The Company reports on EquationDrug, one of the main espionage platforms used by the Equation Group

WOBURN, MA – March 11, 2015 — / — Nation-state sponsored cyberespionage attacks are becoming more sophisticated, targeting carefully defined users with complex, modular tools, and keeping well under the radar of increasingly effective detection systems, Kaspersky Lab experts have discovered.

This new trend was confirmed during a detailed analysis of the EquationDrug cyberespionage platform. EquationDrug is the main espionage platform developed by the Equation Group. It has been in use for more than a decade although it is now largely being replaced by the even more sophisticated GrayFish platform. The tactical trends confirmed by the analysis of EquationDrug were first observed by Kaspersky Lab during its research into the cyber-espionage campaigns Careto and Regin, among others.

Kaspersky Lab specialists found that, following the industry’s growing success in exposing advanced persistent threat (APT) groups, the most sophisticated threat actors now focus on increasing the number of components in their malicious platform in order to reduce their visibility and enhance stealth.

The latest platforms now carry many plugin modules that allow them to select and perform a wide range of different functions, depending on their target victim and information they hold. Kaspersky Lab estimates that EquationDrug includes 116 different plugins.

“Nation-state attackers are looking to create more stable, invisible, reliable and universal cyberespionage tools. They are focused on creating frameworks for wrapping such code into something that can be customized on live systems and provide a reliable way to store all components and data in encrypted form, inaccessible to regular users,” explains Costin Raiu, Director of Global Research and Analysis Team at Kaspersky Lab. “Sophistication of the framework makes this type of actor different from traditional cybercriminals, who prefer to focus on payload and malware capabilities designed for direct financial gains.”

Other ways in which nation-state attackers differentiate their tactics from traditional cybercriminals include:

  • Scale. Traditional cybercriminals mass-distribute emails with malicious attachments or infect websites on a large scale, while nation-state actors prefer highly targeted, surgical strikes, infecting just a handful of selected users.
  • Individual approach. While traditional cybercriminals typically reuse publicly available source code such as that of the infamous Zeus or Carberb Trojans, nation-state actors build unique, customized malware, and even implement restrictions that prevent decryption and execution outside of the target computer.
  • Extracting valuable information. Cybercriminals in general attempt to infect as many users as possible. However they lack the time and storage space to manually check all the machines they infect and to analyze who owns them, what data is stored on them and what software they run – and then to transfer and store all potentially interesting data.
    • As result they code all-in-one malware stealers that will extract only the most valuable data such as passwords and credit card numbers from victims’ machines – activity that could quickly bring them to the attention of any security software installed.
    • Nation-state attackers on the other hand have the resources to store as much data as they want. To escape attention and remain invisible to security software they try to avoid infecting random users and instead rely on a generic remote system management tool that can copy any information they might need and in any volumes. This could, however, work against them as moving a large volume of data could slow down the network connection and arouse suspicion.

“It may seem unusual that a cyberespionage platform as powerful as EquationDrug doesn’t provide all stealing capability as standard in its malware core. The answer is that they prefer to customize the attack for each one of their victims. Only if they have chosen to actively monitor you and the security products on your machines have been disarmed, will you receive a plugin for the live tracking of your conversations or other specific functions related to your activities. We believe modularity and customization will become a unique trademark of nation-state attackers in the future,” concludes Costin Raiu.

Kaspersky Lab products detected a number of attempts to attack its users with exploits used by the Equation Group in their malware. Many of these attacks were not successful due to Automatic Exploit Prevention technology which generically detects and blocks exploitation of unknown vulnerabilities. The Fanny worm presumably compiled in July 2008 and being a part of the Equation platform, was first detected and blacklisted by our automatic systems in December 2008.

To read latest research on the EquationDrug platform, please visit

About Kaspersky Lab
Kaspersky Lab is the world’s largest privately held vendor of endpoint protection solutions. The company is ranked among the world’s top four vendors of security solutions for endpoint users*. Throughout its more than 17-year history Kaspersky Lab has remained an innovator in IT security and provides effective digital security solutions for large enterprises, SMBs and consumers. Kaspersky Lab, with its holding company registered in the United Kingdom, currently operates in almost 200 countries and territories across the globe, providing protection for over 300 million users worldwide. Learn more at

* The company was rated fourth in the IDC rating Worldwide Endpoint Security Revenue by Vendor, 2013. The rating was published in the IDC report: Worldwide Endpoint Security 2014–2018 Forecast and 2013 Vendor Shares (IDC #250210, August 2014). The report ranked software vendors according to earnings from sales of endpoint security solutions in 2013.

For the latest in-depth information on security threat issues and trends, please visit:

Securelist | Information about Viruses, Hackers and Spam –
Follow @Securelist on Twitter

Threatpost | The First Stop for Security News -
Follow @Threatpost on Twitter

Media Contact
Sarah (Bergeron) Kitsos

Source: Kaspersky


General Tags: online backup reviews, online file backup, data storage, online backup companies, backing up online, SaaS, top rated online backups, online backup, online backup services, cloud computing, compare online backups, data security, online backup providers directory, software as a service, online backup news, CEO interviews, online data backup, online file storage

Like us on Facebook

Do you like this post? Subscribe to our RSS feed ===========================

Sponsored Links:

Data Deposit Box


Bacula Systems



Related posts:

  1. Kaspersky Lab Releases Q2 IT Threat Evolution Report for 2015
  2. Kaspersky Lab Study Reveals Surge in Java Exploit Attacks to 14.1 Million In a Year
  3. Symantec Internet Security Threat Report Reveals Increase in Cyberespionage – Including Threefold Increase in Small Business Attacks
  4. Kaspersky Lab and WISeKey Launch an Encrypted Vault for all that is Precious on your Mobile: The WISeID Kaspersky Lab Security App
  5. Kaspersky Lab Survey Reveals: Cyberattacks Now Cost Large Businesses an Average of $861,000
  6. Kaspersky Lab Report Reveals Business Executives Are Exposing Critical Corporate Data While Traveling
  7. Kaspersky Lab Reports: Finance-Related Malware Attacks Rose to 28 Million in 2013
  8. Kaspersky Lab Reports Malicious Attack Increase in Q1 IT Threat Evolution Report
  9. One Billion More: Kaspersky Lab Reports on Cyber Threats in 2014
  10. Kaspersky Lab Detected a 14% Increase in New Ransomware Modifications in Q1 2016