The hypothesis is that a hit on the EquationGroup Tool - April Leak rule indicates potential adversary activity leveraging a known malware tool associated with advanced persistent threats. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise from sophisticated adversaries reusing this legacy tooling.
YARA Rule
rule EquationGroup_Toolset_Apr17_DmGz_Target_2 {
    meta:
        description = "Detects EquationGroup Tool - April Leak"
        author = "Florian Roth"
        reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
        date = "2017-04-15"
        hash1 = "55ac29b9a67e0324044dafaba27a7f01ca3d8e4d8e020259025195abe42aa904"
    strings:
        $s1 = "\\\\.\\%ls" fullword ascii
        $op0 = { e8 ce 34 00 00 b8 02 00 00 f0 e9 26 02 00 00 48 }
        $op1 = { 8b 4d 28 e8 02 05 00 00 89 45 34 eb 07 c7 45 34 }
        $op2 = { e8 c2 34 00 00 90 48 8d 8c 24 00 01 00 00 e8 a4 }
    condition:
        ( uint16(0) == 0x5a4d and filesize < 100KB and all of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns ($s1, $op0, $op1, $op2) in its detection logic; its condition requires all four to match, together with an MZ header (uint16(0) == 0x5a4d) and a file size below 100KB.
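To make that condition concrete, the following is an added Python example (not part of the original rule, its author's work or the signature-base project) that re-implements the rule's terms by hand and evaluates them over constructed byte buffers: the MZ magic check via uint16(0), the 100KB size bound, the fullword restriction on $s1 and the three opcode patterns. It uses only the standard library and is meant to explain why a file hits or misses; production scanning should run the rule itself with yara or yara-python.

```python
import re
import struct

# Strings transcribed from the rule above. In a YARA text string "\\" is one
# backslash, so "\\\\.\\%ls" is the seven bytes \\.\%ls (a \\.\ device path
# prefix followed by a wide-string format specifier). The { .. } patterns are
# literal opcode bytes; this rule uses no wildcards or jumps.
S1 = rb"\\.\%ls"
OPCODES = {
    "$op0": bytes.fromhex("e8 ce 34 00 00 b8 02 00 00 f0 e9 26 02 00 00 48"),
    "$op1": bytes.fromhex("8b 4d 28 e8 02 05 00 00 89 45 34 eb 07 c7 45 34"),
    "$op2": bytes.fromhex("e8 c2 34 00 00 90 48 8d 8c 24 00 01 00 00 e8 a4"),
}
# YARA "fullword": the match may not be immediately preceded or followed by an
# alphanumeric character, so "\\.\%lsX" does not count as a hit for $s1.
S1_FULLWORD = re.compile(rb"(?<![A-Za-z0-9])" + re.escape(S1) + rb"(?![A-Za-z0-9])")
MAX_SIZE = 100 * 1024  # YARA's KB suffix means 1024 bytes


def evaluate_rule(data: bytes) -> dict:
    """Evaluate every term of the rule's condition so a miss can be explained."""
    # uint16(0) reads a little-endian 16-bit word at offset 0; 0x5a4d is "MZ".
    is_mz = len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == 0x5A4D
    terms = {
        "uint16(0) == 0x5a4d": is_mz,
        "filesize < 100KB": len(data) < MAX_SIZE,
        "$s1": S1_FULLWORD.search(data) is not None,
    }
    for name, pattern in OPCODES.items():
        terms[name] = pattern in data
    terms["match"] = all(terms.values())  # "all of them" plus the two header checks
    return terms


def matches(data: bytes) -> bool:
    return evaluate_rule(data)["match"]


# Constructed samples (not real files): an MZ stub with the rule's strings
# embedded, plus near-misses that each fail exactly one condition term.
def build_sample(marker: bytes = S1 + b"\x00", size: int = 4096) -> bytes:
    body = b"MZ" + b"\x00" * 62 + marker + b"".join(OPCODES.values())
    return body + b"\x90" * (size - len(body))


SAMPLE_HIT = build_sample()
SAMPLE_NOT_FULLWORD = build_sample(marker=S1 + b"X")  # $s1 followed by a letter
SAMPLE_TOO_LARGE = build_sample(size=MAX_SIZE)        # filesize == 100KB, not <
SAMPLE_NOT_PE = b"ZM" + SAMPLE_HIT[2:]                # first word is not "MZ"
```

Calling evaluate_rule on a file that you expected to hit shows exactly which term failed, which is usually the fullword boundary or the size bound rather than the opcode bytes.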
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task (e.g., schtasks.exe) runs a script or tool that matches the behavior of the EquationGroup tool.
Filter/Exclusion: Check for process.parent_process_name = "schtasks.exe" or process.command_line LIKE '%/create%'
Scenario: Windows Update or Patching Tool
Description: A tool like wusa.exe (Windows Update) or dism.exe (Deployment Imaging Servicing Management) is used to apply updates, which may trigger similar network activity.
Filter/Exclusion: Check for process.name = "wusa.exe" or process.name = "dism.exe"
Scenario: Legitimate Malware Analysis Tool
Description: A security tool like Cuckoo Sandbox or Hydra is used to analyze malware, which may include network traffic similar to the EquationGroup tool.
Filter/Exclusion: Check for process.name = "cuckoo.exe" or process.name = "hydra.exe"
Scenario: Backup or Sync Job with Network Activity
Description: A backup tool like Veeam Backup & Replication or a sync tool like rsync may initiate network traffic that resembles the EquationGroup tool’s behavior.
Filter/Exclusion: Check for process.name = "veeam.exe" or process.name = "rsync.exe"
Scenario: Administrative PowerShell Script Execution
Description: An admin runs a PowerShell script (e.g., powershell.exe) that performs network operations, which could be mistaken for EquationGroup activity.
Filter/Exclusion: Check for process.name = "powershell.exe" and process.user = "Administrator" with a whitelisted script path.