Detects EquationGroup Tool - April Leak

Hunt Hypothesis

The hypothesis is that the detection of the EquationGroup Tool - April Leak indicates potential adversary use of a sophisticated, previously disclosed malware variant, which may be part of a targeted attack. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise from advanced persistent threats leveraging known but possibly reactivated malware.

YARA Rule

rule EquationGroup_Toolset_Apr17__SendCFTrigger_SendPKTrigger_6 {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      super_rule = 1
      hash1 = "3bee31b9edca8aa010a4684c2806b0ca988b2bcc14ad0964fec4f11f3f6fb748"
      hash2 = "2f9c7a857948795873a61f4d4f08e1bd0a41e3d6ffde212db389365488fa6e26"
   strings:
      $s4 = "* Failed to connect to destination - %u" fullword wide
      $s6 = "* Failed to convert destination address into sockaddr_storage values" fullword wide
   condition:
      ( uint16(0) == 0x5a4d and filesize < 400KB and 1 of them )
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 2 string patterns in its detection logic.

References

• https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation
• Source Rule

False Positive Guidance

• Scenario: Scheduled System Maintenance Task
  Description: A legitimate scheduled task (e.g., Task Scheduler or PowerShell job) runs a script that matches the behavior of the EquationGroup tool, such as file encryption or registry modification.
  Filter/Exclusion: Check for Task Scheduler or PowerShell job names containing “Maintenance”, “Cleanup”, or “Update”. Use a filter like:

  (ProcessName == "schtasks.exe" or ProcessName == "powershell.exe") and (CommandLine contains "Maintenance" or "Cleanup")

• Scenario: Antivirus Quarantine Process
  Description: An antivirus tool (e.g., Kaspersky, Bitdefender, or Malwarebytes) is performing a quarantine operation, which may involve file encryption or deletion similar to EquationGroup.
  Filter/Exclusion: Check for processes associated with known antivirus vendors. Use a filter like:

  (ProcessName contains "kav" or "bitdefender" or "malwarebytes") and (CommandLine contains "quarantine" or "delete")

• Scenario: Database Backup Job
  Description: A database backup job (e.g., SQL Server Backup, MySQL Dump) may involve file operations that resemble EquationGroup’s behavior, such as copying or encrypting files.
  Filter/Exclusion: Filter by process names like sqlbackup.exe, mysqldump.exe, or backup.exe, and check for command lines containing “backup” or “restore”.

  (ProcessName == "sqlbackup.exe" or ProcessName == "mysqldump.exe") and (CommandLine contains "backup" or "restore")

• Scenario: System File Integrity Check (SFIC)
  Description: A