APT3 is a China-based sophisticated threat group, that has been known to use the Equation group’s exploitation tools. The group has developed the exploit to target more Windows systems.
What does the research say?
The tool developed by APT3 is called Bemstour. The research also suggests that these activities may indicate a race between China and the USA to develop new exploits.
Understanding the Bemstour tool
Bemstour is an exploit tool developed by APT3 to create a DoublePulsar backdoor on a victim’s machine. It uses UPSynergy, a combination of a zero-day discovered by APT3 and an exploit based on EternalRomance.
This tool provides 2 modes of execution. The attacker sends a local file to be executed on the victim’s machine in the first mode. In the second mode, the attacker runs an arbitrary command without having to send a file. These modes are supported in both 32 and 64-bit versions.
The bottom line
There is no solid evidence to tell us how APT3 obtained the tools of the Equation group. But based on various findings, there are different possibilities — APT3 built the tool by research, obtained it from a third-party, or developed the tool with inputs captured from an attack by the Equation group.