The Equation Hacking Group’s DanderSpritz Framework is Causing Problems
- By David Lukic
- Published: Dec 28, 2021
- Last Updated: Mar 18, 2022
Digital security specialists are revealing the details of a malware framework dubbed DanderSpritz, attributed to the Equation Group. Deploying DanderSpritz sets the stage for a component called DoubleFeature, which logs post-exploitation activity on targeted computers.
What is DanderSpritz All About?
DanderSpritz first appeared in mid-April of 2017. A hacking collective referred to as the “Shadow Brokers” released the exploit tool within a dispatch dubbed “Lost in Translation.” The moniker might be a reference to the Bill Murray film by the same name released in 2003.
The leak included a digital attack exploit, EternalBlue, created by the United States National Security Agency (NSA). EternalBlue empowered threat actors to launch ransomware attacks on Windows computers that lacked the proper patching. These attacks were referred to as “NotPetya” attacks.
What is the Role of DoubleFeature?
The DanderSpritz tool is a full framework, discrete and modular. The tool uses dozens of plug-ins to conduct post-exploitation on machines with Windows and Linux operating systems. DoubleFeature is one of these plug-ins.
According to cybersecurity researchers from the Israeli digital security firm Check Point, DoubleFeature works as a diagnostic tool on targeted machines that have DanderSpritz. Check Point released this information in a report made public this past Monday, December 20.
DoubleFeature functions like a translation service that helps provide a more thorough understanding of DanderSpritz and its unique modules. DoubleFeature also makes it easier to understand the systems that have been compromised. This plug-in maintains a complex and detailed recording of the tools deployed on targeted machines.
DoubleFeature is essentially a Python dashboard that functions as a reporting utility for data exfiltrated from attacked machines. The data is transmitted to a server controlled by the hackers, where the resulting information is then interpreted using a dedicated executable called DoubleFeatureReader.exe.
DoubleFeature monitors remote access tools, backdoors for data exfiltration, toolsets, covert networks, espionage platforms, and plenty more. DoubleFeature also monitors validator implants that confirm whether targeted systems are authentic as opposed to merely being a research environment.
What Else Did the Cybersecurity Researchers Say About the Equation Hacking Group?
The Check Point researchers stressed that ordinary malware and APT tools might seem somewhat analogous at times. These digital security gurus also pointed out that nation-state hackers tend to be secretive, employ massive codebases and use a wide range of features carefully developed across several decades.
Check Point admitted it was a bit slower than it should have been in developing an understanding of the DanderSpritz framework. However, blame can be spread across the entire cybersecurity industry. Look for Check Point and additional digital security researchers to reveal further insights into DanderSpritz in the weeks and months ahead.