14 DAY TRIAL // More than a week has passed since The Shadow Brokers dumped their files online, claiming to have taken them from the Equation Group, a cyber-espionage group that many experts believe to be the NSA.
The Shadow Brokers say they dumped 60 percent of all the stolen files, and started an auction, promising to give the winner access to the other 40 percent.
Since their initial dump, security researchers from Kaspersky have confirmed the leaked data is similar to what they have seen from past Equation Group malware, and The Intercept, with the help of never-before-seen Snowden documents, has tied the leaked malware with actual NSA cyber-weapons.
Most of the URLs where The Shadow Brokers dumped details about their operation (GitHub, Tumblr, PasteBin) have been taken down, and another PasteBin URL that included a list of all the dumped files was also brought down. We've embedded that original list at the end of this story.
This article is not news per-se, but only provides a list of the files dumped in The Shadow Group leak, along with an explanation of their capabilities, where available.
For sources, we used different analysis provided by Risk Based Security, Mustafa Al-Bassam, Matt Suiche, RST Forums, and other researchers that shared their findings on various exploits on Twitter and GitHub.
For the table below, we used Al-Bassam's categories. A tool is a software package that can deploy multple implants and exploits. An implant is malware that is installed on a compromised device. An exploit is a vulnerability that allows the attacker to compromise the device, extract data, or deploy an implant/tool.
| Name | Type | Description |
|---|---|---|
| 1212/DEHEX | Tool | Tool for converting hex strings to IP addresses and ports |
| BANANABALLOT | Implant | BIOS implant |
| BANANAGLEE | Implant | Firewall implant that does not persist across reboots. Works on Cisco ASA and PIX. |
| BANANALIAR | Tool | Connects to an (currently) unknown implant |
| BANNANADAIQUIRI | Implant | Uknown, has associations with SCREAMINGPILLOW. |
| BARGLEE | Implant | Unconfirmed Juniper NetScreen 5.x firewall implant |
| BARICE | Tool | Shell for deploying BARGLEE |
| BARPUNCH | Implant | BANANAGLEE and BARGLEE module |
| BBALL | Implant | BANANAGLEE module |
| BBALLOT | Implant | BANANAGLEE module |
| BBANJO | Implant | BANANAGLEE module |
| BCANDY | Implant | BANANAGLEE module |
| BEECHPONY | Implant | Firewall implant (BANANAGLEE predecessor) |
| BENIGNCERTAIN | Tool | Tool for extracking VPN keys from Cisco PIX firewalls. Detailed here. |
| BFLEA | Implant | BANANAGLEE module |
| BILLOCEAN | Tool | Extracts seral numbers from Fortinet Fortigate firewalls (possible others). |
| BLATSTING | Implant | Firewall implant for deploying EGREGIOUSBLUNDER and ELIGIBLEBACHELOR |
| BMASSACRE | Implant | BANANAGLEE and BARGLEE module |
| BNSLOG | Implant | BANANAGLEE and BARGLEE module |
| BOOKISHMUTE | Exploit | Exploit against unknown firewall |
| BPATROL | Implant | BANANAGLEE module |
| BPICKER | Implant | BANANAGLEE module |
| BPIE | Implant | BANANAGLEE and BARGLEE module |
| BUSURPER | Implant | BANANAGLEE module |
| BUZZDIRECTION | Implant | Unconfirmed Fortinet Fortigate firewall implant |
| CLUCKLINE | Implant | BANANAGLEE module |
