In April 2017, an attack group calling itself TheShadowBrokers released a trove of data it claims to have stolen from the Equation cyberespionage group. The data contains a range of exploits and tools that the attack group states were used by Equation. TheShadowBrokers said that the data dump was a sample of what had been stolen by hacking Equation and that the “best” files would be auctioned off to the highest bidder.
The Equation group has been known for some time and uses highly advanced malware tools to target organizations in a range of countries. The group is technically competent and well resourced, using highly developed malware tools that go to great lengths to evade detection.
TheShadowBrokers has released this data in a series of dumps.
Symantec Security Response often has coverage for these vulnerabilities and tools well in advance of disclosure, but in an effort to make the coverage more readable, the detections are renamed to represent the events they are associated with.
Lost In Translation
On April 14, 2017 TheShadowBrokers released a collection of files, containing exploits and hacking tools targeting Microsoft Windows.
Later that week, Microsoft published a blog post stating that most of the exploits disclosed in this dump target vulnerabilities that are already patched in its supported products.
Exploit Name | CVE | Targeted Service | IPS Signature Name | AV Signature Name | AV Signature Date |
---|---|---|---|---|---|
ETERNALROMANCE-1.3.0 | CVE-2017-0144 | Microsoft Windows SMBv1 Service | Sig ID: 30010 (OS Attack: Microsoft Windows SMB RCE CVE-2017-0144) | Hacktool | 20170414.021 |
ETERNALROMANCE-1.4.0 | CVE-2017-0145 | Microsoft Windows SMBv1 Service | Sig ID: 21179 (OS Attack: Microsoft Windows SMB Remote Code Execution 3) | Hacktool | 20170414.021 |
ETERNALSYNERGY | CVE-2017-0714 | Microsoft Windows SMBv3 Service | Sig ID: 30018 (OS Attack: MSRPC Remote Management Interface Bind) | Hacktool | 20170414.021 |
ETERNALBLUE | CVE-2017-0143 | Microsoft Windows SMBv1 Service | Sig ID: 21179 (OS Attack: Microsoft Windows SMB Remote Code Execution 3); Sig ID: 22534 (System Infected: Malicious Payload Activity 9); Sig ID: 23737 (Attack: Shellcode Download Activity); Sig ID: 23862 (OS Attack: Microsoft Windows SMB Remote Code Execution); Sig ID: 23875 (OS Attack: Microsoft SMB MS17-010 Disclosure Attempt) | Hacktool | 20170414.021 |
ETERNALCHAMPION | CVE-2017-0146, CVE-2017-0147, CVE-2017-0148 | Microsoft Windows SMBv1 Service | Sig ID: 23624 (OS Attack: Microsoft Windows SMB Remote Code Execution 2) | Hacktool | 20170414.021 |
ECLIPSEDWING | CVE-2008-4250 | Microsoft Windows Server Service | Sig ID: 23179 (OS Attack: MSRPC Server Service RPC CVE-2008-4250); Sig ID: 23180 (OS Attack: MSRPC Server Service RPC CVE-2008-4250 2) | Hacktool | 20170414.020 |
EDUCATEDSCHOLAR | CVE-2009-2526 | Microsoft Windows SMBv2 Service | Sig ID: 23497 (OS Attack: MS SMB2 Validate Provider Callback CVE-2009-3103) | Hacktool | 20170414.020 |
EMERALDTHREAD | CVE-2010-2729 | Microsoft Windows Print Service | Sig ID: 23897 (Attack: Windows Spooler Service CVE-2010-2729) | Hacktool | 20170414.020 |
ESKIMOROLL | CVE-2014-6324 | Microsoft Windows Kerberos KDC | No Signature Available | Hacktool | 20170414.021 |
EASYBEE | CVE-2007-1675 | Mdaemon | Sig ID: 30015 (Attack: MDaemon WorldClient Attack) | Hacktool | 20170414.020 |
ENGLISHMANDENTIST | CVE-2009-0099 based on SID | Microsoft Outlook Exchange Web Access | Sig ID: 30014 (Attack: MS Exchange Server RCE) | Hacktool | 20170414.020 |
EXPLODINGCAN | CVE-2017-7269 | Microsoft Windows Server WebDav Service | Sig ID: 29071 (Web Attack: IIS Server CVE-2017-7269) | Hacktool | 20170414.021 |
EMPHASISMINE-3.4.0 | CVE-2017-1274 | IBM Domino | No Signature Available | Hacktool | 20170414.020 |
EWOKFRENZY-2.0.0 | CVE-2007-1675 | IBM Domino | Sig ID: 21710 (HTTP MDaemon IMAP Server Auth BO; not available in SEP, only in DCS) | Hacktool | 20170414.021 |
Don't Forget Your Base
On April 8, a missive from TheShadowBrokers also contained another large batch of files. These are mostly characterised as tools and scripts, as opposed to the vulnerabilities seen in the Lost in Translation dump. Additionally, items such as scripts are easily customized and altered to impact different targets and to avoid static detection.
