Cybersecurity researchers detailed a system called DoubleFeature, which is specifically used to record the different stages of deployment after DanderSpritz is deployed. DanderSpritz is a full-featured malware framework used by Equation Group.
DanderSpritz was exposed on April 14, 2017. At that time, a hacker organization named Shadow Brokers leaked the exploit tool, etc., and published a copy ofLost in translationThe leak also included EternalBlue, a network attack vulnerability developed by the National Security Agency (NSA) that allows threat actors to carry out NotPetya ransomware attacks on unpatched Windows computers.
The tool is a modular, hidden and fully functional framework that relies on dozens of plug-ins for post-development activities on Windows and Linux hosts. According to Check Point researchers, DoubleFeature is one of them, which acts as a “diagnostic tool for the victim machine carrying DanderSpritz.” Say In a new report released on Monday.
The Israeli cybersecurity company added: “DoubleFeature can be used as a Rosetta Stone to better understand the DanderSpritz modules and the systems compromised by them.” “This is the daydream of the incident response team.”
DoubleFeature is designed to maintain logs of tool types that can be deployed on the target machine. It is a Python-based dashboard. It can also double as a reporting utility to leak log information from the infected machine to the attacker-controlled server. A special executable file named “DoubleFeatureReader.exe” is used to interpret the output.
Some of the plug-ins monitored by DoubleFeature include the name UnitedRake (aka Formula drug) And PeddleCheap, a covert data breach backdoor named StraitBizarre, a spy platform named KillSuit (aka GrayFish), a persistent tool set named DiveBar, a covert network access driver named FlewAvenue, and a A validator implant called MistyVeal is used to verify whether the infected system actually has a real victim machine, not a research environment.
“Sometimes, the world of advanced APT tools and the world of ordinary malware look like two parallel universes,” the researchers said. “Nation-state actors tend to [maintain] Secret, huge code base, with a large number of functions, these functions have been developed after decades of actual needs. Facts have proved that we are still slowly chewing to reveal to us DanderSpritz’s leak 4 years ago and gain new insights. “
