APT3 uses Equation group’s tools including Bemstour to target Windows systems

• Recently, Symantec published findings on the use of the Equation group’s tools by a Chinese APT, Buckeye (or APT3) before the Shadow Brokers leak.
• Further research was conducted to understand how APT3 made use of the Equation group’s tools combined with their own understanding.

APT3 is a China-based sophisticated threat group, that has been known to use the Equation group’s exploitation tools. The group has developed the exploit to target more Windows systems.

What does the research say?

• APT3 attempted to develop the exploit to target Windows systems. This requires a zero-day that provides a kernel leak. Researchers have observed that these activities may indicate that APT3 does not have access to NSA exploitation tools.
• The SMB packets were observed to be developed separately, instead of using a third-party library. These packets were assigned with arbitrary and hardcoded data which lead to the conclusion that APT3 was attempting to recreate the exploit based on recorded network traffic.
• Researchers suggest that the network traffic was recorded either from a Chinese machine monitored by the group and targeted by NSA, or from a machine with foreign activity that APT3 took over.

The tool developed by APT3 is called Bemstour. The research also suggests that these activities may indicate a race between China and the USA to develop new exploits.

Understanding the Bemstour tool

Bemstour is an exploit tool developed by APT3 to create a DoublePulsar backdoor on a victim’s machine. It uses UPSynergy, a combination of a zero-day discovered by APT3 and an exploit based on EternalRomance.

This tool provides 2 modes of execution. The attacker sends a local file to be executed on the victim’s machine in the first mode. In the second mode, the attacker runs an arbitrary command without having to send a file. These modes are supported in both 32 and 64-bit versions.

The bottom line

There is no solid evidence to tell us how APT3 obtained the tools of the Equation group. But based on various findings, there are different possibilities — APT3 built the tool by research, obtained it from a third-party, or developed the tool with inputs captured from an attack by the Equation group.