All coverage information is based on available virus definitions from June 20, 2017.
Tools | AV coverage |
---|---|
CHARMHAMMER | Hacktool.Equation |
CHARMPENGUIN | Hacktool.Equation |
CHARMRAZOR | Hacktool.Equation |
CONSTANTMOVE | Not Malicious |
CRYPTTOOL | Not Malicious |
CURSEBINGO | Hacktool.Equation |
CURSEBONGO | Hacktool.Equation |
CURSECHICKEN | Hacktool.Equation |
CURSECLASH | Hacktool.Equation |
CURSEDEVO | Hacktool.Equation |
CURSEFIRE | Hacktool.Equation |
CURSEFLOWER | Hacktool.Equation |
CURSEGISMO | Hacktool.Equation |
CURSEHAPPY | Hacktool.Equation |
CURSEHELPER | Hacktool.Equation |
CURSEHOLE | Hacktool.Equation |
CURSEHUMMER | Hacktool.Equation |
CURSEHYDRANT | Hacktool.Equation |
CURSEJOKER | Hacktool.Equation |
CURSEKETTLE | Hacktool.Equation |
CURSEKILN | Hacktool.Equation |
CURSELION | Hacktool.Equation |
CURSEMAGIC | Hacktool.Equation |
CURSENAG | Hacktool.Equation |
CURSEQUAKE | Hacktool.Equation |
CURSERAZOR | Hacktool.Equation |
CURSEROOT | Hacktool.Equation |
CURSESALSA | Hacktool.Equation |
CURSESLEEPY | Hacktool |
CURSETAILS | Hacktool.Equation |
CURSETINGLE | Hacktool.Equation |
CURSEWHAM | Hacktool.Equation |
CURSEYO | Backdoor.Equation |
CURSEZINGER | Hacktool.Equation |
DAIRYFARM | Not Malicious |
DEWDROP | Hacktool.Equation |
DITTOCLASS | Not Malicious |
DRAFTBAGGER | Not Malicious |
DUBMOAT | Hacktool |
EARLYSHOVEL | Linux.Valsheesy |
EBBISLAND | Hacktool |
EBBSSHAVE | Hacktool |
ECHODOLPHIN | Not Malicious |
EGGBARON | Not Malicious |
ELATEDMONKEY | Trojan.Malscript |
ELECTRICSLIDE | Trojan.Malscript Linux.Trojan |
ELEGANTEAGLE | Trojan.Malscript Linux.Trojan |
ELGINGAMBLE | Hacktool |
ELIDESKEW | Not Malicious |
ENDLESSDONUT | Hacktool |
ENEMYRUN | Hacktool |
ENGLANDBOGY | Not Malicious |
ENSA | Not Malicious |
ENTERSEED | Hacktool |
ENTRYMANOR | Not Malicious |
ENVISIONCOLLISION | Trojan.Malscript |
EPICHERO | Linux.Cheepori |
EXCELBERWICK | Not Malicious |
EXPITATEZEKE | Not Malicious |
EXTREMEPARR | Not Malicious |
JACKPOP | Trojan.Malscript |
MAGICJACK | Linux.Magicjack |
MYSTICTUNNELS | Hacktool |
ORLEANSTRIDE | Hacktool.Equation |
POPTOP | Not Malicious |
PORK | Hacktool |
SECONDDATE | Hacktool |
SHENTYSDELIGHT | Hacktool |
SICKLESTAR | Not Malicious |
SKIMCOUNTRY | Hacktool.Equation |
SLYHERETIC | Hacktool.Equation |
STOICSURGEON | Hacktool.Equation |
STRIFEWORLD | Hacktool.Equation |
SUAVEEYFUL | Hacktool |
SUCTIONCHAR | Hacktool.Equation |
VIOLETSPIRIT | Under Investigation |
WATCHER | Hacktool.Equation |
YELLOWSPIRIT | Not Malicious |
Changelog:
June 21: Updated "Don't Forget Your Base" coverage information.