Detects EquationGroup Tool - April Leak

Hunt Hypothesis

The hypothesis is that the detection of EquationGroup Tool - April Leak indicates potential adversary use of a sophisticated, previously disclosed malware toolkit, which may be leveraged for persistent access or data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential long-term threats from advanced adversaries exploiting known vulnerabilities.

YARA Rule

rule EquationGroup_Toolset_Apr17_msgkd_msslu64_msgki_mssld {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "9ab667b7b5b9adf4ff1d6db6f804824a22c7cc003eb4208d5b2f12809f5e69d0"
      hash2 = "320144a7842500a5b69ec16f81a9d1d4c8172bb92301afd07fb79bc0eca81557"
      hash3 = "c10f4b9abee0fde50fe7c21b9948a2532744a53bb4c578630a81d2911f6105a3"
      hash4 = "551174b9791fc5c1c6e379dac6110d0aba7277b450c2563e34581565609bc88e"
      hash5 = "8419866c9058d738ebc1a18567fef52a3f12c47270f2e003b3e1242d86d62a46"
   strings:
      $s1 = "PQRAPAQSTUVWARASATAUAVAW" fullword ascii
      $s2 = "SQRUWVAWAVAUATASARAQAP" fullword ascii
      $s3 = "iijymqp" fullword ascii
      $s4 = "AWAVAUATASARAQI" fullword ascii
      $s5 = "WARASATAUAVM" fullword ascii

      $op1 = { 0c 80 30 02 48 83 c2 01 49 83 e9 01 75 e1 c3 cc }
      $op2 = { e8 10 66 0d 00 80 66 31 02 48 83 c2 02 49 83 e9 }
      $op3 = { 48 b8 53 a5 e1 41 d4 f1 07 00 48 33 }
   condition:
      ( uint16(0) == 0x5a4d and filesize < 1000KB and 2 of ($s*) or all of ($op*) )
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 8 string patterns in its detection logic.

References

• https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation
• Source Rule

False Positive Guidance

• Scenario: Legitimate system update using msiexec.exe
  Filter/Exclusion: process.name == "msiexec.exe" && process.args contains "quiet" && process.args contains "/i"

• Scenario: Scheduled backup job using vssadmin.exe
  Filter/Exclusion: process.name == "vssadmin.exe" && process.args contains "backup" && process.args contains "begin"

• Scenario: Admin task using taskhost.exe for scheduled tasks
  Filter/Exclusion: process.name == "taskhost.exe" && process.parent.name == "schtasks.exe"

• Scenario: Network discovery using nmap.exe for internal network mapping
  Filter/Exclusion: process.name == "nmap.exe" && process.args contains "--script" && process.args contains "discovery"

• Scenario: Log file analysis using logparser.exe
  Filter/Exclusion: process.name == "logparser.exe" && process.args contains "eventlog" && process.args contains "from" && process.args contains "where"