<— Back

The Story of Jian – How APT31 Stole and Used an Unknown Equation Group 0-Day

At the beginning of 2017, the Chinese-affiliated APT31 was caught deploying a 0-Day exploit against a US-based company. A CVE was issued for the vulnerability, it got patched, case closed. Right?

Well, turns out this isn’t exactly the case.

During their ongoing research of the exploits used by different malware and APT groups, our Malware and Vulnerability research teams stumbled upon a major revelation regarding this incident. While analyzing “Jian”, the caught-in-the-wild APT31 exploit, they saw evidence connecting it to unfamiliar tools of another well-known actor – Equation Group.

Join us as we unearth a hidden exploitation framework used by Equation Group’s DanderSpritz. This framework, named NtElevation, contains 4 different LPE exploits, of which the exploits code-named “EpMe” and “EpMo” were yet to receive any public attention. Not only so, but analysis of EpMe revealed it to be an exploit for the same vulnerability later used by APT31.

Coincidence? We think not.

In our talk, we compare Jian and EpMe, and show the vast similarity between the two. Taking into account the fingerprints of both actors, the evidence at hand points at a remarkable scenario – APT31 captured and adapted an unknown Equation Group 0-Day exploit for their own use, years before the Shadow Brokers leak reached the headlines.”