A new shocking report reveals that the Chinese State sponsored Buckeye APT hackers group stole and used the Equation Group tools prior to year shadow brokers leaked.
In 2017, The Shadow Brokers, an unknown group of hackers stolen zero-day exploits, malware, and hacking tools from the Equation Group, one of the most sophisticated cyber attack groups in the world and a unit of the National Security Agency (NSA).
Prior this incidents, Chinese based Buckeye group also known as aka APT3, had gained access to those tools and used it for a variety of attacks to gain persistent access to the various targeted organizations.
Buckeye group had been active since 2009 and commit various cyber attacks on the targets mainly an organization based in the United States, and also this group exploited various Zero-day vulnerabilities in 2014 that has been used it as a part of the attack campaign.
In March 2016, the Buckeye group using one of the well-known variant called DoublePulsar, One of the sophisticated NSA backdoor that is leaked by the Shadow Brokers in 2017, at the same time, it used the custom exploit tool (Trojan.Bemstour) to reach the targeted victims.
Bemstour exploits two Windows Zero-day vulnerabilities (CVE-2019-0703),(CVE-2017-0143) )in order to achieve remote kernel code execution on targeted computers and later moments these zero-day was used by two NSA Owned exploit tools—EternalRomance and EternalSynergy.
Bemstour Exploit Tools From Buckeye
Based on the evidence that discovered by Symantec researchers, Buckeye group used the stolen NSA hacking tools against a target that resides in Hong Kong where attackers deliver the malware named as “Buckeye” via Bemstour Exploit tools.
Bemstour exploits two Windows Zero-day vulnerabilities (CVE-2019-0703)
(CVE-2017-0143) )in order to achieve remote kernel code execution on targeted computers and later moments these zero-day was used by two NSA Owned exploit tools—EternalRomance and EternalSynergy.
According to Symantec report, “Bemstour is specifically designed to deliver a variant of the DoublePulsar backdoor. DoublePulsar is then used to inject a secondary payload, which runs in memory only. The secondary payload enables the attackers to access the affected computer even after DoublePulsar is removed. “
“The variant of DoublePulsar used in the first attacks performed by Buckeye was different to that leaked by the Shadow Brokers. It appears to contain code to target newer versions of Windows (Windows 8.1 and Windows Server 2012 R2), indicating that it is a newer version of the malware.”
In September 2016, Bemstour exploit tool was rolled out with significant improvement that can exploit both 32-bit and 64-bit system and it was targeted to attack educational institution in Hong Kong.
Development of the Bemstour Exploit tool continuing into 2019 and the new sample of this variant was discovered by Symantec on March 23, 2019.
How Buckeye obtained Equation Group tools at least a year prior to the Shadow Brokers leak remains unknown.
The researchers believe that there are multiple possibilities as to how Buckeye obtained Equation Group tools .
- Buckeye may have engineered its own version of the tools from artifacts found in captured network traffic, possibly from observing an Equation Group attack.
- Buckeye obtaining the tools by gaining access to an unsecured or poorly secured Equation Group server, or that a rogue Equation group member or associate leaked the tools to Buckey
Indicators of Compromise
SHA 256
cbe23daa9d2f8e1f5d59c8336dd5b7d7ba1d5cf3f0d45e66107668e80b073ac3
53145f374299e673d82d108b133341dc7bee642530b560118e3cbcdb981ee92c
01f53953db8ba580ee606043a482f790082460c8cdbd7ff151d84e03fdc87e42
6b1f8b303956c04e24448b1eec8634bd3fb2784c8a2d12ecf8588424b36d3cbc
7bfad342ce88de19d090a4cb2ce332022650abd68f34e83fdc694f10a4090d65
3dbe8700ecd27b3dc39643b95b187ccfd44318fc88c5e6ee6acf3a07cdaf377e
1c9f1c7056864b5fdd491d5daa49f920c3388cb8a8e462b2bc34181cef6c1f9c
951f079031c996c85240831ea1b61507f91990282daae6da2841311322e8a6d7
