This hunt hypothesis covers potential adversary use of the EquationDrug espionage platform, specifically executables that reference its Unilay.DLL component. A hit may indicate an initial compromise or a persistence mechanism. SOC teams should proactively hunt for it in Azure Sentinel so that early-stage activity is identified and contained before it escalates.
YARA Rule
rule EquationDrug_CompatLayer_UnilayDLL
{
meta:
description = "EquationDrug - Unilay.DLL"
author = "Florian Roth @4nc4p"
reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
date = "2015/03/11"
hash = "a3a31937956f161beba8acac35b96cb74241cd0f"
strings:
$mz = { 4d 5a }
$s0 = "unilay.dll" fullword ascii
condition:
( $mz at 0 ) and $s0
}
This YARA rule can be deployed in the following contexts:
The rule contains two string patterns: $mz, the two-byte MZ signature anchored to offset 0 so that only DOS/PE executables qualify, and $s0, the ASCII string unilay.dll matched as a full word. $s0 carries all of the specificity. It has no nocase modifier, so the comparison is case-sensitive and a file that spells the name Unilay.DLL will not match. Conversely, any PE that embeds the lower-case name matches, including a clean file that merely imports or lists the DLL, so confirm hits against the reference hash and the file's signer before acting.
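As an added example (not code from the original page or from the rule's author), the rule's two conditions re-implemented in plain Python and run over constructed sample buffers, so the offset-0, fullword and case-sensitivity behaviour can be observed without a YARA install. It assumes YARA's fullword semantics (the match may not be immediately preceded or followed by an alphanumeric byte); the sample buffers are constructed stand-ins, not real files or malware.

```python
"""Re-implementation of the matching semantics of
EquationDrug_CompatLayer_UnilayDLL for demonstration.  Added example,
not yara itself and not the rule author's code.  It mirrors only:
  ( $mz at 0 )  -> the buffer starts with bytes 4d 5a ("MZ")
  $s0           -> "unilay.dll", ascii, fullword, no nocase (case-sensitive)
"""
import re

MZ = b"MZ"
S0 = b"unilay.dll"

# Assumed YARA fullword semantics: no alphanumeric byte directly before or
# after the string.  No IGNORECASE flag, matching the rule's lack of nocase.
_FULLWORD_S0 = re.compile(rb"(?<![0-9A-Za-z])" + re.escape(S0) + rb"(?![0-9A-Za-z])")


def mz_at_0(data: bytes) -> bool:
    """$mz at 0: the first two bytes must be the MZ signature."""
    return data[:2] == MZ


def s0_fullword(data: bytes) -> bool:
    """$s0: case-sensitive, fullword occurrence of unilay.dll anywhere."""
    return _FULLWORD_S0.search(data) is not None


def rule_matches(data: bytes) -> bool:
    """Rule condition: ( $mz at 0 ) and $s0."""
    return mz_at_0(data) and s0_fullword(data)


def pe_like(payload: bytes) -> bytes:
    """Constructed stand-in for a PE file: MZ header, padding, payload.
    Not a valid executable, just enough structure for the rule."""
    return MZ + b"\x90\x00" * 30 + b"\x00" * 64 + payload + b"\x00" * 16


# Constructed samples (not real files).  Expected verdict in the comment.
SAMPLES = {
    "dropper_with_import": pe_like(b"LoadLibraryA\x00unilay.dll\x00"),  # MATCH
    "mixed_case_reference": pe_like(b"Unilay.DLL\x00"),                   # no: case-sensitive
    "substring_only": pe_like(b"myunilay.dll2\x00"),                      # no: fullword
    "string_not_pe": b"config: unilay.dll\n",                             # no: MZ not at 0
    "mz_inside_not_at_0": b"\x00MZ\x00unilay.dll\x00",                    # no: MZ at offset 1
    "benign_pe": pe_like(b"kernel32.dll\x00user32.dll\x00"),             # no: string absent
}


def scan(samples: dict) -> dict:
    """Apply the rule to every sample; returns {name: matched}."""
    return {name: rule_matches(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, hit in scan(SAMPLES).items():
        print(f"{name:24s} {'MATCH' if hit else '-'}")
```

With yara-python installed the same buffers can be fed to the real rule via yara.compile(source=...).match(data=...); the emulation above exists only so the example runs offline. The mixed_case_reference sample is the practical caveat: a hunt that searches for the name as written in the hypothesis (Unilay.DLL) and this rule do not cover the same files.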
Tuning and false positives
The rule matches file content, so an exclusion keyed only on the parent process of whatever loaded the file is a weak control: the same file matches wherever it is found, and parent-process names are trivial for an adversary to arrange. Key exclusions to the file itself (hash, Authenticode signer, expected path) and keep the process context as enrichment.
Scenario: A system administrator is using Process Monitor to debug a legitimate application that loads a DLL named unilay.dll at runtime.
Filter/Exclusion: Do not exclude on procmon.exe; the debugger only observes the load and is not the parent of the application. Exclude the specific application and DLL by hash once their publisher and purpose are confirmed.
Scenario: A scheduled job runs PowerShell scripts that use reflective DLL injection to load a DLL named unilay.dll.
Filter/Exclusion: Do not whitelist this. Reflective DLL injection from PowerShell is a loader technique, not a normal way to use a library, and a memory-only load leaves no file on disk for a file scan, so a known script path says nothing about the payload. Treat it as a finding, retrieve the script, and dump the injected image for review.
Scenario: A hit on a file running under a Windows Update or Microsoft Defender service context.
Filter/Exclusion: Do not blanket-exclude svchost.exe-hosted services; hiding under a service host is a classic persistence choice. Note that only Windows Update (wuauserv) runs inside svchost.exe; the Defender engine runs as MsMpEng.exe under the WinDefend service, so the original exclusion would not even apply to it. Verify the matching file's Authenticode signature and compare its hash with the reference hash, and exclude by hash only when the signature is valid and the file's origin is known.
Scenario: A developer is using Visual Studio to debug a third-party library that ships a file named unilay.dll as a dependency.
Filter/Exclusion: Do not exclude devenv.exe as a parent (VisualStudio.exe is not a real process name). Exclude the third-party DLL by hash, scoped to the developer workstations where it is expected, after confirming the library's publisher.
Scenario: A Windows Task Scheduler job runs a legitimate application that loads a DLL named unilay.dll.
Filter/Exclusion: schtasks.exe is the command-line management tool, not the parent of task processes; tasks are started by the Task Scheduler service, which runs inside svchost.exe. Key the exclusion to the approved task name together with the hashes of the executable and DLL it runs, and alert if the task's action or either hash changes.