The Emerald Connection: EquationGroup collaboration with Stuxnet

Introduction

This article is part of an ongoing effort in my research into the use of a series of libraries called the Exploit Development Framework (EDF), created by EquationGroup for the development of their exploitation tools (exploits, implants, tools, and more). In my previous piece I wrote about my findings on the Fanny worm – better known to EquationGroup developers and operators as DEMENTIAWHEEL (DEWH).

In 2015 Kaspersky found interesting similarities between FANNY and Stuxnet: FANNY had been exploiting the MS10-046 LNK and MS09-025 EOP vulnerabilities years before Stuxnet was boosted with a new set of powerful exploits in 2009-2010.

Those connections led me to take a closer look at Stuxnet samples from 2009 and 2010 in the hope of finding code overlaps with the Exploit Development Framework:

Summary of the findings

  • Stuxnet’s exploits (both internally called svchost.dll and embedded as resources 221 and 222) for the MS10-061 Print Spooler and MS08-067 Server Service vulnerabilities were developed by EquationGroup, while the other exploits were probably developed by a different party.
  • For years researchers theorized that Stuxnet’s team may have come across an article called Print Your Shell by Carsten Köhler in Hakin9, but the evidence shows that the exploit in Stuxnet predates the publication of the article.

The EquationGroup exploitation tools EmeraldThread and EclipsedWing have implementations that are similar in key points and logic to Stuxnet’s exploits. Both pairs of exploits were created using the Exploit Development Framework. Functions from its libraries make up the vast majority of the code in Stuxnet’s exploits, as they were statically linked and merged with the exploit code during compilation in 2009.

Conclusion

The research shows evidence that around 2008-2009, EquationGroup developed two exploits and collaborated by lending them to the ongoing Stuxnet operation in 2009 and 2010 to boost its network-spreading capabilities.

I couldn’t find any code overlap in either of those two exploits beyond what Kaspersky’s researchers mentioned in their FANNY report, but I found that two other exploits had been built entirely by EquationGroup. The significance of these findings, however, adds more questions to Stuxnet’s mysterious development. The timeline of additions to Stuxnet and of developments within EquationGroup’s shop raises a question: why didn’t they collaborate with those exploits before 2009?

This research has expanded on the work of several researchers from different companies over the years. I would like to thank all of them, as well as Liam O’Murchu, Silas Cutler and Juan Andrés Guerrero-Saade, who collaborated in the revision of this material.


Read the complete technical report here:

Yara rule to detect TbInitStruct in exploits:

rule EquationGroup_TbInitStruct
{
    meta:
        author      = "Facundo Muñoz fmmresearcher@gmail.com / @fmmrsrch"
        description = "Detects the function TbInitStruct from tibe.dll/tibe-1.dll used by exploits and implants from EquationGroup, including Stuxnet exploits."
        reference   = "https://fmmresearch.wordpress.com/2020/09/28/the-emerald-connection-equationgroup-collaboration-with-stuxnet/"

    strings:
        $tbblock1 = { 68 00 20 00 00 89 AE 64 01 00 00 89 AE 24 04 00 00 89 AE B4 04 00 00 89 AE
                      B8 04 00 00 89 AE BC 04 00 00 66 89 86 C0 04 00 00 66 89 86 C2 04 00 00 66
                      89 86 C4 04 00 00 89 9E DC 04 00 00 89 9E D0 04 00 00 C7 86 D4 04 00 00 00
                      20 00 00 E8 ?? ?? ?? ?? 83 C4 04 3B C3 89 86 D8 04 00 00 0F 84 AC 01 00 00
                      89 AE 34 08 00 00 66 C7 86 2C 08 00 00 B0 03 89 9E 68 07 00 00 89 9E 38 08
                      00 00 89 AE 40 08 00 00 C7 86 DC 08 00 00 FA 00 00 00 89 AE 70 08 00 00 66
                      C7 86 A6 08 00 00 07 00 FF D7 8B D8 81 E3 FF 00 00 00 FF D7 C1 E0 08 0B D8
                      C1 E3 08 FF D7 25 FF 00 00 00 0B D8 C1 E3 08 FF D7 25 FF 00 00 00 0B D8 89
                      9E 74 08 00 00 FF D7 24 0F 0C 40 33 DB 8A F8 FF D7 8A D8 66 89 9E 78 08 00
                      00 FF D7 66 0F B6 D8 FF D7 33 D2 66 8B 96 78 08 00 00 8A F8 81 E2 FF 3F 00
                      00 81 CA 00 80 00 00 }

    condition:
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $tbblock1
}
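As an added illustration (my own code, not the author's or YARA's), the following Python re-implements the rule's condition without yara-python: it turns the $tbblock1 hex string, wildcards included, into a byte regex, applies the same MZ/PE header test, and runs both over a constructed test image. The function names and the test image are assumptions for the demo; the rule works on real files exactly as YARA evaluates it.

```python
import re
import struct

# Hex string $tbblock1 copied verbatim from the YARA rule above; "??" marks a wildcard byte.
TBBLOCK1 = """
68 00 20 00 00 89 AE 64 01 00 00 89 AE 24 04 00 00 89 AE B4 04 00 00 89 AE
B8 04 00 00 89 AE BC 04 00 00 66 89 86 C0 04 00 00 66 89 86 C2 04 00 00 66
89 86 C4 04 00 00 89 9E DC 04 00 00 89 9E D0 04 00 00 C7 86 D4 04 00 00 00
20 00 00 E8 ?? ?? ?? ?? 83 C4 04 3B C3 89 86 D8 04 00 00 0F 84 AC 01 00 00
89 AE 34 08 00 00 66 C7 86 2C 08 00 00 B0 03 89 9E 68 07 00 00 89 9E 38 08
00 00 89 AE 40 08 00 00 C7 86 DC 08 00 00 FA 00 00 00 89 AE 70 08 00 00 66
C7 86 A6 08 00 00 07 00 FF D7 8B D8 81 E3 FF 00 00 00 FF D7 C1 E0 08 0B D8
C1 E3 08 FF D7 25 FF 00 00 00 0B D8 C1 E3 08 FF D7 25 FF 00 00 00 0B D8 89
9E 74 08 00 00 FF D7 24 0F 0C 40 33 DB 8A F8 FF D7 8A D8 66 89 9E 78 08 00
00 FF D7 66 0F B6 D8 FF D7 33 D2 66 8B 96 78 08 00 00 8A F8 81 E2 FF 3F 00
00 81 CA 00 80 00 00
"""

def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a YARA hex string (with ?? wildcards) into a bytes regex."""
    parts = []
    for tok in pattern.split():
        parts.append(b"." if tok == "??" else b"\\x%02x" % int(tok, 16))
    return re.compile(b"".join(parts), re.DOTALL)   # DOTALL: a wildcard may be 0x0A too

def is_pe(data: bytes) -> bool:
    """Same test as the rule: uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"   # out-of-range slice is empty -> False

def matches_rule(data: bytes) -> bool:
    """Emulate the rule's condition: PE header check AND $tbblock1 found anywhere in the file."""
    return is_pe(data) and hex_pattern_to_regex(TBBLOCK1).search(data) is not None

def build_sample(include_pattern: bool, call_rel32: bytes = b"\x11\x22\x33\x44") -> bytes:
    """Constructed test image (not a real sample): minimal MZ/PE headers plus optional pattern."""
    header = bytearray(0x80)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)      # e_lfanew -> offset 0x40
    header[0x40:0x44] = b"PE\x00\x00"
    body = b"\x90" * 16
    if include_pattern:
        # Fill the E8 ?? ?? ?? ?? slot (call rel32) with arbitrary bytes; the rule must still match.
        body += bytes.fromhex(TBBLOCK1.replace("?? ?? ?? ??", call_rel32.hex()))
    return bytes(header) + body + b"\x00" * 8
```

The last assertion a practitioner should keep in mind: the pattern alone is not enough, since the rule also demands a valid PE header, so a raw memory dump or a carved code fragment without MZ/PE headers will not fire it.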