Cybersecurity researchers have supplied an in depth glimpse right into a system known as DoubleFeature that is devoted to logging the totally different levels of post-exploitation stemming from the deployment of DanderSpritz, a full-featured malware framework utilized by the Equation Group.

DanderSpritz got here to gentle on April 14, 2017, when a hacking group generally known as the Shadow Brokers leaked the exploit software, amongst others, beneath a dispatch titled “Misplaced in Translation.” Additionally included within the leaks was EternalBlue, a cyberattack exploit developed by the U.S. Nationwide Safety Company (NSA) that enabled menace actors to hold out the NotPetya ransomware assault on unpatched Home windows computer systems.

The software is a modular, stealthy, and totally useful framework that depends on dozens of plugins for post-exploitation actions on Home windows and Linux hosts. DoubleFeature is one amongst them, which capabilities as a “diagnostic software for sufferer machines carrying DanderSpritz,” researchers from Examine Level mentioned in a brand new report revealed Monday.

“DoubleFeature could possibly be used as a type of Rosetta Stone for higher understanding DanderSpritz modules, and programs compromised by them,” the Israeli cybersecurity agency added. “It is an incident response staff’s pipe dream.”

Designed to take care of a log of the forms of instruments that could possibly be deployed on a goal machine, DoubleFeature is a Python-based dashboard that additionally doubles up as a reporting utility to exfiltrate the logging info from the contaminated machine to an attacker-controlled server. The output is interpreted utilizing a specialised executable named “DoubleFeatureReader.exe.”

Among the plugins monitored by DoubleFeature embody distant entry instruments known as UnitedRake (aka EquationDrug) and PeddleCheap, a stealthy information exfiltration backdoor dubbed StraitBizarre, an espionage platform known as KillSuit (aka GrayFish), a persistence toolset named DiveBar, a covert community entry driver known as FlewAvenue, and a validator implant named MistyVeal that verifies if the compromised system is certainly an genuine sufferer machine and never a analysis surroundings.

“Typically, the world of high-tier APT instruments and the world of abnormal malware can look like two parallel universes,” the researchers mentioned. “Nation-state actors are likely to [maintain] clandestine, gigantic codebases, sporting an enormous gamut of options which were cultivated over a long time as a consequence of sensible want. It seems we too are nonetheless slowly chewing on the 4-year-old leak that exposed DanderSpritz to us, and gaining new insights.”