Killsuit: The Equation Group’s Swiss Army knife for persistence, evasion, and data exfil

Presented at DerbyCon 8.0 Evolution (2018), Oct. 7, 2018, 11 a.m. (50 minutes).

Most researchers have focused on the Equation Group’s brilliant exploits, but very few have focused on their extremely effective post-exploitation capabilities. During this talk, we will dissect the KillSuit framework, the Equation Group’s Swiss Army knife for persistence, information gathering, defense evasion, and data exfiltration. KillSuit is a little-known part of the DanderSpritz post-exploitation toolkit, leaked by the Shadow Brokers in April 2017. KillSuit is a full-featured and versatile framework used by a variety of the Equation Group’s tools and implants. KillSuit provides the ability to stealthily establish persistence on machines, install keyloggers and packet-capture tools, perform WiFi MITM, and deploy other information-gathering tools. KillSuit includes many interesting ways to silently exfiltrate data and intel, including custom-written IPsec-like protocols and misuse of “disabled” WiFi cards and nearby open networks.
