FortiGuard Labs is aware of a report by Pangu Lab that a new Linux backdoor malware that reportedly belongs to the Equation group was used to potentially compromise more than 200 organizations across over 40 countries around the globe. The Equation group is regarded as one of the most highly skilled threat actors, which some speculate have close connections with National Security Agency (NSA). The threat actor is also reported have been tied to the Stuxnet malware that was used in 2010 cyber attack on a nuclear centrifuge facility in Iran.Why is this Significant?Bvp47 is a previously undiscovered backdoor malware that was reportedly used in cyber attacks carried out by the Equation group. According to the report and information available in the documents that presumably leaked from the Equation group, over 200 organizations spread across more than 40 countries may have been infected with the Bvp47 malware.The Bvp47 file called out in the report was first submitted to VirusTotal in late 2013, which indicates that Bvp47 was used and undiscovered for close to a decade.How was the Connection between the Bvp47 malware and the Equation Group Established?Pangu Lab concluded that Bvp47 belongs to the Equation group because one of the folders included in the documents leaked by the Shadow Brokers in 2017 contained a RSA private key required by Bvp47 for its command execution and other operations.What is the Shadow Brokers?The Shadow Brokers is a threat actor who claimed to have stolen highly classified information from the Equation group in 2016. The stolen information includes zero-day exploits, operation manuals and description of tools used by the Equation group. The Shadow Brokers then attempted to sell the information to the highest bidder. After no one purchased the information, The threat actor released the information to the public after the auction attempt failed.One of the most famous exploits included in the leaked documents is EternalBlue. Within a few weeks of the leak, EternalBlue was incorporated in Wannacry ransomware which caused global panic in 2017.What are the Characteristics of Bvp47?Bvp is a Linux backdoor that performs actions upon receiving commands from Command and Control (C2) servers.Because the Bvp47 framework is incorporated with components such as “dewdrops” and “solutionchar_agents” that are included in the Shadow Brokers leaks, the backdoor is for mainstream Linux distributions, FreeBSD, Solaris as well as JunOS,.Bvp47 also runs various environment checks. If the requirements are not met, the malware deletes itself.What is the Status of Coverage?FortiGuard Labs provide the following AV coverage against Bvp47:ELF/Agent.16DC!tr
More Stories
firefox-flatpak-120.0-2
FEDORA-FLATPAK-2023-85f15b91dc Packages in this update: firefox-flatpak-120.0-2 Update description: Fixed freezes on Google Maps Update to 120.0 Read More
opendkim-2.11.0-0.36.el9
FEDORA-EPEL-2023-9a05f8b1eb Packages in this update: opendkim-2.11.0-0.36.el9 Update description: Add upstream PR that filters Authentication-Results headers correctly to fix CVE-2022-48521. Read...
firefox-120.0-3.fc37
FEDORA-2023-dce9c4b01f Packages in this update: firefox-120.0-3.fc37 Update description: Fixed freezes on Google Maps Updated to latest upstream (120.0) Read More
SEC Consult SA-20231123 :: Uninstall Key Caching in Fortra Digital Guardian Agent Uninstaller
Posted by SEC Consult Vulnerability Lab, Research via Fulldisclosure on Nov 27 SEC Consult Vulnerability Lab Security Advisory < 20231123-0...
SEC Consult SA-20231122 :: Multiple Vulnerabilities in m-privacy TightGate-Pro
Posted by SEC Consult Vulnerability Lab, Research via Fulldisclosure on Nov 27 SEC Consult Vulnerability Lab Security Advisory < 20231122-0...
Senec Inverters Home V1, V2, V3 Home & Hybrid Use of Hard-coded Credentials – CVE-2023-39169
Posted by Phos4Me via Fulldisclosure on Nov 27 Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS:...