NEWS ANALYSIS: Security experts say the Equation Group has long since shut down its malware operation after its cover was blown, but the code is available for cyber-criminals to repurpose and refine.
If you’re worried about the malware revealed by Kaspersky Lab a few days ago and attributed to the shadowy “Equation Group” the latest word is that it’s probably no longer active and any spyware that was put into place on hard drives and elsewhere is likely sending its reports uselessly into the ether. Unfortunately, that’s not necessarily very good news.
“Now that this malware has been spoken about by Kaspersky, in great detail, those who were using it previously are no longer using it and it’s very likely that it hasn’t been in use for a while,” said Adam Kujawa, head of malware intelligence for Malwarebytes.
“I say this because folks like these generally know when they have been made, and it’s usually just a few commands to completely shut down the operation and erase its existence.”
Vitaly Kamluk, principal security researcher at Kaspersky Lab, agrees. “Typically, when there is some exposure, the actor behind the attacks will take down the structure,” he said. Kamluk is one of the team at Kaspersky who found and analyzed the Equation group’s malware and its associated spyware. “This is several years old,” he added.
So if the malware is old, no longer being actively distributed and likely is being ignored, why all the interest? Partly, it’s due to the fact that about 500 infestations of the malware are still out there.
Even though it’s not currently doing much, that doesn’t mean it can’t. In addition, the fact remains that this malware was able to be fielded and used for years without anyone noticing, and some parts of it are so effectively hidden that they may be impossible to find.
But there’s another reason that’s much more sinister. Once the Equation group learned that its spyware campaign was unmasked, they almost certainly sent out a new version of malware that is as yet undiscovered.
In addition, some components of the Equation Group malware are still out there causing problems, notably a component called “fanny.exe.” The Fanny malware is the component that allows a USB stick to infect a computer simply by inserting it. It was a component of Stuxnet and has been part of the related malware that followed.
Unfortunately, the fallout from the Equation group’s malware is significant. While the original malware is probably not doing anything, what happened next is that cyber-criminals discovered what was possible and certainly have begun working on something similar.
In addition, now that Kaspersky has published the actual code, it can be taken apart and analyzed, meaning that a malware creator can either copy the process or use what’s in the code to create new and better, but potent malware.