A report released today dives deep into technical aspects of a Linux backdoor now tracked as Bvp47 that is linked to the Equation Group, the advanced persistent threat actor tied to the U.S. National Security Agency.
Bvp47 survived until today almost undetected, despite being submitted to the Virus Total antivirus database for the first time close to a decade ago, in late 2013.
Until this morning, only one antivirus engine on Virus Total detected the Bvp47 sample. As the report spread in the infosec community, detection started to improve, being flagged by six engines at the moment of writing.
The Advanced Cyber Security Research team at Pangu Lab, a Chinese cybersecurity company, says that it found the elusive malware in 2013, during a forensic investigation of a host in a key domestic department.
The Bvp47 sample obtained from the forensic investigation proved to be an advanced backdoor for Linux with a remote control function protected through the RSA asymmetric cryptography algorithm, which requires a private key to enable.
They found the private key in the leaks published by the Shadow Brokers hacker group between 2016-2017, which contained hacking tools and zero-day exploits used by NSAs cyberattack team, the Equation Group.
Some components in the Shadow Brokers leaks were integrated into the Bvp47 framework - dewdrop and solutionchar_agents - indicating that the implant covered Unix-based operating systems like mainstream Linux distributions, Junipers JunOS, FreeBSD, and Solaris.
Apart from Pangu Lab attributing the Bvp47 malware to the Equation Group, automated analysis of the backdoor also shows similarities with another samplefrom the same actor.
Kasperskys Threat Attribution Engine (KTAE) shows that 34 out of 483 strings match those from another Equation-related sample for Solaris SPARC systems, which had a 30% similarity with yet another Equation malwaresubmitted to Virus Total in 2018 and posted by threat intel researcher Deresz on January 24, 2022.
Costin Raiu, director of Global Research and Analysis Team at Kaspersky, told BleepingComputer that Bvp47s code-level similarities match a single sample in the companys current malware collection.
This indicates that the malware was not used extensively, as it usually happens with hacking tools from high-level threat actors, who use them in highly targeted attacks.
In the case of the Bvp47 Linux backdoor, Pangu Lab researchers say that it was used on targets in the telecom, military, higher-education, economic, and science sectors.
They note that the malware hit more than 287 organizations in 45 countries and went largely undetected for over 10 years.
Pangu Labs incident analysis involved three servers, one being the target of an external attack and two other internal machines - an email server and a business server.
According to the researchers, the threat actor pivoted established a connection between the external server and the email server via a TCP SYN packet with a 264-byte payload.
At almost the same time, the [email] server connects to the [business] server's SMB service and performs some sensitive operations, including logging in to the [business] server with an administrator account, trying to open terminal services, enumerating directories, and executing Powershell scripts through scheduled tasks - Pangu Lab
The business server then connected to the email machine to download additional files, including the Powershell script and the encrypted data of the second stage.
An HTTP server is started on one of the two compromised machines, serving two HTML files to the other. One of the files was a base64-encoded PowerShell script that downloads index.htm, which contains asymmetrically encrypted data.
A connection between the two internal machines is used to communicate encrypted data via its own protocol, Pangu Lab researchers say in their report.
The researchers were able to restore the communication between the servers and summarized it into the following steps, where machine A is the external system and V1/V2 are the email and business server, respectively:
Referring to the above communication technology between the three servers, the researchers assess that the backdoor is the creation of an organization with strong technical capabilities.
