Experts told about the secret hacker tool Bvp47 of the Equation Group


Researchers from the Chinese Pangu Lab have revealed details about the “top-level” backdoor used by the APT-grouping Equation Group. The tool, dubbed Bvp47 due to numerous references to the Bvp string and the numeric value 0x47 in the encryption algorithm, was discovered on Linux-based systems during an investigation in 2013.

During the Operation Telescope malware campaign related to the deployment of Bvp47, a variant of the malware was used, characterized by “advanced hidden channel behavior based on TCP SYN packets, code obfuscation, system concealment and self-destruction tactics.”

Bvp47 was used to carry out attacks on more than 287 facilities in the academic, economic, military, scientific and telecommunications sectors located in 45 countries, mainly in China, Korea, Japan, Germany, Spain, India and Mexico. The malware has gone unnoticed for more than a decade.

The backdoor is also equipped with a remote control function, which is protected by an encryption algorithm.

Presumably, the group is associated with the Tailored Access Operations (TAO) division of the NSA. The Equation Group malware suite became public in 2016, when the Shadow Brokers group unveiled the entire package of exploits used by the elite hacker team.

The incident analyzed by Pangu Lab includes two servers compromised from the inside, an email server and a corporate server named V1 and V2, respectively, as well as an external domain (designated as A) using a new two-way communication mechanism to steal confidential data from systems.

“There is an abnormal connection between external host A and server V1. In particular, A first sends a SYN packet with a 264-byte payload to port 80 of server V1, and then server V1 immediately initiates an external connection to the high-performance port of machine A and supports a large amount of data exchange,” the experts said.

“The tool is well designed, powerful and widely adapted. His ability to network attacks exploiting zero-day vulnerabilities was unstoppable, and his data collection under covert control did not require much effort,” the experts noted.