EquationDrug - Key/clipboard logger driver - msrtvd.sys

Hunt Hypothesis

The detection identifies potential EquationDrug malware activity through the presence of the msrtvd.sys driver, which is associated with key and clipboard logging capabilities. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage adversarial activity that could lead to data exfiltration or persistence.

YARA Rule

rule EquationDrug_Keylogger 
{

    meta:
        description = "EquationDrug - Key/clipboard logger driver - msrtvd.sys"
        author = "Florian Roth @4nc4p"
        reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
        date = "2015/03/11"
        hash = "b93aa17b19575a6e4962d224c5801fb78e9a7bb5"

    strings:
        $s0 = "\\registry\\machine\\software\\Microsoft\\Windows NT\\CurrentVersion" fullword wide
        $s2 = "\\registry\\machine\\SYSTEM\\ControlSet001\\Control\\Session Manager\\En" wide
        $s3 = "\\DosDevices\\Gk" fullword wide
        $s5 = "\\Device\\Gk0" fullword wide

    condition:
        all of them
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 4 string patterns in its detection logic.

References

• http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/
• Source Rule

False Positive Guidance

• Scenario: A system administrator is using Microsoft Endpoint Configuration Manager (MECM) to deploy a script that temporarily loads msrtvd.sys as part of a custom driver installation.
  Filter/Exclusion: Exclude processes initiated by msiexec.exe or setup.exe associated with MECM deployments.

• Scenario: A Windows Update installation triggers the loading of msrtvd.sys as part of a system driver update or patching process.
  Filter/Exclusion: Exclude processes with svchost.exe or wuauserv.exe associated with Windows Update services.

• Scenario: A scheduled task runs a legitimate security tool like Malwarebytes or Bitdefender, which may temporarily load msrtvd.sys as part of its scanning or heuristic analysis.
  Filter/Exclusion: Exclude processes initiated by schtasks.exe or with the task name matching known security tool scheduled jobs.

• Scenario: A third-party driver such as Intel Management Engine Interface (IMEI) or AMD SEV is installed, which may include msrtvd.sys as part of its driver stack.
  Filter/Exclusion: Exclude processes initiated by setup.exe or inf files from known hardware vendors.

• Scenario: A Windows System File Checker (SFC) or DISM scan is running, which may temporarily load msrtvd.sys during system file restoration or repair.
  Filter/Exclusion: Exclude processes with dllhost.exe or dism.exe associated with system repair operations.