Experts Detail Logging Tool of DanderSpritz Framework Used by Equation Group Hackers


Level 85
Thread author
Honorary Member
Top poster
Content Creator
Malware Hunter
Aug 17, 2014
Cybersecurity researchers have offered a detailed glimpse into a system called DoubleFeature that's dedicated to logging the different stages of post-exploitation stemming from the deployment of DanderSpritz, a full-featured malware framework used by the Equation Group.

DanderSpritz came to light on April 14, 2017, when a hacking group known as the Shadow Brokers leaked the exploit tool, among others, under a dispatch titled "Lost in Translation." Also included in the leaks was EternalBlue, a cyberattack exploit developed by the U.S. National Security Agency (NSA) that enabled threat actors to carry out the NotPetya ransomware attack on unpatched Windows computers.

The tool is a modular, stealthy, and fully functional framework that relies on dozens of plugins for post-exploitation activities on Windows and Linux hosts. DoubleFeature is one among them, which functions as a "diagnostic tool for victim machines carrying DanderSpritz," researchers from Check Point said in a new report published Monday.