetBios_Implant.dll | View network shares |
| NetGetDCName_LP.dll | NetGetDCName_Implant.dll | Network hostname retrieval |
| Scheduler_LP.dll | Scheduler_Implant.dll | Scheduled task settings |
| AdUser_LP.dll | AdUser_Implant.dll | Add an account |
| ArpScan_LP.dll | ArpScan_Implant.dll | ARP scan |
| PacketRedirect_LP.dll | PacketRedirect_Implant.dll | Packet redirection |
| PacketScan_LP.dll | PacketScan_Implant.dll | Packet scan |
| RegKeys_LP.dll | RegKeys_Implant.dll | Registry operations |
| RegQuery_LP.dll | RegQuery_Implant.dll | Retrieve registry key values |
| procMon_LP.dll | procMon_Implant.dll | Process monitoring |
| RemoteExecute_LP.dll | RemoteExecute_Implant.dll | Remote execution of executable files |
Antiy CERT sorted out the functions and file lists of the entity files analyzed so far and, combined with the earlier analyses of Equation plugins by Kaspersky[7] and Antiy[1], worked out the possible combinations of these functional plugins during an attack and drew a “Building Block Diagram of the Equation Group’s Host Operation Modules”. The figure shows that the attacker accomplishes each task by combining these plugins. The plugins reflect the following architectural style: instead of writing a single Trojan with highly complex functionality, the functionality is decomposed into highly independent small modules. The granularity of this decomposition is almost “atomic”: even simple operations such as obtaining system information are split into separate modules, for example obtaining environment variables, language settings, or network status. This ensures that an operation on a host can be deployed exactly as needed, maximizing the caution and silence of the operation.
Seen from the perspective of evading host security defenses, this batch of plugins was compiled in 2007, when host-based proactive defense technology had reached maturity. Proactive defense technologies generally use a behavior-weighting approach to judge the nature of unknown files, but modules that each perform only an “atomic” operation never accumulate enough weight to reach the threshold. These individual functional fragments were difficult to detect not only under the circumstances of the time but also from a modern dynamic and static detection perspective: no single fragment has any obviously malicious function, and only when the central scheduling platform coordinates the plugins do they combine into real operational capabilities.
This operational method also makes it difficult for security vendors to obtain the complete modules. Without an effective loader, these modules are difficult to load in a sandbox, making effective behavioral analysis extremely difficult. They are even more difficult to analyze than Trojans that probe virtual environments and then refuse to execute.
Judging from the filenames, the functions of these modules are planned very clearly. Of course, in actual operation, these DLLs may appear in other forms, including possibly using stolen digital certificates for signing. In this case, the Version information of some driver files is expected to be customized with the corresponding digital certificate information, and the filenames used may be consistent with the style of the system or application it is impersonating, or use techniques similar to those used in Stuxnet [12], Duqu[13] and Flame [14] to impersonate pre-compiled or temporary files.
Table 4-3 Digital Signatures and File Naming Conventions Used by A2PT Samples
| A2PT Incident | Signature Information Used | Naming Rules |
|---|---|---|
| Stuxnet | JMicron Technology Corp; Realtek Semiconductor Corp | Counterfeit system files such as MRxCls.sys, S7HKIMDX.DLL, and comspol32.ocx; disguised as OEM or MDM pre-compiled PNF files following Windows naming conventions; and disguised as temporary files. |
| Flame | Asia Trust Digital Signature Test Certificate | Impersonating system filenames, such as MSSECMGR.OCX, icsvntu32.ocx, FRAGWIZ.OCX |
| Duqu | HON HAI PRECISION INDUSTRY CO. LTD; C-Media Electronics Incorporation | Impersonating system filenames, such as adpu321.sys, igdkmd16b.sys, iaStor451.sys |
| Equation | Not yet discovered | Spoofs system filenames, such as mstcp32.sys, DXGHLP16.SYS, tdi6.sys, and disguises itself as a .dat file. |
Of course, these modules may also be deployed in a fileless manner, running directly in memory without any corresponding file on disk.

Figure 4-3 Block Diagram of the Equation Organization Host Operation Module
“DanderSpritz” was exposed during the “Prism” incident, and DNT’s “DanderSpritz” was also mentioned in the description of the “FIREWALK” [16] tool in the ANT catalog. DNT and ANT are both network organizations belonging to the NSA. Similar attack equipment can be used in a variety of operational scenarios: by collecting and injecting network traffic through the “FIREWALK” [16] tool, the victim host can be made to establish a connection with the attacker’s remote control center, turning remote control into a close-range tactical operation. For example, by hijacking the supply chain or inserting or replacing equipment at internal nodes, once the remote control tool is activated, an attack method combining close-range control and manual operation can be achieved.

Figure 4-4 FIREWALK, an NSA-ANT Cyberweapon Exposed by Snowden (Translated by the Antiy Public Interest Translation Group)
The NSA-ANT cyber weapon was first exposed during the Snowden revelations in 2013. It contains 48 attack weapons. As the revelations unfolded, more and more media outlets and organizations exposed it. Based on all the currently exposed information and technical analysis, Antiy Security’s analysis engineers have attempted to create a preliminary map of the relevant attack equipment.

Figure 4–5 NSA-TAO Attack System (Under Development)
5. Analysis of Selected Components and Plugins (Work in Progress)
After a period of follow-up analysis, Antiy CERT discovered that the exposed plugins have modularity and anti-detection features. Based on the current analysis, Antiy CERT summarized three characteristics of these attack plugins:
1. None of the plugins directly execute malicious behavior within the DllMain function. When detecting DLL-based PE files, sandbox-based threat detection systems typically call the Windows API `LoadLibrary()` to dynamically load the target object, execute its `DllMain` function, and trigger its dynamic behavior. However, for these Equation Group plugins, since the `DllMain` function does not exhibit malicious behavior (as shown in Figure 5-1), they are easily classified as non-malicious programs by sandboxes.

Figure 5-1 The DllMain Function Does Not Contain Any Malicious Functionality
2. None of the export functions in these plugins directly implement malicious functionality. Each of these Equation plugins provides only four functions, exported by ordinal rather than by name. Regarding their functionality, the first exported function receives a callback function pointer or parameters passed by the caller via a specific data structure (as shown in Figure 5-2); the second exported function releases allocated resources when necessary; the third exported function returns a pointer to the core functional routine based on the call parameters; and the fourth exported function populates the data structure provided by the caller and passes the plugin version information back to the caller. Except for the fourth exported function (which may raise an exception by dereferencing a null pointer, because it does not perform strict parameter validation), none of the plugins’ exported functions directly implement malicious functionality. Consequently, a sandbox-based threat detection system cannot trigger malicious behavior by calling these exported functions, and so classifies the program as non-malicious.

Figure 5-2 Callback Function Pointers or Parameters in the i1 Function
3. Each plugin implements only the most basic capabilities. These Equation attack plugins only perform the most basic functions. Even if analysts understand how to call the plugins and pass the correct parameters, they can only execute the most basic program functions and obtain intermediate results (such as process name, module name, and user password) in the callback function. Unless the analyst is highly experienced, it is difficult to distinguish these program functions from those of a normal program. Besides considering factors such as framework scalability and ease of feature tailoring, the Equation attack group likely designed the plugins this way to bypass the static detection mechanisms of certain antivirus engines.
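The export-table shape described in point 2 above (a handful of functions exported by ordinal only, with no names) is something a defender can check statically without loading the DLL. The following is an added example, not Antiy CERT’s own tooling or the plugins’ code: a minimal PE export-directory parser plus a triage heuristic, exercised on two constructed PE32 fixtures (a four-ordinal “plugin-shaped” DLL and an ordinary DLL with named exports). The builder, fixture layout and the expected export count of 4 are assumptions for illustration.

```python
import struct

# Added example: static triage for "N ordinal-only exports, zero named exports".
# Parser and fixtures are constructed for illustration; they are not the leaked samples.

def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%X is not backed by any section" % rva)


def _cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def export_summary(data):
    """Return the named exports and the ordinal-only exports of a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_base = {0x10B: opt + 96, 0x20B: opt + 112}.get(magic)   # PE32 / PE32+ data directories
    if dd_base is None:
        raise ValueError("unknown optional header magic 0x%X" % magic)
    export_rva = struct.unpack_from("<II", data, dd_base)[0]     # directory entry 0 = exports
    sections = []
    for i in range(nsections):
        _, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((va, vsize, raw_ptr, raw_size))
    if export_rva == 0:
        return {"named": [], "ordinal_only": []}
    off = _rva_to_offset(export_rva, sections)
    (_, _, _, _, _, base, nfuncs, nnames,
     funcs_rva, names_rva, ords_rva) = struct.unpack_from("<IIHHIIIIIII", data, off)
    func_rvas = struct.unpack_from("<%dI" % nfuncs, data, _rva_to_offset(funcs_rva, sections))
    named, name_index = [], set()
    if nnames:
        names_off = _rva_to_offset(names_rva, sections)
        ords_off = _rva_to_offset(ords_rva, sections)
        for i in range(nnames):
            name_rva = struct.unpack_from("<I", data, names_off + 4 * i)[0]
            idx = struct.unpack_from("<H", data, ords_off + 2 * i)[0]
            named.append(_cstring(data, _rva_to_offset(name_rva, sections)))
            name_index.add(idx)
    # Unused address-table slots are zero; a non-zero slot with no name entry is ordinal-only.
    ordinal_only = [base + i for i, rva in enumerate(func_rvas) if rva and i not in name_index]
    return {"named": named, "ordinal_only": ordinal_only}


def looks_like_ordinal_only_plugin(data, expected_exports=4):
    """Triage heuristic for the shape in the report: N ordinal exports and no named exports."""
    s = export_summary(data)
    return not s["named"] and len(s["ordinal_only"]) == expected_exports


def build_sample_dll(num_funcs, names):
    """Construct a minimal PE32 DLL with a single .edata section (test fixture only)."""
    sec_rva, sec_raw = 0x1000, 0x200
    funcs_rva = sec_rva + 40                       # address table right after the directory
    names_rva = funcs_rva + 4 * num_funcs
    ords_rva = names_rva + 4 * len(names)
    strings_rva = ords_rva + 2 * len(names)
    strings, name_ptrs = b"", []
    for n in names:
        name_ptrs.append(strings_rva + len(strings))
        strings += n.encode() + b"\0"
    edata = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, num_funcs, len(names),
                        funcs_rva, names_rva if names else 0, ords_rva if names else 0)
    edata += b"".join(struct.pack("<I", 0x2000 + 0x10 * i) for i in range(num_funcs))
    edata += b"".join(struct.pack("<I", p) for p in name_ptrs)
    edata += b"".join(struct.pack("<H", i) for i in range(len(names)))   # name i -> function i
    edata += strings
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)   # i386, one section, DLL
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                               # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96, sec_rva, len(edata))             # export directory entry
    sec = struct.pack("<8sIIIIIIHHI", b".edata", len(edata), sec_rva, len(edata),
                      sec_raw, 0, 0, 0, 0, 0x40000040)
    return (dos + b"PE\0\0" + coff + bytes(opt) + sec).ljust(sec_raw, b"\0") + edata


if __name__ == "__main__":
    plugin = build_sample_dll(4, [])                          # four ordinal exports, no names
    normal = build_sample_dll(3, ["Init", "Run", "Shutdown"])
    print(export_summary(plugin), looks_like_ordinal_only_plugin(plugin))
    print(export_summary(normal), looks_like_ordinal_only_plugin(normal))
```

The heuristic is a triage hint, not a verdict: some legitimate libraries also export by ordinal only, so hits should be combined with other indicators such as the version-resource and filename patterns discussed in Section 4.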
5.1 processinfo Plugin: Traversing Process Modules
Due to the complexity of these plugins, Antiy CERT selected relatively smaller files for analysis. Analysis revealed that these files were used to traverse modules within a specified process and invoke pre-defined callback functions from higher-level modules.
5.1.1 Sample Labels
Table 5-1 Sample Labels
| Item | Value |
|---|---|
| Virus Name | Trojan/Win32.EquationDrug |
| Original Filename | processinfo_Implant9x.dll |
| MD5 | 6042EA9707316784FBC77A8B450E0991 |
| Processor Architecture | X86-32 |
| File Size | 8 KB (8,192 bytes) |
| File Format | BinExecute/Microsoft.DLL[:X86] |
| Timestamp | 0x45A40EC7 -> 2007-01-10 05:53:11 |
5.1.2 Main Functions
This plugin provides four functions, exported by ordinal.
Table 5-2 Main Functions
| Ordinal | Function |
|---|---|
| 1 | Set up a callback function for the upper-level module and create a mutex |
| 2 | Release resources |
| 3 | Return the address of the core function |
| 4 | Get plugin version information |

Figure 5‑3 Export Function 1: Setting the Callback Function for the Parent Module

Figure 5-4 Return to the Address of the Core Function

Figure 5-5 Export Function 4: Retrieve Plugin Version Information

Figure 5–6 Iterate Through Specified Processes; the Default Is the Current Process

Figure 5–7 Iterate Through the Modules of the Specified Process and Calculate the SHA-1 Hash of the Corresponding Files
5.2 kill_Implant Plugin: Process Termination Module
This module is another relatively small file. Antiy CERT’s analysis revealed that the plugin’s main function is to terminate the corresponding process based on the passed-in process ID.
5.2.1 Sample Labels
Table 5-3 Sample Labels
| Item | Value |
|---|---|
| Virus Name | Trojan/Win32.EquationDrug |
| Original Filename | kill_Implant.dll |
| MD5 | BDD2B462E050EF2FA7778526EA4A2A58 |
| Processor Architecture | X86-32 |
| File Size | 21 KB (21,504 bytes) |
| File Format | BinExecute/Microsoft.DLL[:X86] |
| Timestamp | 0x45A40616 -> 2007-01-10 05:16:06 |
5.2.2 Main Functions
The caller passes in a process ID; the module uses the OpenProcess function to obtain a handle to that process and then calls TerminateProcess to terminate it.

Figure 5–8 Terminating Process
5.3 GROK Keyboard and Clipboard Recorder Driver
In addition to DLL plugins, the leaked files also include several EXE files. Antiy CERT discovered that some of these EXE files are identical to the GROK component previously found in the Equation Group platform. The version exposed in this leak is 1.2.0.1, and all of them can decrypt and deploy the keylogger and clipboard monitor driver msrtdv.sys from the resource section.
5.3.1 Sample Labels
Table 5-4 Sample Labels
| Item | Value |
|---|---|
| Virus Name | Trojan/Win32.EquationDrug |
| Original Filename | msrtdv.sys |
| MD5 | 6A4461AF87371B89D240A34846A7BC64 |
| Processor Architecture | X86-32 |
| File Size | 36.3 KB (37,248 bytes) |
| File Format | BinExecute/Microsoft.SYS[:X86] |
| Timestamp | 0x4B7F1480 -> 2010-02-20 06:45:20 |
This sample is a keylogger and clipboard monitoring driver. Similar malware has been described in earlier reports from peer vendors, and we compare their similarities below.
5.3.2 Version Information
The sample contains version information: file version 5.1.1364.6430, original filename msrtdv.sys, and file description “MSRTdv interface driver”. The file version is lower than the previously disclosed version 5.3.1365.2180. The original filename and the file description differ only in the swapped positions of the letters “d” and “v”: one is “msrtdv.sys” and the other is “msrtvd.sys”.

Figure 5–9 Version Information for This Leaked Version and the Previously Disclosed Version
5.3.3 Main Functions
The two versions of the sample share the same main function: they collect data through a dedicated dump process and compress the results into the file “%TEMP%\tm154o.da” every 30 minutes. The previously exposed version contained multiple IoControlCodes, each corresponding to a different function.
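The fixed output path and the 30-minute write cadence described above are both usable as hunting signals in file-create telemetry. The following is an added example, not Antiy CERT’s code: it matches the named artifact and, more generally, flags any file that is re-created at a regular interval. The event lines are constructed (a simplified Sysmon Event ID 11 style, UtcTime|Image|TargetFilename), and the field layout, tolerance and minimum hit count are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

# Constructed sample telemetry for illustration (not real logs). Kernel-originated file
# writes appear with the image name "System", as Sysmon reports them.
SAMPLE_EVENTS = """\
2017-01-10T08:00:02Z|System|C:\\Users\\alice\\AppData\\Local\\Temp\\tm154o.da
2017-01-10T08:11:40Z|C:\\Program Files\\Microsoft Office\\WINWORD.EXE|C:\\Users\\alice\\Documents\\~WRL0001.tmp
2017-01-10T08:30:01Z|System|C:\\Users\\alice\\AppData\\Local\\Temp\\tm154o.da
2017-01-10T09:00:03Z|System|C:\\Users\\alice\\AppData\\Local\\Temp\\tm154o.da
2017-01-10T09:00:10Z|C:\\Windows\\System32\\svchost.exe|C:\\Windows\\Temp\\backup-0900.log
2017-01-10T09:30:02Z|System|C:\\Users\\alice\\AppData\\Local\\Temp\\tm154o.da
2017-01-10T10:00:09Z|C:\\Windows\\System32\\svchost.exe|C:\\Windows\\Temp\\backup-1000.log
"""

# Artifact name taken from the report: "%TEMP%\tm154o.da"
GROK_ARTIFACT = "tm154o.da"


def parse_events(text):
    """Parse 'UtcTime|Image|TargetFilename' lines into (datetime, image, path) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, image, target = line.split("|", 2)
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), image, target))
    return events


def known_artifact_hits(events):
    """Exact match on the artifact filename, regardless of which %TEMP% it lands in."""
    return [(ts, target) for ts, _, target in events
            if ntpath.basename(target).lower() == GROK_ARTIFACT]


def periodic_writers(events, period=timedelta(minutes=30),
                     tolerance=timedelta(minutes=2), min_events=3):
    """Generalized check: paths re-created at a steady interval close to `period`.

    Returns {lowercased path: number of creates} for every path whose consecutive
    create timestamps all fall within `tolerance` of `period`.
    """
    by_path = defaultdict(list)
    for ts, _, target in events:
        by_path[target.lower()].append(ts)
    hits = {}
    for path, stamps in by_path.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        if all(abs(gap - period) <= tolerance for gap in gaps):
            hits[path] = len(stamps)
    return hits


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    print("artifact hits:", known_artifact_hits(evts))
    print("periodic writers:", periodic_writers(evts))
```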

Figure 5–10 Key Functional Code from Previously Released Versions
Although the IoControlCode in the leaked samples is only 0x22002C, some key features are still present, and their similarities can be seen in the decompiled code.

Figure 5–11 Key Functional Code from Previously Released Versions

Figure 5–12 Key Functional Code from the Leaked Version
The above analysis and comparison show that the leaked malware sample is an earlier version: its version information is lower than that of the versions previously exposed by Kaspersky and Antiy, and its functionality is also weaker. The GROK version numbers in the file DanderSpritz_All_Find.txt leaked by the Shadow Brokers clearly confirm this; the Shadow Brokers only released a lower version of the GROK component. Even so, the richness of information in these files has opened a rare crack in the “millennial dark room”.

Figure 5–13 Different Version Numbers of the GROK Component
6. Summary
The 61 Equation Group documents released by the “Shadow Brokers” have been of great assistance to cybersecurity researchers worldwide in analyzing and clarifying the composition and architecture of the Equation-related attack platforms. In particular, the ability to examine debug versions of their malicious code—something virtually unthinkable in the context of conventional high-profile cyberattack groups—provides a rare opportunity to observe the Equation Group from the “inside”. After initially collating and analyzing the disclosed information, Antiy CERT has identified, analyzed, and organized further details regarding this attack platform, including hundreds of attack plugins and the “DanderSpritz” attack platform.
Antiy CERT determined that some components were similar to the previously exposed GROK components, and these components were all early, lower versions. Furthermore, Antiy CERT’s analysis also indicated that “DanderSpritz” and Equation Drug used the same components and architectural design. “DanderSpritz” may be the Equation Drug attack platform used by the Equation Group. Its “atomic” module design reveals the sheer size and sophistication of the Equation Group’s support system, the meticulousness of its operations, and its exceptionally rich experience in bypassing security defenses during weapons development and deployment.
Five years ago, during Antiy’s marathon analysis of the Flame worm, an expert warned us against “missing the forest for the trees”. This prompted Antiy’s security engineers to deeply reflect on the limitations of traditional analysis engineers who “start their vision from the entry point”, and they began to try to establish an analytical perspective that sees the macrocosm from the microcosm. Through this analysis, Antiy CERT’s security engineers found themselves still struggling in a maze—perhaps this is the norm for security analysis teams when facing super attackers.
Over the past four years, Antiy’s continuous tracking and analysis of the Equation Group has been an invaluable experience in understanding the highest level of attackers (i.e., A2PT, advanced APTs). In-depth research into these high-cost, advanced-concept-driven attackers is crucial for improving and enhancing the defense capabilities of Antiy’s advanced threat detection and defense products, such as PTD, IEP, and PTA. Antiy is also deeply considering and exploring large-scale situational awareness systems for various industries and regions, aiming to achieve effective capabilities “centered on asset protection”, especially the ability to identify key threats and advanced attackers amidst massive volumes of events. However, dealing with A2PT attackers, whether by effectively improving defenses or by conducting more comprehensive and in-depth systemic analysis, cannot be undertaken by a single security company alone. It requires more collaborative, relay-style analysis rather than simply reinventing the wheel. Based on this shared understanding, at the recent 4th Antiy Cybersecurity Winter Training Camp, Antiy and other security companies, including 360 Enterprise Security, introduced some of their attempts at mutual recognition of analytical results among capability-based security vendors to the participating experts. Only when Chinese institutional users and capable security vendors form a positive, interactive system can they better defend against threats from all sides.
We are vigilant, but not fearful. For a defensive battle, in addition to solid architecture, defense, and analysis, an unwavering belief in victory is the most important prerequisite.
What is invisible is not necessarily without a trace; Antiy tracks the traces and renders them in images.