This detection flags files carrying string artifacts of Equation Group malware, specifically an elevation-of-privilege (EoP) package and its malware launcher; the rule name and date point to Kaspersky's February 2015 Equation Group report. Because the strings are peculiar to this tooling, a hit indicates advanced persistent threat tradecraft rather than commodity malware. SOC teams should hunt for it proactively, scanning endpoint file collections with the rule and ingesting matches into their Azure Sentinel environment for correlation, to uncover stealthy, long-term adversary presence.
YARA Rule
rule Equation_Kaspersky_EOP_Package
{
    meta:
        description = "Equation Group Malware - EoP package and malware launcher"
        author = "Florian Roth"
        reference = "http://goo.gl/ivt8EW"
        date = "2015/02/16"
        hash = "2bd1b1f5b4384ce802d5d32d8c8fd3d1dc04b962"
    strings:
        $mz = { 4d 5a }
        $s0 = "abababababab" fullword ascii
        $s1 = "abcdefghijklmnopq" fullword ascii
        $s2 = "@STATIC" fullword wide
        $s3 = "$aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" fullword ascii
        $s4 = "@prkMtx" fullword wide
        $s5 = "prkMtx" fullword wide
        $s6 = "cnFormVoidFBC" fullword wide
    condition:
        ( $mz at 0 ) and filesize < 100000 and all of ($s*)
}
This YARA rule can be deployed in the following contexts:
This rule contains 8 string patterns in its detection logic: the two-byte MZ header ($mz) and seven text strings ($s0 to $s6), four of which are UTF-16LE ("wide"). The condition requires the MZ header at offset 0 (not merely somewhere in the file), a file size under 100,000 bytes, and every one of the seven $s strings to appear as a whole word. That makes the rule highly specific, at the cost of missing a sample in which any single string has been changed.
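To make the condition concrete, the following added example re-implements this one rule's matching logic in plain Python and runs it over constructed sample blobs. It is not YARA and not the rule author's code: the `fullword` boundary check (an alphanumeric neighbour breaks a match; for wide strings the neighbour is a two-byte unit) is the editor's reading of libyara's behaviour, the sample blobs are synthetic stubs rather than real executables, and the function names (`find_fullword`, `evaluate_rule`, `build_sample`) are the example's own.

```python
"""Reference evaluation of Equation_Kaspersky_EOP_Package over constructed samples.

Added example: re-implements the rule's condition in plain Python so the
semantics (MZ at offset 0, filesize bound, fullword, wide) can be inspected
without yara-python. Not YARA itself; the fullword boundary rule below is the
editor's understanding of libyara (assumption: alphanumeric neighbours break a match).
"""

# The rule's strings, copied verbatim, with their modifiers.
RULE_STRINGS = {
    "$s0": ("abababababab", "ascii"),
    "$s1": ("abcdefghijklmnopq", "ascii"),
    "$s2": ("@STATIC", "wide"),
    "$s3": ("$aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "ascii"),
    "$s4": ("@prkMtx", "wide"),
    "$s5": ("prkMtx", "wide"),
    "$s6": ("cnFormVoidFBC", "wide"),
}
MAX_FILESIZE = 100000  # condition: filesize < 100000


def encode(text: str, modifier: str) -> bytes:
    """'wide' alone means only the UTF-16LE form is searched; 'ascii' only the 1-byte form."""
    return text.encode("utf-16-le") if modifier == "wide" else text.encode("ascii")


def _alnum(b: int) -> bool:
    return b < 128 and chr(b).isalnum()


def find_fullword(data: bytes, pattern: bytes, wide: bool) -> list:
    """Offsets where pattern occurs and is not glued to an alphanumeric neighbour.

    Wide neighbour = (alnum byte, 0x00); ascii neighbour = one alnum byte.
    Overlapping candidates are all examined, as a scanner would.
    """
    hits, start = [], 0
    while (i := data.find(pattern, start)) >= 0:
        start = i + 1
        end = i + len(pattern)
        if wide:
            before = i >= 2 and data[i - 1] == 0 and _alnum(data[i - 2])
            after = end + 1 < len(data) and data[end + 1] == 0 and _alnum(data[end])
        else:
            before = i >= 1 and _alnum(data[i - 1])
            after = end < len(data) and _alnum(data[end])
        if not before and not after:
            hits.append(i)
    return hits


def evaluate_rule(data: bytes) -> dict:
    """Mirror the condition: ($mz at 0) and filesize < 100000 and all of ($s*)."""
    strings = {name: find_fullword(data, encode(text, mod), mod == "wide")
               for name, (text, mod) in RULE_STRINGS.items()}
    mz_at_0 = data[:2] == b"MZ"        # $mz = { 4d 5a } at 0, not "anywhere"
    size_ok = len(data) < MAX_FILESIZE
    return {
        "mz_at_0": mz_at_0,
        "filesize_ok": size_ok,
        "strings": strings,
        "match": mz_at_0 and size_ok and all(strings.values()),
    }


def build_sample(include=None, mz=True, prefix=b"", pad_to=0) -> bytes:
    """Constructed test blob (not a real PE, not malware): the selected rule
    strings, NUL-separated so fullword holds, behind an 'MZ' stub."""
    include = set(RULE_STRINGS) if include is None else set(include)
    blob = bytearray(prefix) + (b"MZ" if mz else b"ZM") + b"\x90" * 62
    for name, (text, mod) in RULE_STRINGS.items():
        if name in include:
            blob += b"\x00\x00" + encode(text, mod) + b"\x00\x00"
    if pad_to > len(blob):
        blob += b"\x00" * (pad_to - len(blob))
    return bytes(blob)


if __name__ == "__main__":
    cases = {
        "all strings present": build_sample(),
        "$s6 missing": build_sample(include=set(RULE_STRINGS) - {"$s6"}),
        # $s5 ("prkMtx") still matches inside $s4 ("@prkMtx"): '@' is not alphanumeric.
        "$s5 omitted, $s4 present": build_sample(include=set(RULE_STRINGS) - {"$s5"}),
        "MZ at offset 1, not 0": build_sample(prefix=b"\x00"),
        "padded to 100000 bytes": build_sample(pad_to=MAX_FILESIZE),
    }
    for label, blob in cases.items():
        r = evaluate_rule(blob)
        missing = [n for n, hits in r["strings"].items() if not hits]
        print(f"{label:28} match={str(r['match']):5} missing={missing}")
```

Two things the run makes visible that the rule text alone does not: `$s5` is a substring of `$s4` and still satisfies `fullword` because `@` is not alphanumeric, so the rule effectively has six independent string requirements, not seven; and a file of exactly 100,000 bytes fails `filesize < 100000`, so a packer that pads the launcher past that bound evades the rule even with every string intact.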
The rule matches on file content, not on process behaviour, so a hit names a scanned file; the process exclusions below apply to the process that wrote or launched that file, and a hit should be suppressed only after the file's publisher signature or hash has been checked against a known-good source.
Scenario: System Update Scheduled Job
Description: A legitimate scheduled task runs a script to update system components and may stage temporary binaries whose contents overlap with the strings this rule looks for.
Filter/Exclusion: Exclude processes associated with Windows Update or WSUS (e.g., the wuauserv service hosted in svchost.exe), provided the flagged file carries a valid Microsoft signature.
Scenario: Administrative PowerShell Script Execution
Description: An administrator runs a PowerShell script to configure system settings, and the script may drop helper executables or temporary files that a file scan picks up. The rule contains no command-line logic, so the script's arguments themselves never trigger it.
Filter/Exclusion: Exclude processes with powershell.exe only where the command line references an approved admin script or the executable path is under C:\Windows\System32\WindowsPowerShell\v1.0\; do not exclude powershell.exe wholesale, since adversaries rely on it too.
Scenario: Software Deployment via SCCM
Description: A Software Center or Configuration Manager (SCCM) deployment package is being installed and may write files whose contents resemble the malware's artifacts.
Filter/Exclusion: Exclude processes with ccmexec.exe or smsts.exe associated with SCCM deployments, limited to packages from the approved distribution point.
Scenario: Backup Job Execution
Description: A backup job using tools like Veeam, Acronis, or VSS may generate temporary files that are scanned while the job runs.
Filter/Exclusion: Exclude processes related to backup tools (e.g., veeam.exe or acronis.exe). Be cautious with vssadmin.exe: it is also the tool attackers use to delete shadow copies before encrypting data, so scope any exclusion to the backup service account rather than the binary.
Scenario: Third-Party Tool Installation
Description: A legitimate third-party tool (e.g., 7-Zip, WinRAR, or an NSIS-built installer) is being installed and may unpack files that resemble the Equation Group artifacts.
Filter/Exclusion: Exclude processes associated with known legitimate installers (e.g., `