The EquationLaser Installer is likely being used to deploy Equation Group malware, indicating potential long-term persistence and data exfiltration capabilities. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that may have evaded initial detection.
YARA Rule
rule Equation_Kaspersky_EquationLaserInstaller
{
    meta:
        description = "Equation Group Malware - EquationLaser Installer"
        author = "Florian Roth"
        reference = "http://goo.gl/ivt8EW"
        date = "2015/02/16"
        hash = "5e1f56c1e57fbff96d4999db1fd6dd0f7d8221df"
    strings:
        $mz = { 4d 5a }
        $s0 = "Failed to get Windows version" fullword ascii
        $s1 = "lsasrv32.dll and lsass.exe" fullword wide
        $s2 = "\\\\%s\\mailslot\\%s" fullword ascii
        $s3 = "%d-%d-%d %d:%d:%d Z" fullword ascii
        $s4 = "lsasrv32.dll" fullword ascii
        $s5 = "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" fullword ascii
        $s6 = "%s %02x %s" fullword ascii
        $s7 = "VIEWERS" fullword ascii
        $s8 = "5.2.3790.220 (srv03_gdr.040918-1552)" fullword wide
    condition:
        ( $mz at 0 ) and filesize < 250000 and 6 of ($s*)
}
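To make the condition concrete, here is an added example (not part of the original page, not the rule author's code, and not YARA itself): a small pure-Python evaluator that applies this rule's logic, $mz at 0, filesize < 250000 and 6 of ($s*), to an in-memory buffer, with a simplified fullword check. The buffer it scans is constructed inside the example, and names such as matches_rule and build_sample are hypothetical.

```python
# Added example (not YARA, not the rule author's code): a minimal evaluator
# for this rule's condition. 'fullword' is simplified to "not bordered by
# ASCII alphanumerics" (two-byte units for wide strings). Names are hypothetical.

MZ = b"MZ"
MAX_SIZE = 250000  # filesize < 250000
REQUIRED = 6       # 6 of ($s*)
# (text, wide) pairs copied from $s0..$s8; wide strings are UTF-16LE on disk
S_STRINGS = [
    ("Failed to get Windows version", False),
    ("lsasrv32.dll and lsass.exe", True),
    ("\\\\%s\\mailslot\\%s", False),
    ("%d-%d-%d %d:%d:%d Z", False),
    ("lsasrv32.dll", False),
    ("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!", False),
    ("%s %02x %s", False),
    ("VIEWERS", False),
    ("5.2.3790.220 (srv03_gdr.040918-1552)", True),
]

def _is_alnum_unit(chunk: bytes, wide: bool) -> bool:
    """True if chunk is one alphanumeric character (1 byte, or 2 for wide)."""
    if wide:
        return len(chunk) == 2 and chunk[1] == 0 and chunk[:1].isalnum()
    return len(chunk) == 1 and chunk.isalnum()

def _fullword(data: bytes, start: int, end: int, wide: bool) -> bool:
    step = 2 if wide else 1
    before = data[start - step:start] if start >= step else b""
    return not _is_alnum_unit(before, wide) and not _is_alnum_unit(data[end:end + step], wide)

def count_s_matches(data: bytes) -> int:
    """Number of $s* strings with at least one fullword occurrence in data."""
    hits = 0
    for text, wide in S_STRINGS:
        needle = text.encode("utf-16-le" if wide else "ascii")
        pos = data.find(needle)
        while pos != -1:
            if _fullword(data, pos, pos + len(needle), wide):
                hits += 1
                break
            pos = data.find(needle, pos + 1)
    return hits

def matches_rule(data: bytes) -> bool:
    """The rule's condition: ($mz at 0) and filesize < 250000 and 6 of ($s*)."""
    return data.startswith(MZ) and len(data) < MAX_SIZE and count_s_matches(data) >= REQUIRED

def build_sample(n: int) -> bytes:
    """Constructed buffer: MZ header, padding, then the first n $s strings, NUL-separated."""
    encoded = [t.encode("utf-16-le" if w else "ascii") for t, w in S_STRINGS[:n]]
    return MZ + b"\x90" * 62 + b"\x00\x00" + b"\x00\x00".join(encoded) + b"\x00\x00"
```

Because of the fullword qualifier, a string such as VIEWERS embedded in a longer token (VIEWERSX) does not count, which is why the rule tolerates a few missing strings with the 6-of-9 threshold rather than requiring all of them.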
This rule contains 10 string patterns in its detection logic ($mz plus $s0 through $s8): it requires the MZ header at offset 0, a file size under 250000 bytes, and at least 6 of the $s strings. It can be deployed in the following contexts, using the listed filters to exclude legitimate activity:
Scenario: System update or patch installation using Microsoft Update or Windows Server Update Services (WSUS)
Filter/Exclusion: Check for ProcessName containing wusa.exe or msiexec.exe with command-line arguments related to updates, such as /quiet or /norestart.
Scenario: Scheduled backup job using Veeam or Backup Exec
Filter/Exclusion: Filter by ProcessName like veeam.exe or bexec.exe, and check for known backup job identifiers in the command line or parent process chain.
Scenario: Administrative task using PowerShell for system configuration (e.g., Group Policy or registry edits)
Filter/Exclusion: Filter for ProcessName powershell.exe with command-line arguments containing GroupPolicy or reg and check for elevated privileges via TokenElevation.
Scenario: Legitimate software deployment using Microsoft System Center Configuration Manager (SCCM)
Filter/Exclusion: Filter for ProcessName ccmsetup.exe or msiexec.exe with package identifiers known to be part of SCCM deployments.
Scenario: Automated log collection or monitoring tool like Splunk or ELK Stack (Elasticsearch, Logstash, Kibana)
Filter/Exclusion: Filter for ProcessName like splunkforwarder.exe, logstash.exe, or java.exe (for Elasticsearch), and check for known log collection process names and paths.