EquationDrug - Network-sniffer/patcher - atmdkdrv.sys

Hunt Hypothesis

The detection identifies potential network-sniffer or patcher activity associated with the atmdkdrv.sys driver, which may indicate the presence of the EquationDrug malware. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage adversary activity that could lead to data exfiltration or system compromise.

YARA Rule

rule EquationDrug_NetworkSniffer4 
{

    meta:
        description = "EquationDrug - Network-sniffer/patcher - atmdkdrv.sys"
        author = "Florian Roth @4nc4p"
        reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
        date = "2015/03/11"
        hash = "cace40965f8600a24a2457f7792efba3bd84d9ba"

    strings:
        $s0 = "Copyright 1999 RAVISENT Technologies Inc." fullword wide
        $s1 = "\\systemroot\\" fullword ascii
        $s2 = "RAVISENT Technologies Inc." fullword wide
        $s3 = "Created by VIONA Development" fullword wide
        $s4 = "\\Registry\\User\\CurrentUser\\" fullword wide
        $s5 = "\\device\\harddiskvolume" fullword wide
        $s7 = "ATMDKDRV.SYS" fullword wide
        $s8 = "\\Device\\%ws_%ws" fullword wide
        $s9 = "\\DosDevices\\%ws" fullword wide
        $s10 = "CineMaster C 1.1 WDM Main Driver" fullword wide
        $s11 = "\\Device\\%ws" fullword wide
        $s13 = "CineMaster C 1.1 WDM" fullword wide

    condition:
        all of them
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 12 string patterns in its detection logic.

References

• http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/
• Source Rule

False Positive Guidance

• Scenario: Windows Update installation using Microsoft’s Windows Update Agent
  Filter/Exclusion: process.name != "wuauserv.exe" or process.name != "svchost.exe" with image.loaded_module.name != "atmdkdrv.sys"

• Scenario: Legitimate network driver update via Microsoft Driver Update Tool
  Filter/Exclusion: process.name != "msiexec.exe" or process.name != "setupldr.exe" with image.loaded_module.name != "atmdkdrv.sys"

• Scenario: System file integrity check using Microsoft’s System File Checker (SFC)
  Filter/Exclusion: process.name != "sfc.exe" or process.name != "cmd.exe" with image.loaded_module.name != "atmdkdrv.sys"

• Scenario: Scheduled backup job using Veeam Backup & Replication
  Filter/Exclusion: process.name != "vmbackup.exe" or process.name != "vbm.exe" with image.loaded_module.name != "atmdkdrv.sys"

• Scenario: Patch deployment via Microsoft Endpoint Configuration Manager (MECM)
  Filter/Exclusion: process.name != "ccmexec.exe" or process.name != "smsexec.exe" with image.loaded.modules.name != "atmdkdrv.sys"