Cybersecurity researchers have provided a detailed look at a system called DoubleFeature that is dedicated to logging the various post-exploitation stages stemming from the deployment of DanderSpritz, a full-featured malware framework used by the Equation Group.
DanderSpritz came to light on April 14, 2017, when a hacking group known as the Shadow Brokers leaked the tool, among others, in a dispatch titled “Lost in Translation.” Also included in the leak was EternalBlue, a cyber exploit developed by the US National Security Agency (NSA) that enables threat actors to carry out NotPetya ransomware attacks on unpatched Windows computers.
The tool is a modular, stealthy and fully functional framework that relies on dozens of plugins for post-exploitation operations on Windows and Linux hosts. DoubleFeature is one of those plugins and functions as a “diagnostic tool for victim machines carrying DanderSpritz,” Check Point researchers say in a new report published Monday.
The Israeli cybersecurity firm added: “DoubleFeature can be used as a Rosetta Stone to gain insight into DanderSpritz modules and the systems compromised by them. It’s an incident response team’s fantasy dream.”
Designed to keep logs of the kinds of tools that may be deployed on the target machine, DoubleFeature is a Python-based console that also serves as a reporting utility, sending logging information from the infected machine back to a server controlled by the attacker. The output is interpreted using a dedicated executable named “DoubleFeatureReader.exe.”
Some of the plugins tracked by DoubleFeature include the remote access tools UnitedRake (aka EquationDrug) and PeddleCheap, a stealthy data exfiltration backdoor called StraitBizarre, an espionage platform called KillSuit (aka GrayFish), a persistence toolkit called DiveBar, a covert network access driver called FlewAvenue, and a validator implant called MistyVeal that verifies whether a compromised system is indeed a genuine victim machine and not a research environment.
“Sometimes, the world of high-level APT tools and the world of regular malware can seem like two parallel universes,” the researchers said. “National actors tend to [maintain] clandestine, huge codebases, exhibiting a wide range of features that have been honed over decades by real-world needs. It turns out that we’re also slowly munching on the 4-year-old leak that revealed DanderSpritz to us, and gaining new insights.”