Analysis on the Encryption Techniques of EQUATION Components
First Edition: April 16, 2015
Second (updated) edition: April 18, 2015
The Antiy analysis team has been analyzing “EQUATION” since February 2015. After the first report was published, the subsequent analysis made little further progress and produced no new highlights. Given this situation, we decided to analyze the encryption techniques of some of the components first, in order to facilitate follow-up work. Here we share that work and hope to receive suggestions from the industry.
DoubleFantasy is the leading component, used for environment validation. Other organizations estimate that this component was active from 2004 to 2012, after which it was replaced by TripleFantasy. DoubleFantasy applies encryption to its resources, its registry storage and its network communication.
Resource decryption algorithm: the DoubleFantasy resource is stored as ciphertext, encrypted with XOR under two single-byte keys, 0x3C (xor 0x3C) and 0x7F (xor 0x7F), as shown in the following figure:
Registry storage configuration and network communication encryption algorithm:
Both the registry configuration storage and the network communication of the DoubleFantasy component use the symmetric encryption algorithm RC6. The component code generates a key of length 0x44* which is used later to encrypt some configuration data and the network communication. Since it is a symmetric algorithm, encryption and decryption use the same procedure. DoubleFantasy does not use a default key, which ensures that the encryption keys of different targets differ from each other.
1. Decryption function parameters
Four of the five parameters in total are used:
- Lpdata1: ciphertext address
- Lpdata2: decrypted plaintext address
- Length: ciphertext length
- Lpkey: key address
2. Analysis of key structure
3. Methods of decryption
1) Calculate the secondary key from the key (the secondary key is 16 bytes long);
2) XOR the first 16 bytes of ciphertext byte by byte with the secondary key to obtain the plaintext;
3) Write the calculated secondary key into k45 – k48 of the key in order (16 bytes in total);
4) Recalculate the next secondary key and use it to decrypt the following 16 bytes;
5) Loop until fewer than 16 bytes of ciphertext remain undecrypted;
6) The number of remaining iterations equals the number of remaining ciphertext bytes;
7) Continue to calculate the next key, update it, and decrypt the remaining bytes one by one.
4. Calculation method of secondary key
1) The secondary key is 16 bytes in total, and every 4 bytes form one parameter, as shown in the following figure (secondary key calculation code table).
2) Calculation method of the secondary key:
- a) R2 = K1 + K46; R4 = K2 + K48
- b) M1 = (L1 + L1 + 1) * L1; M2 = (L2 + L2 + 1) * L2
- c) Move M1 five bits to the left to get the new M1; move M2 five bits to the left to get the new M2;
- d) XOR M1 with L3; XOR M2 with L4;
- e) Take the low 8 bits of M1 and M2 respectively, namely N1 and N2;
- f) Move M1 left by N2 bits to get Z1; move M2 left by N1 bits to get Z2;
- g) Write Z1 + K3 to the address corresponding to L3;
- h) Write Z2 + K4 to the address corresponding to L4;
- i) Loop steps 2 to 8 four times; the subscript of L advances by 3 each time and the subscript of K advances by 2 each time;
- j) Loop steps 2 to 9 five times; the subscript of L stays the same and the subscript of K keeps advancing in order;
- k) R1 = K43 + R1; R3 = K44 + R3
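As an added example (not code from the report, and not the malware's own code), the following Python reconstructs the secondary-key routine of steps a) to k), which is the standard RC6-32/20 block function, together with the 16-byte keystream loop of "Methods of decryption". Assumptions not stated in the report: little-endian 32-bit words, "move left" meaning a 32-bit rotate, the key blob laid out as K1..K44 followed by the 16-byte block K45..K48, and the per-byte tail using the first byte of each newly computed key; the RC6 key schedule is included only so the block function can be checked against the published RC6 test vector.

```python
import struct

MASK, ROUNDS = 0xFFFFFFFF, 20     # 32-bit words; steps i) x j) = 4 x 5 = 20 rounds

def rotl(x, n):
    n &= 31                       # step e): for a 32-bit ROL only the low 5 bits of the count matter
    return ((x << n) | (x >> (32 - n))) & MASK

def rc6_key_schedule(user_key):
    """Standard RC6 key schedule (not in the report; lets the block function be checked)."""
    c = len(user_key) // 4
    L = list(struct.unpack("<%dI" % c, user_key))
    S = [(0xB7E15163 + i * 0x9E3779B9) & MASK for i in range(2 * ROUNDS + 4)]
    A = B = i = j = 0
    for _ in range(3 * max(c, len(S))):
        A = S[i] = rotl((S[i] + A + B) & MASK, 3)
        B = L[j] = rotl((L[j] + A + B) & MASK, A + B)
        i, j = (i + 1) % len(S), (j + 1) % c
    return S

def make_key_blob(user_key, chain_block):
    """Assumed layout of the report's key structure: K1..K44 followed by K45..K48."""
    return struct.pack("<44I", *rc6_key_schedule(user_key)) + chain_block

def rc6_block(S, block):
    """Steps a)-k): derive the 16-byte secondary key from the 16-byte block K45..K48."""
    A, B, C, D = struct.unpack("<4I", block)
    B, D = (B + S[0]) & MASK, (D + S[1]) & MASK           # a) R2 = K1 + K46; R4 = K2 + K48
    for r in range(1, ROUNDS + 1):
        t = rotl((B * (2 * B + 1)) & MASK, 5)              # b), c): M1
        u = rotl((D * (2 * D + 1)) & MASK, 5)              # b), c): M2
        A = (rotl(A ^ t, u) + S[2 * r]) & MASK             # d), f), g): Z1 + K3 -> L3
        C = (rotl(C ^ u, t) + S[2 * r + 1]) & MASK         # d), f), h): Z2 + K4 -> L4
        A, B, C, D = B, C, D, A                            # i): the L subscripts advance
    A, C = (A + S[2 * ROUNDS + 2]) & MASK, (C + S[2 * ROUNDS + 3]) & MASK  # k) K43, K44
    return struct.pack("<4I", A, B, C, D)

def doublefantasy_decrypt(key_blob, ciphertext):
    """Steps 1)-7): keystream decryption; the same routine encrypts (symmetric)."""
    S = list(struct.unpack("<44I", key_blob[:176]))
    state, out = key_blob[176:192], bytearray()
    while len(ciphertext) - len(out) >= 16:
        state = rc6_block(S, state)   # 1), 4): next secondary key; 3): it replaces K45..K48
        out += bytes(c ^ k for c, k in zip(ciphertext[len(out):len(out) + 16], state))
    for c in ciphertext[len(out):]:   # 6), 7): fewer than 16 bytes remain, one key update per byte
        state = rc6_block(S, state)   # assumption: the first byte of each new key is used
        out.append(c ^ state[0])
    return bytes(out)
```

With an all-zero user key and all-zero block, rc6_block must produce the RC6-32/20/16 reference ciphertext 8fc3a53656b1f778c129df4e9848a41e; if a recovered key structure is fed in as key_blob, the same loop decrypts captured configuration or traffic.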
This encryption scheme makes analysis harder for security researchers: since there is no default key, researchers cannot decrypt the encrypted data unless they have captured the complete data stream.
EquationDrug Component
EquationDrug is a complex attack component and an important module associated with the leading verification modules of the Fanny/Fantasy series; it provides the ability to upload related information and to download subsequent components.
Resource encryption/decryption algorithm: a mix of XOR and shift operations.
The following shows the data obtained from the resource and the decryption operation that yields several strings.
In the msnadt.exe module of EquationDrug, we observe that most of the encryption uses shift-and-XOR operations, with the corresponding decryption operations performed during execution. The following figure shows the main decryption code.
GrayFish is one of the most complex components used by the Equation Group. It relies on the registry for block storage and achieves fileless loading with the help of a bootkit. Encryption is also used extensively in its resources and configuration.
Resource encryption/decryption algorithm:
- After GrayFish is restored to its executable body, the first 4 bytes of its resource section are the decryption key.
- X = 0xDD483B8F – 0x6033A96D * key
- The following data is read byte by byte and XORed with X.
Applying RtlCompressBuffer to the resulting data yields the plaintext.
GrayFish’s Resource Decryption Code
Configuration data decryption algorithm:
- The key comparison table is located at offset 0x0042010C.
- Each ciphertext byte, taken as a hexadecimal number, is used as an offset to read from the key comparison table.
- The bytes read are spliced together one by one to form the cleartext.
The GrayFish configuration string decryption algorithm and the key comparison table
Following the completion of “Trojan horse modifying the hard disk firmware —— Equation Group attacking components”, we have made some limited progress and gathered some research opinions. Although our capability in cryptanalysis is limited, organizing the encryption techniques in this way helps to overcome obstacles in the subsequent analysis.
For security researchers and users, the Equation Group is undoubtedly a formidable opponent. Despite our limited resources, never giving up is perhaps what matters most.
2. Equation: The Death Star of Malware Galaxy
3. A Fanny Equation: “I am your father, Stuxnet”
4. Equation Group: from Houston with love
Appendix 1: About Antiy Labs
Antiy Labs is a professional next-generation security-testing engine R&D enterprise. Antiy’s engines provide the ability to detect various viruses and malware for network security products and mobile devices. They are used by more than ten well-known security vendors. Antiy’s engines are embedded in tens of thousands of firewalls and tens of millions of mobile phones all over the world. Antiy Labs was awarded the “Best Protection” prize by AV-TEST in 2013. Based on engines, sandboxes and back-end systems, Antiy Labs will continue to provide traffic-based anti-APT solutions for enterprises.
For more information about antivirus engines, please refer to: http://www.antiy.com (Chinese), https://www.antiy.net (English). For more information about anti-APT products, please refer to: http://www.antiy.cn