| CONTAINMENTGRID | Exploit | Ready-made payload that can be delivered via the ELIGIBLEBOMBSHELL exploit. Affects TOPSEC firewalls running TOS 3.3.005.066.1. |
| DURABLENAPKIN | Tool | Tool for packet injection on LAN connections |
| EGREGIOUSBLUNDER | Exploit | RCE for Fortinet FortiGate firewalls. Affected models: 60, 60M, 80C, 200A, 300A, 400A, 500A, 620B, 800, 5000, 1000A, 3600, and 3600A |
| ELIGIBLEBACHELOR | Exploit | Exploit on TOPSEC firewalls running TOS operating system versions 3.2.100.010, 3.3.001.050, 3.3.002.021 and 3.3.002.030. |
| ELIGIBLEBOMBSHELL | Exploit | RCE for TOPSEC firewalls affecting versions 3.2.100.010.1_pbc_17_iv_3 to 3.3.005.066.1 |
| ELIGIBLECANDIDATE | Exploit | RCE for TOPSEC fierewalls affecting versions 3.3.005.057.1 to 3.3.010.024.1 |
| ELIGIBLECONTESTANT | Exploit | RCE for TOPSEC fierewalls affecting versions 3.3.005.057.1 to 3.3.010.024.1. Must be run only after ELIGIBLECANDIDATE |
| EPICBANANA | Exploit | Privilege escalation on Cisco ASA (versions 711, 712, 721, 722, 723, 724, 80432, 804, 805, 822, 823, 824, 825, 831, 832) and Cisco PIX (versions 711, 712, 721, 722, 723, 724, 804) |
| ESCALATEPLOWMAN | Exploit | Privilege escalation on WatchGuard products. Company says this won't work on newer devices. |
| EXTRABACON | Exploit | RCE on Cisco ASA versions 802, 803, 804, 805, 821, 822, 823, 824, 825, 831, 832, 841, 842, 843, 844 (CVE-2016-6366) |
| FALSEMOREL | Exploit | Cisco exploit that extracts the "enable" password if Telnet is active on the device. |
| FEEDTROUGH | Implant | Persistent implant on Juniper NetScreen firewalls for deploying BANANAGLEE and ZESTYLEAK. |
| FLOCKFORWARD | Exploit | Ready-made payload that can be delivered via the ELIGIBLEBOMBSHELL exploit. Affects TOPSEC firewalls running TOS 3.3.005.066.1. |
| FOSHO | Tool | Python library for crafting HTTP requests used in exploits |
| GOTHAMKNIGHT | Exploit | Ready-made payload that can be delivered via the ELIGIBLEBOMBSHELL exploit. Affects TOPSEC firewalls running TOS 3.2.100.010.8_pbc_27. |
| HIDDENTEMPLE | Exploit | Ready-made payload that can be delivered via the ELIGIBLEBOMBSHELL exploit. Affects TOPSEC firewalls running TOS 3.2.8840.1. |
| JETPLOW | Implant | Cisco ASA and PIX implant used to insert BANANAGLEE in the device's firmware |
| JIFFYRAUL | Implant | BANANAGLEE module for Cisco PIX |
| NOPEN | Tool | Post-exploitation shell (client used by the attacker, server installed on targeted device) |
| PANDAROCK | Tool | For connecting to POLARPAWS implants |
| POLARCALGON | Tool | Tool to clean logs on compromised Huawei firewalls |
| POLARPAWS | Implant | Firewall implant for unknown vendor |
| POLARSNEEZE | Implant | Firewall implant for unknown vendor |
| SCREAMINGPLOW | Implant | Cisco ASA and PIX implant used to insert BANANAGLEE in the device's firmware |
| SECONDDATE | Tool | Packet injection on WiFi and LAN networks. Used with BANANAGLEE and BARGLEE |
| TEFLONDOOR | Tool | Self-destructing post-exploitation shell |
| TURBOPANDA | Tool | Tool for connecting to previosuly-leaked HALLUXWATER implant. |
| WOBBLYLLAMA | Exploit | Ready-made payload that can be delivered via the ELIGIBLEBOMBSHELL exploit. Affects TOPSEC firewalls running TOS 3.3.002.030.8_003. |
| XTRACTPLEASING | Tool | Converts data to PCAP files |
| ZESTYLEAK | Implant | Juniper NetScreen firewall implant |