The detection identifies potential Equation Group malware activity through the LUTEUSOBSTOS installer, which may indicate advanced persistent threat infrastructure. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage adversary presence and prevent lateral movement or data exfiltration.
YARA Rule
rule Equation_Kaspersky_EquationDrugInstaller
{
    meta:
        description = "Equation Group Malware - EquationDrug installer LUTEUSOBSTOS"
        author = "Florian Roth"
        reference = "http://goo.gl/ivt8EW"
        date = "2015/02/16"
        hash = "61fab1b8451275c7fd580895d9c68e152ff46417"
    strings:
        $mz = { 4d 5a }
        $s0 = "\\system32\\win32k.sys" fullword wide
        $s1 = "ALL_FIREWALLS" fullword ascii
        $x1 = "@prkMtx" fullword wide
        $x2 = "STATIC" fullword wide
        $x3 = "windir" fullword wide
        $x4 = "cnFormVoidFBC" fullword wide
        $x5 = "CcnFormSyncExFBC" fullword wide
        $x6 = "WinStaObj" fullword wide
        $x7 = "BINRES" fullword wide
    condition:
        ( $mz at 0 ) and filesize < 500000 and all of ($s*) and 5 of ($x*)
}
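To see what the condition above actually requires of a file, here is an added Python re-implementation of its logic (example code, not part of the rule or of this page) that evaluates the MZ check, the size bound, "all of ($s*)" and "5 of ($x*)" over a constructed buffer. It assumes a simplified reading of YARA's fullword modifier (no alphanumeric character directly before or after a hit) and the sample bytes are constructed, not taken from a real LUTEUSOBSTOS binary.

```python
"""Re-implementation of the rule's condition (added example, not the rule itself)."""
import re

MAX_SIZE = 500_000                     # filesize < 500000 in the rule

# String definitions copied from the rule, with the modifier each one carries.
S_STRINGS = {"s0": ("\\system32\\win32k.sys", "wide"),
             "s1": ("ALL_FIREWALLS", "ascii")}
X_STRINGS = {f"x{i}": (s, "wide") for i, s in enumerate(
    ["@prkMtx", "STATIC", "windir", "cnFormVoidFBC",
     "CcnFormSyncExFBC", "WinStaObj", "BINRES"], start=1)}

ALNUM = re.compile(rb"[A-Za-z0-9]")


def encode(text, mode):
    """'wide' in YARA means UTF-16LE; 'ascii' is the plain single-byte form."""
    return text.encode("utf-16-le") if mode == "wide" else text.encode("ascii")


def fullword_match(data, text, mode):
    """Simplified YARA fullword: no alphanumeric character directly before or
    after the hit. For wide strings the neighbour is one 2-byte code unit."""
    width = 2 if mode == "wide" else 1
    for m in re.finditer(re.escape(encode(text, mode)), data):
        before = data[max(0, m.start() - width):m.start()][:1]  # low byte
        after = data[m.end():m.end() + width][:1]
        if not ALNUM.match(before) and not ALNUM.match(after):
            return True
    return False


def evaluate(data):
    """($mz at 0) and filesize < 500000 and all of ($s*) and 5 of ($x*)."""
    mz_at_0 = data[:2] == b"\x4d\x5a"
    s_hits = sorted(n for n, (t, m) in S_STRINGS.items() if fullword_match(data, t, m))
    x_hits = sorted(n for n, (t, m) in X_STRINGS.items() if fullword_match(data, t, m))
    matched = (mz_at_0 and len(data) < MAX_SIZE
               and len(s_hits) == len(S_STRINGS) and len(x_hits) >= 5)
    return matched, s_hits, x_hits


def build_sample(x_names):
    """Constructed buffer (not real malware): MZ header, both $s strings and the
    chosen $x strings, separated by NUL pairs so every hit is a full word."""
    parts = [b"MZ" + b"\x00" * 62]
    parts += [encode(t, m) for t, m in S_STRINGS.values()]
    parts += [encode(X_STRINGS[n][0], "wide") for n in x_names]
    return b"\x00\x00".join(parts)
```

Running evaluate() on build_sample() with five $x names returns a match, while four $x names, a non-MZ header, an oversized buffer, or a "STATIC" embedded inside a longer word all fail the corresponding clause.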
This YARA rule can be deployed in the following contexts:
This rule contains 10 string patterns in its detection logic.
Scenario: A system administrator is using PowerShell to deploy a legitimate configuration script that includes the string “LUTEUSOBSTOS” in a comment or log message.
Filter/Exclusion: Exclude processes where the command line contains powershell.exe and the script path is in a known admin tools directory (e.g., C:\Windows\System32\ or C:\Program Files\).
Scenario: A scheduled task runs a legitimate maintenance script that includes the string “LUTEUSOBSTOS” as part of a version control tag or build identifier.
Filter/Exclusion: Exclude tasks that are scheduled under the Task Scheduler and have a known legitimate script path (e.g., C:\Windows\System32\sched\tasks\ or C:\ProgramData\Microsoft\Windows\TaskScheduler\).
Scenario: A Windows Update or Microsoft Endpoint Manager (MEM) deployment includes a script or log file that contains the string “LUTEUSOBSTOS” due to a naming convention or logging artifact.
Filter/Exclusion: Exclude processes where the parent process is svchost.exe or msiexec.exe, and the file path is within a known update or deployment directory (e.g., C:\Windows\SoftwareDistribution\ or C:\Windows\Temp\).
Scenario: A backup tool such as Veeam or Commvault generates a log file that includes the string “LUTEUSOBSTOS” as part of a job name or identifier.
Filter/Exclusion: Exclude processes where the executable is veeam.exe, commvault.exe, or similar backup tool executables, and the file path is within a known backup directory (e.g., C:\ProgramData\Veeam\ or `C:\