New details have emerged regarding a previously undetected Linux backdoor that is believed to have been created by the notorious Equation Group which has ties to the US National Security Agency (NSA).
According to a new report from the cybersecurity firm Pangu, security researchers from its Advanced Cyber Security Research team first found the malware behind the backdoor back in 2013 while conducting a “forensic investigation of a host in a key domestic department”. At that time, the team decided to name the malware Bvp47 due to the fact that the most common string in the sample was “Bvp” and 0x47 was the numerical value used in its encryption algorithm.
Despite the fact that Bvp47 was submitted to Virus Total's antivirus database almost a decade ago, it only appeared in one antivirus engine. Things have changed with the release of Pangu's report and it has now been flagged by six antivirus engines according to BleepingComputer.
During the almost ten years that the Bvp47 malware went undetected, it was used to hit more than 287 organizations in 45 countries with a focus on targets in the telecommunications, military, higher-education, financial and science sectors.
Ties to the Equation Group
The Bvp47 sample that was obtained from Pangu's Advanced Cyber Security Research team back in 2013 turned out to be an advanced Linux backdoor that also contained a remote control function protected using the RSA asymmetric encryption algorithm.
As such it requires a private key to enable and this private key was found in a series of leaks published by the Shadow Brokers hacking group during 2016-2017. The leaks themselves also contained hacking tools and zero-day exploits used by the Equation Group which is suspected of having ties to the NSA's Tailored Access Operations unit.
Some of the components found in these leaks such as “dewdrop” and “solutionchar_agents” were integrated into the Bvp47 framework which indicates that its backdoor could be used on Unix-based operating systems such as the mainstream Linux distros JunOS, FreeBSD and Solaris.
Based on automated analysis of the backdoor by Kaspersky's Threat Attribution Engine (KTAE), 34 out of 483 strings found in Bvp47 match those from from another Equation Group-related sample for Solaris SPARC systems. There was also a 30 percent similarity with another malware sample from the Equation Group which was submitted to Virus Total back in 2018.
Director of global research and the analysis team at Kapsersky, Costin Raiu told BleepingComputer that Bvp47's code-level similarities also match one other sample in its malware collection. This is a good indication that use of this malware wasn't widespread as is often the case with hacking tools created by high-level threat actors that only deploy them in highly targeted attacks.
Now that Bvp47's Linux backdoor has finally come to light, security researchers will likely conduct further analysis on it and we could see more evidence that it was used in other past attacks as well.