On Good Friday and ahead of the Easter holiday, the Shadow Brokers have dumped a new collection of files, containing what appears to be exploits and hacking tools targeting Microsoft’s Windows OS and evidence the Equation Group had gained access to servers and targeted the SWIFT banking system of several banks across the world.
The tools were dumped via the Shadow Brokers Twitter account and were accompanied by a blog post, as the group did in the past.
Called “Lost in Translation,” the blog post contains the usual indecipherable ramblings the Shadow Brokers have published in the past, and a link to a Yandex Disk file storage repo.
The password for these files is “Reeeeeeeeeeeeeee“, and they’ve already been unzipped and hosted on GitHub by security researchers.
A list of all the files contained in the dump is available here, and it reveals the presence of 23 new hacking tools named such as ODDJOB, EASYBEE, EDUCATEDSCHOLAR, ENGLISHMANSDENTIST, ESKIMOROLL, ECLIPSEDWING, EMPHASISMINE, EMERALDTHREAD, ETERNALROMANCE, ETERNALSYNERGY, EWOKFRENZY, EXPLODINGCAN, ERRATICGOPHER, ESTEEMAUDIT, DOUBLEPULSAR, MOFCONFIG, FUZZBUNCH, and others.
Last year, the Shadow Brokers claimed to have stolen these files from a cyber-espionage group known as the Equation Group, which many security firms claim is the NSA. They put up the tools up for auction, but nobody was interested in paying the hefty price of 1 million Bitcoin (around $570 million at the time).
Equation Group had backdoors inside many banks around the world
Last week, the Shadow Brokers dumped the password for the files they had put up for auction last summer. Missing from last week’s dump were the Windows files they put up for individual auctions over the winter.
This dump contains three folders named Windows, Swift, and OddJob. The Windows folder contains several Windows hacking tools, albeit these don’t look like the same tools that were put up for sale last December. The folder OddJob contains an eponymous implant that can be delivered to Windows operating systems. Details on this implant are scarce at the moment.
The folder claiming to hold SWIFT data contains SQL scripts that search for SWIFT-specific data, and text and Excel files that hint the Equation Group had hacked and gained access to several banks across the world, mainly in Middle Eastern countries such as Palestine, UAE, Kuwait, Qatar, and Yemen.
As the tools were dumped two hours before this article’s publication, we have very little information about their purpose, except a few tweets from security researchers that have managed to figure out the role of some of these hacking tools:
EASYBEE appears to be an MDaemon email server vulnerability [source, source, source]
EASYPI is a Lotus Notes exploit [source, source], but which gets detected as Stuxnet [source]
EWOKFRENZY is an exploit for Lotus Domino 6.5.4 to 7.0.2 [source, source]
EXPLODINGCAN is an IIS 6.0 exploit that creates a remote backdoor [source, source]
ETERNALROMANCE is a SMB1 exploit over TCP port 445 which targets XP, 2003, Vista, 7, Windows 8, 2008, 2008 R2, and gives SYSTEM privileges [source, source]
EDUCATEDSCHOLAR is a SMB exploit [source, source]
EMERALDTHREAD is a SMB exploit for Windows XP and Server 2003 [source, source]
EMPHASISMINE is a remote IMAP exploit for IBM Lotus Domino [source, source]
ENGLISHMANSDENTIST appears to set Outlook Exchange WebAccess rules remotely to trigger executable code on client, and then sends an email to user [source, source]
ERRATICGOPHER is legacy SMB exploit targeting Windows XP and Server 2003 [source, source]
ETERNALSYNERGY is a SMBv3 remote code execution flaw for Windows 8 and Server 2012 [source, source, source]
ETERNALBLUE is a SMBv2 exploit [source]
ETERNALCHAMPION is a SMBv1 exploit [source]
ESKIMOROLL is a Kerberos exploit targeting 2000, 2003, 2008 and 2008 R2 domain controllers [source, source]
ESTEEMAUDIT is an RDP exploit and backdoor for Windows Server 2003 [source, source]
ECLIPSEDWING is an RCE exploit for the Server service in Windows Server 2008 and later [source, source]
ETRE is an exploit for IMail 8.10 to 8.22 [source]
FUZZBUNCH is an exploit framework, similar to MetaSploit [source, source]
EquationGroup had scripts that could scrape Oracle databases for SWIFT data [source, source]
ODDJOB is an implant for Windows [source]
Metadata [possibly faked, possibly real] links NSA to Equation Group [source]
NSA used TrueCrypt for storing operation notes [source]
Some of the Windows exploits released today were undetectable on VirusTotal [source]
Some EquationGroup humor in the oddjob instructions manual [source, source]
JEEPFLEA_MARKET appears to be an operation for collecting data from several banks around the world [source], previously linked to the NSA by Snowden [source]
The Equation Group targeted EastNets, a SWIFT connectivity provider [source, source, source, source, source]