The detection identifies potential HDD reprogramming activity associated with Equation Group malware, which may indicate unauthorized low-level disk manipulation. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect advanced persistent threats that could compromise data integrity and system control.
YARA Rule

```yara
rule Equation_Kaspersky_HDD_reprogramming_module
{
    meta:
        description = "Equation Group Malware - HDD reprogramming module"
        author = "Florian Roth"
        reference = "http://goo.gl/ivt8EW"
        date = "2015/02/16"
        hash = "ff2b50f371eb26f22eb8a2118e9ab0e015081500"
    strings:
        $mz = { 4d 5a }
        $s0 = "nls_933w.dll" fullword ascii
        $s1 = "BINARY" fullword wide
        $s2 = "KfAcquireSpinLock" fullword ascii
        $s3 = "HAL.dll" fullword ascii
        $s4 = "READ_REGISTER_UCHAR" fullword ascii
    condition:
        ( $mz at 0 ) and filesize < 300000 and all of ($s*)
}
```
This YARA rule can be deployed in the following contexts:
This rule's detection logic uses 6 string patterns: the hex MZ header marker, which must sit at offset 0, and five fullword strings ($s0 through $s4), all of which must be present in a file smaller than 300000 bytes. Because the condition is evaluated against file contents rather than process behaviour, it is a file-scan signature; the scenarios below describe the contexts in which a hit may be benign and how to scope exclusions.
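To make the rule's modifiers concrete, the following added example (not from the page, nor Florian Roth's code) re-implements the rule's condition in plain Python: the `$mz at 0` check, the `filesize` bound, and the `ascii`/`wide`/`fullword` semantics of the five strings. The matcher and the sample buffers are constructed here for illustration; YARA's real `fullword` handling is approximated by checking the bytes on either side of a hit for ASCII alphanumerics (and, for wide strings, for an alphanumeric followed by a NUL).

```python
# Pure-Python emulation of the Equation_Kaspersky_HDD_reprogramming_module
# condition. Added example; the rule strings are transcribed from the rule above.

MZ = b"MZ"                       # $mz = { 4d 5a }, required at offset 0
MAX_FILESIZE = 300000            # condition: filesize < 300000
RULE_STRINGS = [                 # (string, modifier) pairs from the rule
    (b"nls_933w.dll", "ascii"),
    (b"BINARY", "wide"),         # wide: searched as UTF-16LE
    (b"KfAcquireSpinLock", "ascii"),
    (b"HAL.dll", "ascii"),
    (b"READ_REGISTER_UCHAR", "ascii"),
]


def encode(s: bytes, mode: str) -> bytes:
    """Byte pattern YARA actually searches for: raw bytes for ascii, UTF-16LE for wide."""
    return s if mode == "ascii" else s.decode("ascii").encode("utf-16-le")


def _is_alnum(b: int) -> bool:
    """ASCII alphanumeric test on a single byte value."""
    return 48 <= b <= 57 or 65 <= b <= 90 or 97 <= b <= 122


def _alnum_char(chunk: bytes, mode: str) -> bool:
    """Is the one (ascii) or two (wide) byte chunk an alphanumeric character?"""
    if mode == "ascii":
        return _is_alnum(chunk[0])
    return len(chunk) == 2 and _is_alnum(chunk[0]) and chunk[1] == 0


def fullword_present(data: bytes, pattern: bytes, mode: str) -> bool:
    """Emulate YARA `fullword`: some occurrence must not touch alphanumerics on either side."""
    width = 1 if mode == "ascii" else 2
    start = 0
    while True:
        i = data.find(pattern, start)
        if i < 0:
            return False
        end = i + len(pattern)
        before_ok = i < width or not _alnum_char(data[i - width:i], mode)
        after = data[end:end + width]
        after_ok = len(after) < width or not _alnum_char(after, mode)
        if before_ok and after_ok:
            return True
        start = i + 1


def rule_matches(data: bytes) -> bool:
    """Evaluate: ( $mz at 0 ) and filesize < 300000 and all of ($s*)."""
    if not data.startswith(MZ):
        return False
    if len(data) >= MAX_FILESIZE:
        return False
    return all(fullword_present(data, encode(s, m), m) for s, m in RULE_STRINGS)


SEP = b"\x00" * 4  # NUL padding so neighbouring strings never touch each other


def build_sample(header: bytes = MZ, replace=None) -> bytes:
    """Constructed test buffer, not a real file: header, padding, then the rule's strings.
    `replace` maps a rule string to the bytes that should stand in for it."""
    replace = replace or {}
    parts = [replace.get(s, encode(s, m)) for s, m in RULE_STRINGS]
    return header + b"\x00" * 62 + SEP + SEP.join(parts) + SEP


if __name__ == "__main__":
    print("all strings, MZ header:", rule_matches(build_sample()))                       # True
    print("no MZ header:", rule_matches(build_sample(header=b"XX")))                     # False
    print("HAL.dll not fullword:", rule_matches(build_sample(replace={b"HAL.dll": b"xHAL.dllx"})))  # False
    print("BINARY only as ascii:", rule_matches(build_sample(replace={b"BINARY": b"BINARY"})))      # False
    print("over filesize bound:", rule_matches(build_sample() + b"\x00" * MAX_FILESIZE))           # False
```

The last three cases are the ones that usually surprise people tuning a rule: `fullword` rejects a string embedded in a longer identifier, `wide` without `ascii` means the plain ASCII spelling does not count, and the `filesize` bound means a padded or packed copy of the same module falls outside the signature.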
Scenario: System Maintenance Task - HDD Firmware Update via Vendor Tools
Description: A legitimate system administrator uses vendor-provided tools (e.g., Seagate SeaTools, Western Digital DataLifeGuard) to update or reprogram HDD firmware as part of routine maintenance.
Filter/Exclusion: Exclude processes initiated by known vendor tools or signed by the vendor’s certificate (e.g., SeaTools.exe, WDDataLifeGuard.exe).
Scenario: Scheduled Disk Diagnostic Job
Description: A scheduled job runs disk diagnostics using tools like chkdsk or CrystalDiskInfo to check for disk errors or health issues.
Filter/Exclusion: Exclude processes associated with chkdsk.exe or CrystalDiskInfo.exe that are part of a known maintenance schedule.
Scenario: Admin Task - Disk Partitioning or Reformatting
Description: An administrator uses tools like diskpart or parted to reformat or re-partition a disk during system setup or migration.
Filter/Exclusion: Exclude processes initiated by diskpart.exe or parted commands executed by users with administrative privileges during known maintenance windows.
Scenario: Storage Array Management Tool Usage
Description: A storage administrator uses enterprise storage management tools (e.g., EMC PowerPath, HP Storage Essentials) to manage or reconfigure storage arrays, which may involve low-level disk operations.
Filter/Exclusion: Exclude processes associated with known storage management tools (e.g., PowerPath.exe, hpssacli.exe) or those running under the storage admin group.
Scenario: Antivirus or Endpoint Protection Scan
Description: An endpoint protection tool (e.g., Bitdefender, Kaspersky) performs a deep scan that includes disk-level operations or firmware checks.
Filter/Exclusion: