<— Back

The Story of Jian – How APT31 Stole and Used an Unknown Equation Group 0-Day

At the beginning of 2017, the Chinese-affiliated APT31 was caught deploying a 0-Day exploit against a US-based company. A CVE was issued for the vulnerability, it got patched, case closed. Right?

Well, turns out this isn’t exactly the case.

During their ongoing research of the exploits used by different malware and APT groups, our Malware and Vulnerability research teams stumbled upon a major revelation regarding this incident. While analyzing “Jian”, the caught-in-the-wild APT31 exploit, they saw evidence connecting it to unfamiliar tools of another well-known actor – Equation Group.

Join us as we unearth a hidden exploitation framework used by Equation Group’s DanderSpritz. This framework, named NtElevation, contains 4 different LPE exploits, of which the exploits code-named “EpMe” and “EpMo” were yet to receive any public attention. Not only so, but analysis of EpMe revealed it to be an exploit for the same vulnerability later used by APT31.

Coincidence? We think not.

In our talk, we compare Jian and EpMe, and show the vast similarity between the two. Taking into account the fingerprints of both actors, the evidence at hand points at a remarkable scenario – APT31 captured and adapted an unknown Equation Group 0-Day exploit for their own use, years before the Shadow Brokers leak reached the headlines.”

Itay Cohen

Itay Cohen (a.k.a. Megabeets) is the Head of Research at Check Point Research. Itay has vast experience in malware reverse engineering and other security-related topics. He is the author of a security blog focused on making advanced security topics accessible for free. Itay is a maintainer of the open-source reverse engineering frameworks Rizin and Cutter. In his free time, he loves to participate in CTF competitions and contribute to open-source projects.

Israel Gubi

Israel Gubi is a security researcher and reverse engineer in the Malware Research Team at Check Point Research. Israel joined Check Point in 2017 and was part of the first cycle of the Check Point Security Academy. Israel mainly focuses on malware analysis and malware hunting of both cybercrime and Advanced Persistent Threat campaigns. In his free time, Israel loves any kind of sports, especially tennis and bouldering.