Cyber security firm Kaspersky Lab has uncovered and explained, in great detail, how EquationDrug operates.
EquationDrug, or Equestre is not your average Trojan – it's a complete espionage platform, most likely used by nation-states to conduct cyber espionage (and / or cyberattacks). It’s characterised by highly sophisticated code and the ability to ship out and activate different plugins, depending on the spy’s needs.
“It's important to note that EquationDrug is not just a Trojan, but a full espionage platform, which includes a framework for conducting cyberespionage activities by deploying specific modules on the machines of selected victims,” it says in the Securelist blog post.
The platform’s common features include taking screenshots and collecting files, but can be extended through various plugins and modules.
“The architecture of the whole framework resembles a mini-operating system with kernel-mode and user-mode components carefully interacting with each other via a custom message-passing interface.”
Kaspersky says the platform can be as sophisticated ‘as a space station”, but it appears to be of no use without its cyberespionage features.
And some of those features include network traffic interception for stealing or re-routing, computer management (starting/stopping processes, managing files and directories, etc.), system information gathering, collecting cached passwords, or monitoring LIVE user activity in web browsers.
Unlike ‘traditional cybercriminals’, nation-state cyber attackers are looking for “better stability, invisibility, reliability and universality in their cyberespionage tools”, and are interested in targeting specific users, rather than mass-distribution of Trojans.
“While traditional cybercriminals typically reuse one malicious file for all victims, nation-states prepare malware unique to each victim and even implement restrictions preventing decryption and execution outside of the target computer.”