Go here to read the rest:
NSA-linked Bvp47 Linux backdoor widely undetected for 10 years - BleepingComputer
- WikiLeaks' Julian Assange: NSA critics got lucky because agency had no PR strategy [Last Updated On: April 26th, 2014] [Originally Added On: April 26th, 2014]
- National Speakers Association New Jersey Chapter NSA [Last Updated On: April 26th, 2014] [Originally Added On: April 26th, 2014]
- National Security Agency - Wikipedia, the free encyclopedia [Last Updated On: April 26th, 2014] [Originally Added On: April 26th, 2014]
- NSA - Satu Hari Di Bulan Juni (TULUS) (COVER) - Video [Last Updated On: April 26th, 2014] [Originally Added On: April 26th, 2014]
- Full Show: Disband The NSA or; Corruption in the Capitol FO SHIZZLE {aTV002} - Video [Last Updated On: April 26th, 2014] [Originally Added On: April 26th, 2014]
- Hong Kong: Protesters blow whistles for NSA whistle blower - Video [Last Updated On: April 26th, 2014] [Originally Added On: April 26th, 2014]
- An Inside Look at the NSA With Whistleblower William Binney (Part 2 of 2) - Video [Last Updated On: April 26th, 2014] [Originally Added On: April 26th, 2014]
- USA: NSA leaker Snowden is a hero, say Washington protesters - Video [Last Updated On: April 26th, 2014] [Originally Added On: April 26th, 2014]
- ShmooCon 2014: The NSA: Capabilities and Countermeasures - Video [Last Updated On: April 26th, 2014] [Originally Added On: April 26th, 2014]
- NSA ~ (Autodidactism) Whistleblowing - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- The Mises View: Our NSA Economy | Mark Thornton - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- George Galloway's Sputnik: Ewen MacAskill on Guardian / Edward Snowden NSA leaks (26Apr14) - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- Dropping #NSA Knowledge Like a Clumsy Librarian - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- NSA DOCUMENTARY SIX YEARS BEFORE SNOWDEN - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- NSA Knew Of Heartbleed Bug, Refused To Protect Americans - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- Former NSA Head To Become Columnist For Conservative Paper To Discuss Intelligence - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- An Inside Look at the NSA With Whistleblower William Binney (Part 1 of 2) - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- Keynote Address by Shri Shivshankar Menon, NSA at International Seminar on Kautilya - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- NSA WHISTLEBLOWER - TOM DRAKE - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- NSA Wiretapping: A 4th Amendment Violation?: Blake Norvell at TEDxSMU - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- Rucka Rucka Ali Blurred Lines Parody Obama Been Watchin' NSA - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- Hang with Rand: Email Privacy, NSA Spying, and Defending Our Civil Liberties - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- NSA Surveillance and What To Do About It - Bruce Schneier - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- Umfrage: NSA-Spionage und die Bundesregierung | Politik direkt - So ticken die Deutschen - Video [Last Updated On: April 28th, 2014] [Originally Added On: April 28th, 2014]
- CIA & NSA DIRECTED ENERGY WEAPON ATTACK ON WHISTLE BLOWER - Video [Last Updated On: April 28th, 2014] [Originally Added On: April 28th, 2014]
- NSA TARGETED OBAMA, CONGRESS, SUPREME COURT, & THEIR SPOUSES, CHILDREN - Video [Last Updated On: April 28th, 2014] [Originally Added On: April 28th, 2014]
- Book TV - 2014 San Antonio Book Festival: Panel on the NSA, Big Brother, and Democracy - Video [Last Updated On: April 28th, 2014] [Originally Added On: April 28th, 2014]
- READER SUBMITTED: NSA CT April 2014 Meeting [Last Updated On: April 28th, 2014] [Originally Added On: April 28th, 2014]
- NSA Throwdown: John Oliver v. 60 Minutes [Last Updated On: April 28th, 2014] [Originally Added On: April 28th, 2014]
- New water records show NSA Utah Data Center likely behind schedule [Last Updated On: April 28th, 2014] [Originally Added On: April 28th, 2014]
- German opposition says US should destroy Merkel's NSA file - Video [Last Updated On: April 28th, 2014] [Originally Added On: April 28th, 2014]
- MVI 1847 Obama's NSA Denies FOIA About MH 370! - Video [Last Updated On: April 28th, 2014] [Originally Added On: April 28th, 2014]
- NSA Surveillance 2 - Video [Last Updated On: April 28th, 2014] [Originally Added On: April 28th, 2014]
- NSA Surveillance Panel 1 - Video [Last Updated On: April 28th, 2014] [Originally Added On: April 28th, 2014]
