NOPEN has central role in Equation Group operations

Sep 13, 2016 16:30 GMT  ·  By

Security experts from Vectra Networks have taken a closer look at one of the files leaked by the Shadow Brokers, a nefarious group that claims to have stolen hacking tools from the Equation Group, a US-based cyber-espionage actor that some security vendors say is the NSA.

While most of the media and security researchers have focused their efforts on uncovering potential zero-days in the leak (and have found some), a few of the tools have remained unexplored.

NOPEN is a RAT for Unix systems

According to Vectra's Nick Beauchesne, one of those tools is NOPEN, which security experts have previously described as a "post-exploitation shell" that the Equation Group installed on compromised devices, giving operators the ability to connect back to the hacked equipment.

Beauchesne goes as far as to call NOPEN a RAT (Remote Administration Tool) for Unix systems. RAT is a term usually applied to a category of malware found on Windows and Android devices that allows crooks to connect to and control infected systems.

Based on his analysis, NOPEN is worthy of this categorization. The tool, which he says is of some importance in the Equation Group's arsenal judging by the number of times it is referenced in the leaked documentation files, is very complex.

The intended workflow is for Equation Group operators to compromise a system, install NOPEN, open a connection from the hacked device back to their own infrastructure, and start listening for data. Once they have found what they were looking for, operators are supposed to delete the tool.

"Ultimately it gives you a powerful yet simple shell and tunnel capabilities, all nicely wrapped under their now famous RC6 crypto," Beauchesne writes.

NOPEN works on Linux, FreeBSD, SunOS, Solaris, and HP-UX

According to his analysis, NOPEN works on all sorts of architectures such as i386, i486, i586, i686, i86pc, i86, SPARC, Alpha, x86_64, and AMD64. The expert says that NOPEN can run on operating systems like Linux, FreeBSD, SunOS, Solaris, and HP-UX.

The tool's primary use is for opening tunnels back to Equation Group servers and running a reverse shell (command-line interface). Operators run the NOPEN client, while the NOPEN server is installed on compromised devices.

The good news, according to Beauchesne, is that some current security solutions might be able to detect NOPEN's presence in some networks, despite the usage of RC6 encryption to hide its traffic.