Kaspersky reveals details of EquationDrug - the NSA's online malware platform

NSA's online malware platform contains as many as 116 modules - and may have been in use since 1996

Security software company Kaspersky has published more details about the architecture of EquationDrug, which it describes as one of the main espionage platforms of the NSA.

Also called Equestre, the platform is used to deploy up to 116 modules to target connected devices, monitor them and to export data, if necessary. However, Kaspersky admits that as many as 86 modules used by the state malware platform have yet to be uncovered in the wild.

"The plugins we discovered probably represent just a fraction of the attackers' potential. Each plugin is assigned a unique plugin ID number (WORD), such as 0x8000, 0x8002, 0x8004, 0x8006, etc. All plugin IDs are even numbers and they all start from byte 0x80," claims Kaspersky.

It continues: "The biggest plugin ID we have seen is 0x80CA. To date, we have found 30 unique plugin IDs in total. Considering the fact that the developers assigned plugin IDs incrementally, and assuming that other plugin IDs were assigned to modules that we have not yet discovered, it's not hard to calculate that 86 modules have yet to be discovered.

It describes the architecture of the whole framework as resembling "a mini-operating system" with a "kernel-mode and user-mode components carefully interacting with each other via a custom message-passing interface".

The platform includes a set of drivers, a platform core (orchestrator) and a number of plugins. Every plugin has a unique ID and version number that defines a set of functions it can provide. Some of the plugins depend on others and might not work unless dependencies are resolved.

The company also lists a number of its most interesting modules by function. They include:

• Network traffic interception for stealing or re-routing.
• Reverse DNS resolution (DNS PTR records).
• Computer management:
  • Start/stop processes;
  • Load drivers and libraries;
  • Manage files and directories. System information gathering:
  • OS version;
  • Computer name;
  • User name;
  • Locale;
  • Keyboard layout;
  • Timezone;
  • Process list. Browsing network resources and enumerating and accessing shares;
• WMI information gathering;
• Collection of cached passwords;
• Enumeration of processes and other system objects;
• Monitoring LIVE user activity in web browsers;
• Low-level NTFS filesystem access based on the popular Sleuthkit framework;
• Monitoring removable storage drives;
• Passive network backdoor (runs Equation shellcode from raw traffic);
• HDD and SSD firmware manipulation;
• Keylogging and clipboard monitoring;
• Browser history, cached passwords and form auto-fill data collection.

An analysis of the code, claims Kaspersky, indicates English-speaking developers, but the company adds that it's "hard to tell reliably if the developers were native English speakers".

Kaspersky claims that the platform may have been initially developed and deployed as long ago as 1996, but that it was almost certainly in use from around 2001.

Last month, Kaspersky revealed details about how modules of the Equation Group of malware had the capability to embed themselves on hard-disk drive firmware, making it both hard to detect, as well as difficult to remove.

Kaspersky's full report on the EquationDrug platform can be downloaded here.