EquationDrug - HDD/SSD firmware operation - nls_933w.dll

Hunt Hypothesis

The detection rule identifies potential EquationDrug malware activity through the execution of the nls_933w.dll file, which is associated with firmware operations on HDD/SSD devices. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early-stage persistence or data exfiltration attempts by advanced persistent threats leveraging hardware-level access.

YARA Rule

rule EquationDrug_HDDSSD_Op 
{

    meta:
        description = "EquationDrug - HDD/SSD firmware operation - nls_933w.dll"
        author = "Florian Roth @4nc4p"
        reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
        date = "2015/03/11"
        hash = "ff2b50f371eb26f22eb8a2118e9ab0e015081500"

    strings:
        $s0 = "nls_933w.dll" fullword ascii

    condition:
        all of them
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 1 string patterns in its detection logic.

References

• http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/
• Source Rule

False Positive Guidance

• Scenario: A system administrator is using CrystalDiskInfo to monitor disk health and firmware updates.
  Filter/Exclusion: Check for process name CrystalDiskInfo.exe or use a filter on the process path containing CrystalDiskInfo.

• Scenario: A scheduled job runs Smartmontools to perform disk health checks and firmware-related diagnostics.
  Filter/Exclusion: Filter by process name smartmontools or include a condition that checks for the presence of known diagnostic tools in the command line.

• Scenario: An IT team is manually updating firmware using HP Smart Storage Administrator (HPSA) on HP storage devices.
  Filter/Exclusion: Filter by process name HPSA.exe or include a condition that checks for the presence of HP firmware update tools in the process command line.

• Scenario: A backup job uses Veeam Backup & Replication and triggers firmware-related operations during disk inventory scans.
  Filter/Exclusion: Filter by process name VeeamBackup.exe or include a condition that checks for the presence of Veeam in the process command line.

• Scenario: A system update task via Windows Update includes firmware updates for storage devices, triggering the rule.
  Filter/Exclusion: Filter by process name wuauserv or include a condition that checks for the presence of Windows Update or firmware-related update tasks in the event context.