Shadow Brokers Now Selling Windows Exploits, Antivirus Bypass Tools
The Shadow Brokers, a group of hackers that have stolen exploits and hacking tools from the National Security Agency (NSA), are now selling some of these tools, which include Windows exploits and antivirus bypass tools, on a website hidden on the ZeroNet network.
All previously released hacking tools worked only against UNIX-based operating systems. This is the first time the Shadow Brokers have released Windows tools.
According to a message posted by the Shadow Brokers on their website, the entire “Windows Warez” collection is available for 750 Bitcoin ($675,000).
Windows download here:
Unix download here:
Englandboggy – great name
The ENGLANDBOGGY as an example is a privilege escalation attack that appears to load a shared library into a XORG privileged process for local root access. Another privilege escalation ENDLESSDONUT elevates a user from the “nobody” uid to “root” via exploitation of Apache httpd, a particularly interesting attack. The snippet of files contain a number of tools that are designed for stealth operation of a compromised UNIX host and as such could be vital for forensic analysts and incident response teams who are attempting to determine if they are impacted by the Equation Group and its tools. Amongst the collection of data is the man page for a forensically aware network capture tool, that appears to have been developed professionally. The output below shows the man page which is provided for the “strifeworld” tool.
We found some discrepancies in the data when we compared the files to the table however the data mostly supported ShadowBrokers classification of each tool. The file collection consists of the output of the “find” command in each project, alongside a screen shot of a file system browsing utility. This also gives the added benefit of providing file type information. The bulk of these projects are not provided in source code form and instead appear to be binary files, which further strengthens the hypothesis that these files were compromised from an operational staging post or actively obtained from a field operation by a 3rd party. If they had been in source code format then this would suggest an insider leak is more likely, binary files are often used in operations and distributed to team members over their source code counterpart. There is no conclusive evidence to identify the source of the leak and we will focus on the risks that the unreleased data may introduce. In addition to the screen shot and file output some files contain snippets of usage data and in one a full blown man page is provided! The team at Hacker House has been able to determine the following information about the as-yet-unreleased Equation Group toolkits.