The TripleFantasy Loader is used by the Equation Group to establish persistence and execute payloads, indicating potential long-term compromise. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that may evade traditional detection methods.
YARA Rule
rule Equation_Kaspersky_TripleFantasy_Loader
{
    meta:
        description = "Equation Group Malware - TripleFantasy Loader"
        author = "Florian Roth"
        reference = "http://goo.gl/ivt8EW"
        date = "2015/02/16"
        hash = "4ce6e77a11b443cc7cbe439b71bf39a39d3d7fa3"
    strings:
        $mz = { 4d 5a }
        $x1 = "Original Innovations, LLC" fullword wide
        $x2 = "Moniter Resource Protocol" fullword wide
        $x3 = "ahlhcib.dll" fullword wide
        $s0 = "hnetcfg.HNetGetSharingServicesPage" fullword ascii
        $s1 = "hnetcfg.IcfGetOperationalMode" fullword ascii
        $s2 = "hnetcfg.IcfGetDynamicFwPorts" fullword ascii
        $s3 = "hnetcfg.HNetFreeFirewallLoggingSettings" fullword ascii
        $s4 = "hnetcfg.HNetGetShareAndBridgeSettings" fullword ascii
        $s5 = "hnetcfg.HNetGetFirewallSettingsPage" fullword ascii
    condition:
        ( $mz at 0 ) and filesize < 50000 and ( all of ($x*) and all of ($s*) )
}
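To make the rule's encodings and condition concrete, the following is an added Python re-implementation of its logic (example code, not from the page or the rule's author): it checks the MZ marker at offset 0, the size bound, and every $x* (wide, UTF-16LE) and $s* (ascii) string with an approximation of YARA's fullword semantics, run over a constructed buffer rather than a real sample.

```python
WIDE_STRINGS = [  # $x1..$x3, declared 'wide': stored in the file as UTF-16LE
    "Original Innovations, LLC",
    "Moniter Resource Protocol",
    "ahlhcib.dll",
]
ASCII_STRINGS = [  # $s0..$s5, declared 'ascii'
    "hnetcfg.HNetGetSharingServicesPage",
    "hnetcfg.IcfGetOperationalMode",
    "hnetcfg.IcfGetDynamicFwPorts",
    "hnetcfg.HNetFreeFirewallLoggingSettings",
    "hnetcfg.HNetGetShareAndBridgeSettings",
    "hnetcfg.HNetGetFirewallSettingsPage",
]
MAX_FILESIZE = 50000  # the rule's 'filesize < 50000'

def _alnum(chunk: bytes, wide: bool) -> bool:
    """True if chunk is exactly one alphanumeric character in the given encoding."""
    if wide:
        return len(chunk) == 2 and chunk[1] == 0 and chunk[:1].isalnum()
    return len(chunk) == 1 and chunk.isalnum()

def fullword_search(data: bytes, text: str, wide: bool) -> bool:
    """Approximate YARA 'fullword': an occurrence counts only if it is not directly
    preceded or followed by an alphanumeric character in the same encoding."""
    step = 2 if wide else 1
    needle = text.encode("utf-16le" if wide else "ascii")
    pos = data.find(needle)
    while pos != -1:
        before = data[max(pos - step, 0):pos]
        after = data[pos + len(needle):pos + len(needle) + step]
        if not _alnum(before, wide) and not _alnum(after, wide):
            return True
        pos = data.find(needle, pos + 1)
    return False

def matches_triplefantasy_rule(data: bytes) -> bool:
    """The rule's condition: $mz at 0, filesize < 50000, all of ($x*), all of ($s*)."""
    if not data.startswith(b"MZ") or len(data) >= MAX_FILESIZE:
        return False
    return (all(fullword_search(data, s, True) for s in WIDE_STRINGS)
            and all(fullword_search(data, s, False) for s in ASCII_STRINGS))

def build_sample(drop: str = "") -> bytes:
    """Constructed test buffer (not a real binary): an MZ stub followed by the
    rule's strings in their expected encodings, each NUL-terminated; 'drop' omits one."""
    wide = b"".join(s.encode("utf-16le") + b"\x00\x00" for s in WIDE_STRINGS if s != drop)
    narrow = b"".join(s.encode("ascii") + b"\x00" for s in ASCII_STRINGS if s != drop)
    return b"MZ" + b"\x00" * 62 + wide + narrow
```

In practice the rule is compiled and run with YARA itself (or yara-python); this re-implementation only serves to show what each part of the condition requires of the file bytes.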
This rule contains 10 string patterns in its detection logic: the MZ header marker, three wide (UTF-16) strings and six ASCII strings of the form hnetcfg.<function>, and it fires only when every one of them is present in a file smaller than 50000 bytes. This YARA rule can be deployed in the following contexts, where the listed scenarios describe benign activity that hunting queries built around this detection should exclude to reduce false positives:
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as schtasks.exe running a scheduled job to clean temporary files or update system settings.
Filter/Exclusion: Exclude processes associated with schtasks.exe that are scheduled and have known benign command-line arguments (e.g., schtasks /run /TN "CleanupTask").
Scenario: Microsoft System Configuration Tool (msconfig.exe)
Description: An administrator using msconfig.exe to modify startup items or services during routine system configuration.
Filter/Exclusion: Exclude processes initiated by msconfig.exe with no suspicious command-line arguments or execution paths.
Scenario: Windows Update or Patching Process
Description: A legitimate Windows Update process (wusa.exe or dism.exe) performing system updates or patches.
Filter/Exclusion: Exclude processes initiated by wusa.exe or dism.exe with known update-related command-line arguments (e.g., /quiet, /norestart).
Scenario: Database Backup Job Using SQL Server Agent
Description: A SQL Server Agent job running a backup script using sqlcmd.exe or osql.exe to back up databases.
Filter/Exclusion: Exclude processes initiated by SQL Server Agent jobs with known backup command-line arguments and execution paths (e.g., sqlcmd -S servername -d dbname -Q "BACKUP DATABASE").
Scenario: Antivirus or Endpoint Protection Scan
Description: A legitimate endpoint protection tool (e.g., mcafee.exe, avgscan.exe, or bitdefender.exe) performing a full system scan.
Filter/Exclusion: Exclude processes associated with known antivirus tools that are running scheduled or on-demand scans with expected command-line parameters.