When hacker code collides: A discovered malware sample uses tools from the NSA and a Chinese group

Written by

Good hackers steal, great hackers borrow.

According to new research from ESET, a code obfuscation tool that’s been linked to Chinese-based hackers has been used in tandem with an implant that has been attributed to Equation Group, a hacking faction that is broadly believed to have ties to the National Security Agency.

ESET says the obfuscation tool is linked with Winnti Group, while the implant, known as PeddleCheap, appeared in an April 2017 leak from the mysterious group known as the Shadow Brokers.

It’s unclear if the sample was used in a malicious campaign or if it’s the product of a security researcher experimenting with different tools, according to Marc-Étienne Léveillé, a malware researcher at ESET. It was uploaded to malware-sharing repository VirusTotal in 2017, according to Léveillé.

The Winnti-linked packer was used in a series of intrusions at gaming organizations in 2018, which ESET has previously documented.

ESET published its findings in the hopes that some other researchers may have more visibility into the sample’s origins, Lévillé told CyberScoop.

Muddled attribution

It’s not clear who is behind the sample — it’s possible Equation Group used the Winnti-linked portion to run its own intelligence collection, but it is also possible Winnti, which is suspected to have links with the Chinese government, used the leaked NSA implant for its operations.

Léveillé said he views the latter as the likely explanation.

“It is likely that the Winnti Group used tools from the Shadow Brokers leak as a first stage to compromise their victims in 2017. Another, less likely, scenario is that the Equation Group has seen and reused the Winnti Group packer in their operations,” Léveillé told CyberScoop. “Yet another, even less-likely scenario is that a third party who had access to this Winnti Group [tool], used it with PeddleCheap from the Shadow Brokers leak.”

The malware combination shows the far-reaching ramifications of the Shadow Brokers leak: attributing attacks via tools that were used in the massive dump is much more difficult, as any number of actors can use them to muddle up security researchers’ findings.

“These samples are an example of how attribution is difficult, if not impossible, by looking only at malware samples without additional context. It is relatively easy to repurpose malware [artifacts] once they are discovered and documented,” Léveillé told CyberScoop. “In addition to that, it is possible intelligence agencies discover these components before they are public knowledge, misleading attribution made by analysts later on.”

While the actors behind the Winnti-PeddleCheap tool may be unknown, Chinese hackers had access to some other tools that appeared in the Shadow Brokers leak months before the Shadow Brokers revealed them to the public.

It remains unclear if that group, known as Buckeye or APT3, stole the tools by breaching NSA systems or if they caught them in the wild. It is also possible the Chinese hackers independently observed the same vulnerabilities and created similar tools to exploit them.