DoubleFantasy is a first-stage implant attributed to the Equation Group in Kaspersky's 2015 report, where it is described as a validator: it confirms that a compromised host is of interest before a more capable implant is deployed. A match therefore points to a deliberate, targeted intrusion rather than commodity malware, and the real concern is the long-term access and data collection that follow. The YARA rule below matches on file content, so it belongs in an endpoint or file-scanning pipeline whose alerts are forwarded to the SIEM; SOC teams using Microsoft Sentinel (formerly Azure Sentinel) should treat a hit as a potential long-term compromise and hunt for follow-on persistence and unauthorized data access on the affected host.
YARA Rule
rule Equation_Kaspersky_DoubleFantasy_1
{
    meta:
        description = "Equation Group Malware - DoubleFantasy"
        author = "Florian Roth"
        reference = "http://goo.gl/ivt8EW"
        date = "2015/02/16"
        hash = "d09b4b6d3244ac382049736ca98d7de0c6787fa2"
    strings:
        $mz = { 4d 5a }
        $z1 = "msvcp5%d.dll" fullword ascii
        $s0 = "actxprxy.GetProxyDllInfo" fullword ascii
        $s3 = "actxprxy.DllGetClassObject" fullword ascii
        $s5 = "actxprxy.DllRegisterServer" fullword ascii
        $s6 = "actxprxy.DllUnregisterServer" fullword ascii
        $x1 = "yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy" ascii
        $x2 = "191H1a1" fullword ascii
        $x3 = "November " fullword ascii
        $x4 = "abababababab" fullword ascii
        $x5 = "January " fullword ascii
        $x6 = "October " fullword ascii
        $x7 = "September " fullword ascii
    condition:
        ( $mz at 0 ) and filesize < 350000 and (( $z1 ) or ( all of ($s*) and 6 of ($x*) ))
}
The rule matches on file content, so it runs in any YARA scanning context (on-disk file scans, endpoint agents, sandbox post-processing). It contains 13 string patterns, and the condition combines them in two tiers. Two gates apply to every file: the MZ header must sit at offset 0, so only PE images can ever match, and the file must be smaller than 350000 bytes. Then either the single high-confidence string $z1 ("msvcp5%d.dll", a printf-style format string for a DLL name) is present, or all four actxprxy.* export strings ($s*) are present together with at least six of the seven $x strings. The $x strings are month names and repeated-character padding, which are weak on their own; the condition only counts them in combination with the full $s set. All strings except $x1 carry the fullword modifier, so an occurrence directly preceded or followed by an alphanumeric byte does not count.
The false-positive scenarios below are phrased in terms of the process that launched something (schtasks.exe, powershell.exe, msiexec.exe, SQL Server Agent). A YARA rule evaluates the bytes of the scanned file and has no view of process lineage or command lines, so process-based exclusions only apply when the rule runs inside a pipeline that records the triggering process (scan-on-write or scan-on-execute agents). For plain file scans, tune by file hash or path, and only after the matching file has been reviewed. Note also that this rule cannot match a script file, since the condition requires the MZ header at offset 0.
Scenario: Scheduled System Maintenance Task
Description: A scheduled maintenance task stages or executes a binary that the scanner picks up. The task itself does not affect matching; only the bytes of the staged file do, so a match here means the file carries the rule's strings regardless of how it was launched.
Filter/Exclusion: Do not exclude on schtasks.exe or Task Scheduler lineage; a scheduled task is itself a common persistence mechanism. Review the matching file and, if it is confirmed benign, exclude it by hash or path.
Scenario: Admin PowerShell Script Execution
Description: An administrator runs a PowerShell script that uses Invoke-Expression (IEX) to execute a script block. The script file cannot match this rule (no MZ header at offset 0); a match in this context can only come from a PE file the script writes to disk or loads.
Filter/Exclusion: Do not exclude on the PowerShell executable or on the user holding Administrators privileges; an attacker operating with admin rights would pass the same filter. If a known, legitimate script drops a PE that matches, exclude that PE by hash after review.
Scenario: Antivirus Quarantine Process
Description: A legitimate antivirus tool (e.g., Bitdefender, Kaspersky) has quarantined a DoubleFantasy sample and the scanner reads the quarantine store. Many products store quarantined files encoded, in which case the rule does not fire; where the original bytes are readable, the match is on a real sample, not a false positive.
Filter/Exclusion: Exclude the antivirus vendor's quarantine directories from scanning, and treat a match there as confirmation that the product already caught the file. Do not suppress a match solely because a threat intelligence feed marks the file as safe; review it first.
Scenario: Software Update Deployment
Description: A patch deployment (e.g., via SCCM, WSUS, or Microsoft Update) writes many PE files to disk, which the scanner processes. The $s* strings reference actxprxy.dll exports and the $x* strings are generic, so a legitimate update binary matching the full second tier would be unexpected and should be investigated rather than assumed benign.
Filter/Exclusion: Do not exclude on msiexec.exe or wuauclt.exe lineage. If a specific update binary is confirmed legitimate (valid publisher signature, hash published by the vendor), exclude it by hash.
Scenario: Database Backup Job
Description: A database backup job (e.g., a SQL Server Agent job) runs command-line tools such as sqlcmd or mysqldump. The backup tooling and its scripts are not what the rule inspects; a match during a backup window is on a PE file the scan encountered on the volume, so identify that file rather than the job.
Filter/Exclusion: Do not exclude SQL Server Agent or backup script paths on the basis of this rule; exclude only a reviewed file by hash.