Pangu Lab researchers have revealed details of a top-tier Linux APT backdoor, dubbed Bvp47, which is linked to the US National Security Agency (NSA) Equation Group.
The name "Bvp47" is derived from several references to the string "Bvp" and the numeric value 0x47 used in the encryption algorithm.
The Bvp47 backdoor was first identified in 2013 during a forensic examination into a security breach at a Chinese government entity.
The backdoor was discovered on Linux computers after an in-depth forensic assessment of a host in a key domestic department, according to the experts.
The malware appeared to be a top-tier APT backdoor, but further investigation was hampered because activating its remote control function required the attacker's asymmetrically encrypted private key.
The hacking group known as The Shadow Brokers disclosed a trove of data reportedly taken from the Equation Group in 2016 and 2017, including a slew of hacking tools and exploits.
At the end of October 2016, the hackers disclosed a new dump, this time featuring a list of systems compromised by the NSA-linked Equation Group.
The Bvp47 backdoor was identified by Pangu Lab researchers within material exposed by The Shadow Brokers.
Over a ten-year period, the Equation Group attacked over 287 targets in 45 countries, including Russia, Japan, Spain, Germany, and Italy, according to the leaked data.
Governments, telecommunications, aircraft, energy, financial institutions, nuclear research, oil and gas, military, transportation, and companies researching encryption technologies were among the industries targeted by the group.
The attacks involving the Bvp47 backdoor have been termed "Operation Telescreen" by Pangu Lab. The malicious code was created to allow operators to gain long-term control over compromised devices.
The report published by the experts stated, “The implementation of Bvp47 includes complex code, segment encryption and decryption, Linux multi-version platform adaptation, rich rootkit anti-tracking techniques, and most importantly, it integrates an advanced BPF engine used in advanced covert channels, as well as a cumbersome communication encryption and decryption process.”
Experts believe there was no effective defense against the backdoor's network attack capability, which was armed with zero-day vulnerabilities.
The Pangu Lab research covers technical specifics about the backdoor as well as information about the Equation Group's relationship with the US National Security Agency.
The link to the Equation Group is based on exploits found in the encrypted archive file "eqgrp-auction-file.tar.xz.gpg", released by the Shadow Brokers following a failed 2016 auction.