bvp47-pangulab2022

Bvp47 Top-tier Backdoor of US NSA Equation Group

by Pangu Lab 2022

https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf

Notes
Bvp47
NSA
Equation Group
backdoor
Linux malware
covert channel
obfuscation
self-destrucion, malware
Pangu Lab
Shadow Brokers
CIA
Edward Snowden, Prism incident
Russia, Japan, Spain, Germany, Italy
Operation Telescreen
George Orwell - 1984
thought police
0-day
nation-state
packet capture
NIDS
disk mirroring
implant
data leak
mail server
SYN packets generally do not carry a payload
SMB
PowerShell
scheduled task
Python SimpleHTTPServer
base64
port knocking
encryption
custom encrypted protocol
initserial filename 58b6696496450f254b1423ea018716dc
/usr/bin/modload filename
ELF
loader
payload
compression
NIDS generally don’t check data packets during TCP handshake
SYNKnock
Cisco
eqgrp-free-file.tar.xz.gpg, eqgrp-auction-file.tar.xz.gpg
Shadow Brokers disclosed password of eqgrp-auction-file.tar.xz.gpg in April 2017
dewdrop
solution-char_agents
tipoffs
StoicSurgion - multi-platform rootkit
insision
dewdrops_tipoffs contains private key for Bvp47
private key
RSA encryption
attribution by key
command and control
asymmetric encryption
rootkit
user.tool.stoicsurgeon.COMMON describes how to use tipoff
JunOS
FreeBSD
Solaris
Germany
Der Spiegel
NSA ANT catalog
top-secret
FOXACID-Server-SOP-Redacted.pdf
SecondDate
SecenData
shellcode
Windows
ace02468bdf13579
Algeria, Argentina, Egypt, Austria, Pakistan, Brazil, Sao Paulo, Brussels, Belgium, Poland
Boznia and Herzegovina, Botswana
University of Bremen
Bundeswehr University, Munich Germany
Dubna University
Bavaria
InterNetX
Philippines, Finland, South Korea, Sejong University, Hankuk University of Foreign Studies
Polytechnic University of Catalonia
Assumption University of Thailand
jump server
anti-forensics
segment encryption
BPF
Bvp47 self-destructs if certain conditions aren’t met
/dev/mem devmem
LKM
hooking
010 Editor
XOR encryption
string encryption
dynamic resolution of Linux kernel data structures and function addresses
md5
/proc/version
hooks: devmem_is_allowed, page_is_ram, sys_swapon, do_fork, si_swapinfo, release_task, dev_ioctl, d_alloc, vfs_readdir, sys_unlink, sys_rmdir, vfs_getattr, vfs_getattr64, tcp4_seq_show, listening_get_next, established_get_next, udp4_seq_show, raw_seq_show,
packet_seq_show, unix_seq_show, Selinux_xxx, get_raw_sock, sock_init_data, tcp_time_wait, unix_accept, read_mem, __inode_dir_notify, avc_has_perm, do_mount, sys_umount, do_acct_process, proc_root_lookup, kill_something_info, sys_kill, sys_tgkill, sys_getpriority,
sys_setpriority, sys_getpgid, sys_getsid, sys_capget, setscheduler, sys_sched_getscheduler, sys_sched_getparam, sched_getaffinity, sched_setaffinity, sys_sched_rr_get_interval, sys_ptrace, sys_wait4, sys_waitid, do_execve, sys_close, sys_open, sys_read, sys_write,
sys_dup, sys_dup2, sys_accept, sys_bind, sys_connect, sys_sendto, sys_sendmsg, sys_recvfrom, sys_recvfrom
__d_lookup
disabling SELinux by hooking avc_has_perm
evasion by modifying ELF magic in memory to avoid memory searching for ELF files
RC-X algorithm
environment detection
dynamic analysis
statvsf("/", &stats);
setrlimit
core dump
disable core dumping to prevent sample extraction
anti-sandbox
lstat
syscall
mkstmp anti-sandbox
/boot anti-sandbox; counting files in /boot may reveal sandbox environment
API flooding
delayed execution evasion

---