While digging and reversing my way through the Equation Group dump, I've come across a few interesting pieces that are probably not getting the attention they deserve. While a lot of the initial research has focused on the potential 0-days, the dump also gives a glimpse into the backbone tools and operational methods of a serious hacking group.
Certainly 0-days are great, but in my opinion the previously disclosed Fortidoor exploit is 100x more significant than the Fortigate HTTP 0-days disclosed in the dump. And while most of the dump is about firewall implants and a few exploits, there are some very interesting ops tools in the drop. One of those tools is NOPEN. It is referenced multiple times in their scripts/ops/docs, and seems to be one of the cornerstones of their infrastructure. It is significant both as a backdoor in a target network and as a tool deployed on a listening post to let you create a multi-layer call-back network. So let's take a closer look at this software.
Roughly speaking, NOPEN is a complete, statically compiled back door in one neat package. As we will see, it is a Unix RAT with an encrypted command channel, tunnels, libnet injection, and privilege escalation, among other things. It supports either being installed on the host and waiting for a third party to connect, or, as suggested in their docs:
1- you install it
2- it calls you / your listening post back
3- when you are done, burn it.
Ultimately it gives you a powerful yet simple shell and tunnel capabilities, all nicely wrapped in their now famous RC6 crypto. And while all of this initially looks pretty bad, there is actually some good news in terms of detecting and hunting this tool. So let's dive into the analysis, and at the end we will look at some strategies for detection.
I've provided some links to help navigate through the various sections below:
Because you should always welcome people in, after all... be polite...

NOPEN! v18.104.22.168
sh: 1: scanner: not found
sh: 1: ourtn: not found
sh: 1: scripme: not found
Wed Aug 31 18:07:05 GMT 2016
NHOME: environment variable not set, assuming "NHOME=/root/Firewall/TOOLS/NOPEN/.."
NHOME=/root/Firewall/TOOLS/NOPEN/..
Reading resource file "/root/Firewall/TOOLS/NOPEN/../etc/norc"...
/root/Firewall/TOOLS/NOPEN/../etc/norc: No such file or directory
TERM=xterm-256color
Entering connect mode
Attempting connection to 127.0.0.1:32754 (127.0.0.1:32754)... ok
Initiating RSA key exchange
Generating random number... ok
Initializing RC6... ok
Sending random number... ok
Receiving random number... ok
Generating session key... 0x0DE6200E48AB016831720B109B8B2874
Sending first verify string... ok
Receiving second verify string... ok
Checking second verify string... ok
RSA key exchange complete
NOPEN server version... 22.214.171.124

Connection
    Bytes In / Out      201/94 (213%C) / 63/4 (1575%C)
    Local Host:Port     localhost:41847 (127.0.0.1:41847)
    Remote Host:Port    127.0.0.1:32754 (127.0.0.1:32754)
    Remote Host:Port    kali:32754 (127.0.0.1:32754)
Local
    NOPEN client        126.96.36.199
    Date/Time           Wed Aug 31 18:07:05 UTC 2016
    History Command Out
    CWD                 /root/Firewall/TOOLS/NOPEN
    NHOME               /root/Firewall/TOOLS/NOPEN/..
    PID (PPID)          6904 (6896)
Remote
    NOPEN server        188.8.131.52
    WDIR                NOT SET
    OS                  Linux 4.6.0-kali1-amd64 #1 SMP Debian 4.6.4-1kali1 (2016-07-21) x86_64
    CWD
    PID (PPID)          6908 (6889)

Reading resource file "/root/Firewall/TOOLS/NOPEN/../etc/norc.linux"...
/root/Firewall/TOOLS/NOPEN/../etc/norc.linux: No such file or directory
History loaded from "/root/Firewall/TOOLS/NOPEN/../down/history/kali.127.0.0.1"... ok
Creating command output file "/root/Firewall/TOOLS/NOPEN/../down/cmdout/kali.127.0.0.1-2016-08-31-18:07:05"... ok

Lonely? Bored? Need advice? Maybe "-help" will show you the way.

We are starting up our virtual autoport
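As an added example (not code from the post or from the NOPEN tooling), here is a small Python triage parser for NOPEN client session output like the banner above: it pulls the client/server versions, remote endpoint, session key and the history/cmdout artifact paths an operator leaves behind, and checks that the RSA/RC6 handshake ran to completion in order, which is what you want when reviewing recovered listening-post output. The sample log is reconstructed from the session above, with the version strings as they appear in the post.

```python
import re

# Sample NOPEN client output, reconstructed from the session shown in the post.
SESSION_LOG = """NOPEN! v18.104.22.168
Entering connect mode
Attempting connection to 127.0.0.1:32754 (127.0.0.1:32754)... ok
Initiating RSA key exchange
Generating random number... ok
Initializing RC6... ok
Sending random number... ok
Receiving random number... ok
Generating session key... 0x0DE6200E48AB016831720B109B8B2874
Sending first verify string... ok
Receiving second verify string... ok
Checking second verify string... ok
RSA key exchange complete
NOPEN server version... 22.214.171.124
History loaded from "/root/Firewall/TOOLS/NOPEN/../down/history/kali.127.0.0.1"... ok
Creating command output file "/root/Firewall/TOOLS/NOPEN/../down/cmdout/kali.127.0.0.1-2016-08-31-18:07:05"... ok
"""

# Handshake lines in the order the client prints them (prefix match).
HANDSHAKE_STEPS = [
    "Initiating RSA key exchange", "Generating random number... ok",
    "Initializing RC6... ok", "Sending random number... ok",
    "Receiving random number... ok", "Generating session key...",
    "Sending first verify string... ok", "Receiving second verify string... ok",
    "Checking second verify string... ok", "RSA key exchange complete",
]

# Fields worth extracting for triage; each regex captures one value.
FIELD_PATTERNS = {
    "client_version": r"NOPEN! v(\S+)",
    "remote": r"Attempting connection to (\S+) \(",
    "session_key": r"Generating session key\.\.\. (0x[0-9A-Fa-f]+)",
    "server_version": r"NOPEN server version\.\.\. (\S+)",
    "history_file": r'History loaded from "([^"]+)"',
    "cmdout_file": r'Creating command output file "([^"]+)"',
}

def parse_nopen_session(text):
    """Return extracted fields plus whether the handshake completed in order."""
    info = {name: None for name in FIELD_PATTERNS}
    step = 0  # index of the next expected handshake line
    for line in text.splitlines():
        line = line.strip()
        if step < len(HANDSHAKE_STEPS) and line.startswith(HANDSHAKE_STEPS[step]):
            step += 1
        for name, pattern in FIELD_PATTERNS.items():
            m = re.match(pattern, line)
            if m:
                info[name] = m.group(1)
    info["handshake_complete"] = step == len(HANDSHAKE_STEPS)
    return info
```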