#ESETresearch stumbled upon strange samples which use the packer we described in publications on the #Winnti Group. The payload in these samples is an implant attributed to Equation. It is known as PeddleCheap according to the project names seen in the Shadow Brokers leaks. 1/8 
Those samples were first seen in 2017, one year before it was used in the compromised games in 2018 (welivesecurity.com/2019/03/11/gam…). They are 8b8d2eb8de66890f4c0950ccb3fff95b0f42b9e1 and b48beb5e49976294287b1d6910d7445db83e5cf2. #ESETresearch @marc_etienne_ 2/8
These particular executables do 3 things: launch the legitimate Adobe Flash installer, copy itself to %TEMP%\micrit.exe and start PeddleCheap. #ESETresearch @marc_etienne_ 3/8
We found this compiled PeddleCheap instance is present in the "Lost in Translation" Shadow Brokers leak. File name is PC_Level3_dll. Only 6 bytes are changed, revealing the C&C server was set to 94.140.125.181:443. #ESETresearch @marc_etienne_ 4/8
This sample raises more questions than answers: did the Winnti Group use the leaked toolset, or is Equation using a packer from Winnti Group? Was this a test or used in a real operation? Given its disguise as a Flash update, was there watering hole involved? #ESETresearch 6/8
This is a good example of the limited value of attribution only based on similarity in malware samples. All #malware samples are ultimately attacker-controlled information. It’s easy for a threat operators to confuse an analyst by reusing artefacts attributed to other groups. 7/8
If you come across this particular packer in any sample, a stand-alone Python script to statically unpack the payload is available in our malware-research repository on GitHub. github.com/eset/malware-r… #ESETresearch @marc_etienne_ 8/8
