242. Front . . . . . . . #standardsandpraiserepurpose #flameespionage #zerodayexploit #doublefantasy #equationlaser #equationdrug #straitbizarre #patientzero #equestre #grayfish #stuxnet #careto #mask #turla #end
Perhaps most costly to the attackers was their failure to renew some of the domains used by these servers. Out of the 300 or so domains used, about 20 were allowed to expire. Kaspersky quickly registered the domains and, over the past ten months, has used them to "sinkhole" the command channels, a process in which researchers monitor incoming connections from Equation Group-infected machines.
One of the most severe renewal failures involved a channel that controlled computers infected by "EquationLaser," an early malware platform abandoned around 2003 when antivirus programs began to detect it. The underlying domain name remained active for years until one day, it didn't; Kaspersky acquired it and EquationLaser-infected machines still report to it.
"It's really surprising to see there are victims around the world infected with this malware from 12 years ago," Raiu said. He continues to see about a dozen infected machines that report from countries that include Russia, Iran, China, and India.