Cybersecurity researchers have offered a detailed look at a system called DoubleFeature, which is dedicated to logging the various post-exploitation stages that follow the deployment of DanderSpritz, a comprehensive malware framework used by the Equation Group.
DanderSpritz came to light on April 14, 2017, when a hacking group known as the Shadow Brokers leaked the exploitation tool, among other things, in a dispatch titled “Lost in Translation”. The leaks also included EternalBlue, an exploit developed by the United States National Security Agency (NSA) that later allowed malicious actors to carry out the NotPetya ransomware attack on unpatched Windows computers.
The tool is a modular, stealthy, and fully functional framework that relies on dozens of plugins for post-exploitation activities on Windows and Linux hosts. DoubleFeature is one of them, and works as “a diagnostic tool for victimized machines carrying DanderSpritz,” Check Point researchers said in a new report released on Monday.
“DoubleFeature could be used as a sort of Rosetta Stone to better understand DanderSpritz modules and the systems compromised by them,” the Israeli cybersecurity firm added. “It’s the pipe dream of an incident response team.”
Designed to keep a log of the types of tools that might be deployed to a target machine, DoubleFeature is a Python-based dashboard that also serves as a reporting utility to exfiltrate logging information from the infected machine to an attacker-controlled server. The output is interpreted using a specialized executable named “DoubleFeatureReader.exe”.
Some of the plugins monitored by DoubleFeature include remote access tools called UnitedRake (aka EquationDrug) and PeddleCheap, a stealthy data exfiltration backdoor dubbed StraitBizarre, a spy platform called KillSuit (aka GrayFish), a set of persistence tools called DiveBar, a secret network access driver called FlewAvenue, and a validation implant called MistyVeal that checks whether the compromised system is indeed a genuine victim machine and not a research environment.
“Sometimes the world of high-level APT tools and the world of ordinary malware can appear to be two parallel universes,” the researchers said. “State actors tend to [maintain] clandestine and gigantic code bases, packed with a vast array of features that have been cultivated over decades due to practical needs. It turns out that we, too, continue to slowly chew on the 4-year-old leak that revealed DanderSpritz to us and gain new knowledge.”