Highlights:
- A Chinese-affiliated attack group (APT31) cloned and actively used an American-affiliated attack group’s (Equation Group) cyber offensive tool code named “EpMe”.
- Both attack tools exploit a then unknown Windows vulnerability (CVE-2017-0005), for elevating the privileges of the attacker on the infected machine.
- The American version of the tool was cloned by APT31 during 2014 to form “Jian”. This Chinese cloned version was in turn used since at least 2015, until finally caught and patched in March 2017.
- “Jian” was reported to Microsoft by Lockheed Martin’s Computer Incident Response Team, hinting at a possible attack against an American target.
Introduction
In the last few months, Check Point Research (CPR) focused on recent Windows Local Privilege Escalation (LPE) exploits attributed to Chinese actors. An LPE is used by attackers to acquire Administrator rights on a Windows machine. During this investigation, our malware and vulnerability researchers managed to unravel the hidden story and origins behind “Jian”, an exploit that was previously attributed to the Chinese-affiliated attack group named APT31 (Zirconium). The attack tool was caught and reported to Microsoft by Lockheed Martin’s Computer Incident Response Team, suggesting at a possible attack against an American target.
Our Findings
For the sake of brevity, we dubbed APT31’s exploit as “Jian”. During this investigation, our researchers managed to unravel the hidden story behind “Jian,” which translates to a double-edged straight sword used in China. The “Jian” exploit was previously attributed to APT31 (Zirconium), and we’ve now discovered its true origins.
Our research shows that CVE-2017-0005, a Windows LPE vulnerability that was attributed to a Chinese APT, was replicated based on an Equation Group exploit for the same vulnerability that the APT had access to. “EpMe”, the Equation Group exploit for CVE-2017-0005, is one of 4 different LPE exploits included in the DanderSpritz attack framework. DanderSpritz is Equation Group’s post-exploitation framework that contains a wide variety of tools for persistence, reconnaissance, lateral movement, bypassing Antivirus engines, and more. “EpMe” dates back to at least 2013, which is four years before APT31 was caught exploiting the vulnerability in the wild.
In our technical blog, we introduce the four different Windows LPE exploits included in the DanderSpritz framework, revealing an additional exploit code-named “EpMo”. “EpMo”, one of the exploits in the framework, was never publicly discussed and the unknown vulnerability it targets was patched by Microsoft in May 2017 with no apparent announcement. The patch could potentially be associated with the after-effects of the Shadow Brokers leak of Equation Group tools. While the vulnerability was fixed, we couldn’t identify the official vulnerability ID (CVE-ID) associated with it, and to our knowledge, this is the first public mention of the existence of this additional Equation Group vulnerability.
Summary
Our research started by analyzing “Jian”, the Chinese (APT31 / Zirconium) exploit for CVE-2017-0005, which was reported by Lockheed Martin’s Computer Incident Response Team. To our surprise, we found out that this APT31 exploit was in fact a reconstructed version of an Equation Group exploit, dubbed “EpMe”. This means that a Chinese-affiliated group used an Equation Group exploit possibly against American targets.
The case of “EpMe” / “Jian” is unique, as we have evidence that “Jian” was constructed from the actual sample of the Equation Group exploit. Having dated the APT31’s samples to 3 years prior to the Shadow Broker’s leak, our hypothesis is that these Equation Group exploit samples could have been acquired by the Chinese APT in one of the following ways:
- Captured during an Equation Group network operation on a Chinese target
- Captured during an Equation Group operation on a 3rd-party network which was also monitored by the Chinese APT
- Captured by the Chinese APT during an attack on Equation Group infrastructure
Read the full technical story at our research blog.