Skip to content ↓ | Skip to navigation ↓


An analysis of the EquationDrug espionage platform has revealed that its capabilities can be extended via modules, leading security researchers to compare the framework’s architecture to a “mini-operating system.”

In an article published on Securelist, Kaspersky Lab explains that EquationDrug is the main espionage platform used by Equation Group, an advanced threat actor that is responsible for having developed Stuxnet and Flare as well as malware that can reprogram HDD or SDD firmware from several different vendors.

The security researchers note that EquationDrug is not a Trojan but an espionage suite that employs multiple configurations and executables.

“The architecture of the whole framework resembles a mini-operating system with kernel-mode and user-mode components carefully interacting with each other via a custom message-passing interface,” Kaspersky Lab explains.

“The platform includes a set of drivers, a platform core (orchestrator) and a number of plugins. Every plugin has a unique ID and version number that defines a set of functions it can provide. Some of the plugins depend on others and might not work unless dependencies are resolved.”

Security researchers have identified 30 modules of the espionage platform thus far. Allegedly, an additional 86 plugins have yet to be discovered.

The use of sophisticated espionage platforms such as EquationDrug is not new. Other threat actors, such as Regin and Epic Turla, have employed similar threat frameworks.

What distinguishes EquationDrug from other espionage platforms, however, is the fact that its development might date as far back as the 90s.

“Some code paths in EquationDrug modules lead to OS version checks including a test for Windows 95, which is accepted as one of the supported platforms,” Kaspersky Lab said.

“While some other checks will not pass on Windows 95, the presence of this code means that this OS was supported in some earlier variants of the malware. Considering this and the existence of components designed to run on Windows 9x (such as VXD-files), as well as compilation timestamps dating back to the early 2000s, the hypothesis that these attackers have been active since the ’90s seems realistic. This makes the current attacker an outstanding actor operating longer than any other in the field.”

Though not technically obsolete, EquationDrug was replaced by the more modern ‘Grayfish’ platform, which incorporates encryption, a bootkit, and well-hidden plugins into its framework.

But a lull in activity since 2014 has Kaspersky wondering whether Equation Group has adopted even stealthier tactics.

“We don’t have any details on what software this group is using right now,” explains Igor Soumenkov, principal security researcher at Kaspersky Lab.

“They must have implemented some better techniques to evade detection and discovery.”

Efforts to attribute the actors behind Equation Group are ongoing, though some believe that the NSA may be at least partially responsible for the threat actor’s operations.

For more information on Equation Group, click here.