When the Shadow Brokers released a large number of tools by “The Equation Group” in 2017, the impact of some of these tools was felt immediately – namely in the WannaCry attack that same year, which crippled healthcare systems around the globe by weaponizing the EternalBlue exploit.
Many researchers jumped on the analysis of this and other exploits in an attempt to stay ahead of their use by attackers. Most exploits from the leak have since been thoroughly analyzed and patched.
However, the workings of its persistence tool, KillSuit, are still largely unknown.
Detecting KillSuit compromises
F-Secure Countercept’s Connor Morley has investigated and broken down this persistence component of the hacker framework DanderSpritz in order to ascertain its methods of persistence and installation, and indicators of compromise for a host. As the leaked version of the tool was last developed in 2013, it is fair to assume that in the four years between its development and eventual disclosure this tool was covertly used by a range of threat actors. During this four-year period the threat actors who developed them would have had unrestricted access to any Windows machine to conduct their operations and may have installed persistence across various estates. It is also likely that it will be leveraged for advanced malicious engagements in the future.
SolarTime (SOTI) is an advanced bootloader persistence mechanism used by The Equation Group as part of their frameworks. Threat Hunter Lacie Fan has researched how SOTI hides itself in the boot section and how to detect it.
By tearing down this advanced tool we may be able to understand its deployment and persistence mechanisms in enough detail to devise a method to detect legacy compromises, or even active attempts at compromise, that use the associated leaked toolsets. As the Equation Group is strongly suspected of being associated with the NSA, this tool and its associated framework were likely developed by a state actor, making it one of the more advanced tools available.
Download Connor’s piece on how to detect and remediate a KillSuit compromise. Then download Lacie’s paper on how to hunt for SOTI.