The hypothesis is that the detection of DoubleFantasy encoded configuration files indicates potential adversary use of obfuscation techniques to hide malicious payloads or exfiltration mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage adversary activity that may evade traditional detection methods.
YARA Rule
rule apt_equation_doublefantasy_genericresource
{
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect DoubleFantasy encoded config http://goo.gl/ivt8EW"
        version = "1.0"
        last_modified = "2015-02-16"
        reference = "http://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/"
    strings:
        $mz = "MZ"
        $a1 = {06 00 42 00 49 00 4E 00 52 00 45 00 53 00}
        $a2 = "yyyyyyyyyyyyyyyy"
        $a3 = "002"
    condition:
        (($mz at 0) and all of ($a*)) and filesize < 500000
}
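To see exactly what the rule's condition requires, here is an added example (not Kaspersky's code and not part of the original page) that re-implements the four string patterns and the condition in plain Python, so the matching logic can be exercised offline without yara-python. The sample buffers it builds are constructed test data, not real DoubleFantasy files; the helper names are the example's own.

```python
# Added example: re-implements the condition of Kaspersky's
# apt_equation_doublefantasy_genericresource rule in plain Python so the
# matching logic can be checked without yara-python. Not the rule's own code;
# the buffers produced by build_sample() are constructed, not real samples.

# The four string patterns from the rule, as raw bytes.
MZ = b"MZ"                                                         # $mz
A1 = bytes.fromhex("06 00 42 00 49 00 4E 00 52 00 45 00 53 00")  # $a1: length-prefixed UTF-16LE "BINRES"
A2 = b"y" * 16                                                     # $a2: sixteen 'y' bytes
A3 = b"002"                                                        # $a3
MAX_FILESIZE = 500000                                              # condition: filesize < 500000


def matches_doublefantasy_config(data: bytes) -> bool:
    """True when `data` satisfies (($mz at 0) and all of ($a*)) and filesize < 500000."""
    if len(data) >= MAX_FILESIZE:
        return False
    # "$mz at 0" means MZ must sit at offset 0, not merely appear somewhere.
    if not data.startswith(MZ):
        return False
    # "all of ($a*)": every $a pattern must occur at least once, anywhere.
    return all(pattern in data for pattern in (A1, A2, A3))


def explain(data: bytes) -> dict:
    """Per-term breakdown of the condition, useful when triaging or tuning a hit."""
    return {
        "mz_at_0": data.startswith(MZ),
        "a1_binres_utf16": A1 in data,
        "a2_sixteen_y": A2 in data,
        "a3_002": A3 in data,
        "filesize_ok": len(data) < MAX_FILESIZE,
    }


def build_sample(mz_at_zero: bool = True, include_all: bool = True, pad_to: int = 0) -> bytes:
    """Construct a synthetic PE-like buffer for testing (hypothetical data).

    $a1 is how a PE resource directory stores the name "BINRES": a 2-byte
    length (6) followed by the UTF-16LE characters, which is why the rule
    searches for that byte sequence rather than the ASCII text.
    """
    body = bytearray()
    if not mz_at_zero:
        body += b"\x00\x00"          # push the MZ header off offset 0
    body += MZ
    body += b"\x90" * 0x40           # filler standing in for the rest of the header
    if include_all:
        body += b".rsrc" + A1 + b"\x00" * 8 + A2 + b"\x00" * 4 + A3
    else:
        body += b".rsrc" + A1 + A2   # $a3 deliberately missing
    if pad_to > len(body):
        body += b"\x00" * (pad_to - len(body))
    return bytes(body)


if __name__ == "__main__":
    for label, buf in (
        ("all terms present", build_sample()),
        ("MZ not at offset 0", build_sample(mz_at_zero=False)),
        ("missing $a3", build_sample(include_all=False)),
        ("filesize too large", build_sample(pad_to=MAX_FILESIZE)),
    ):
        print(f"{label:22s} match={matches_doublefantasy_config(buf)} {explain(buf)}")
```

The `explain()` breakdown is the part worth keeping around: when the rule fires on a file in the SOC, it shows which of the four terms carried the hit, and when a benign file trips it, it shows which term the exclusion should target.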
This rule contains 4 string patterns in its detection logic. It can be deployed in the following contexts, each listed with the filter or exclusion that separates the described benign activity from a true hit:
Scenario: Scheduled Job Using DoubleFantasy for Configuration Backup
Description: A system administrator uses DoubleFantasy to encode configuration files before backing them up to a secure storage location.
Filter/Exclusion: Check for process.name containing “backup” or “snapshot” and filter by process.args containing “backup” or “archive”.

Scenario: Admin Task to Encode Configuration Files for Secure Transfer
Description: An admin manually encodes configuration files using DoubleFantasy before transferring them to a remote server via secure protocols.
Filter/Exclusion: Filter by process.user matching known admin accounts and check for process.args containing “transfer” or “secure”.

Scenario: Automated Configuration Sync Between Systems Using DoubleFantasy
Description: A configuration management tool (e.g., Ansible, Puppet) uses DoubleFantasy to encode config files during automated sync between servers.
Filter/Exclusion: Filter by process.name matching “ansible” or “puppet” and exclude events where process.args contains “encode” or “encode_config”.

Scenario: DoubleFantasy Used in Development Environment for Testing
Description: A developer uses DoubleFantasy to encode test configurations in a development environment to simulate encrypted config scenarios.
Filter/Exclusion: Filter by process.cwd containing “dev” or “development” and exclude events where process.args includes “test” or “simulate”.

Scenario: DoubleFantasy Used in CI/CD Pipeline for Encrypted Configs
Description: A CI/CD pipeline (e.g., Jenkins, GitLab CI) uses DoubleFantasy to encode configuration files before deploying to production.
Filter/Exclusion: Filter by process.name containing “jenkins” or “gitlab” and exclude events where process.args includes ”