- NSA reveals some cyber security flaws are left secret [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- NSA data center uses less water than expected [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- April 2014 Breaking News Do you use Google or Yahoo? NSA Intercepts Google And Yahoo Traffic - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- Rand Paul My Reaction To Judge Ruling NSA Spying On Americans Illegal Is He's Exactly Right - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- Views from the Street on NSA Activities and Liberty (6/6) - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- Views from the Street on NSA Activities and Liberty (3/6) - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- Views from the Street on NSA Activities and Liberty (5/6) - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- Views from the Street on NSA Activities and Liberty (1/6) - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- Germany: NSA may have accidentally outed secret base - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- Dick Cheney Gets Awkward On Fox & Friends Over NSA Spying - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- February 2014 Breaking News Barack Obama Gun control NSA worldwide people control last day - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- MVI 1871 NSA Might Be OnTo Me! - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- ZyXEL NSA 325 v2 Installations-Wizard - Deutsch / German notebooksbilliger.de - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- ZyXEL NSA 325 v2 Hands On - Deutsch / German notebooksbilliger.de - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- CNET Update NSA spy games targeted World of Warcraft ! Byy Adana - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- Supreme Court could weigh in on NSA case, justice says [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- New NSA chief: Agency has lost trust [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- NSA on Heartbleed: 'We're not legally allowed to lie to you' [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- What's The NSA Doing Now? Training More Cyberwarriors [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- Anonymous NSA - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- Cutting off H2O to the NSA - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- Brazil: Greenwald slams US media, shares tips to avoid NSA - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- NSA Interception: Spy malware installed on laptops bought online - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- NSA IS TRYINGG 2 KILL ME FAMS - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- Hacking is NSA's 'growth area,' Times says in agency profile! - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- Judge Napolitano 'It's Time for Congress to Clip the NSA's Wings' - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- Global Economic Crisis 2013 Economic Terrorism, NSA CIA - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- What was more popular on Twitter, NSA, NRA or NBA..today? - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- THE CIA , FBI and NSA Spying Technology is Free and out in the open , DOWNLOAD IT NOW - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- CIS111: NSA Uncovered - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- Views from the Street on NSA Activities and Liberty (4/6) - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- Views from the Street on NSA Activities and Liberty (2/6) - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- Budget 2014 Malaysia mystery NSA listening in - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- NSA misrepresented the scope of its data collection - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- NSA whistleblower Edward Snowden: 'I don't want to live in a society that does these sort - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- NSA: the story of the summer - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- Thinkerview - Interview B Bayart - Neutralit du net, CSA NSA - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- German Chancellor Angela Merkel visits US, after the NSA eavesdropping scandal - Video [Last Updated On: May 2nd, 2014] [Originally Added On: May 2nd, 2014]
- NSA Reveals Planned Police State - US to enter MARTIAL LAW - Video [Last Updated On: May 2nd, 2014] [Originally Added On: May 2nd, 2014]
- NSA spies on more US citizens than Russians Snowden [Last Updated On: May 3rd, 2014] [Originally Added On: May 3rd, 2014]
- THE NEXT NSA?Police under scrutiny for using spying technology [Last Updated On: May 3rd, 2014] [Originally Added On: May 3rd, 2014]
- Ukraine and NSA will test Merkel - Video [Last Updated On: May 3rd, 2014] [Originally Added On: May 3rd, 2014]
- Civil liberty activists say Obama's curb on NSA don't go far enough - Video [Last Updated On: May 3rd, 2014] [Originally Added On: May 3rd, 2014]
- The Latest Attacks On NSA Whistleblower Edward Snowden - Kevin Gosztola Discusses - Video [Last Updated On: May 3rd, 2014] [Originally Added On: May 3rd, 2014]
- NSA proof phone Case - Video [Last Updated On: May 4th, 2014] [Originally Added On: May 4th, 2014]
- Still Report #246 - NSA Classifies MH370 Material - Video [Last Updated On: May 4th, 2014] [Originally Added On: May 4th, 2014]