Fanny
Malware
⚠️ Overview
Fanny is a computer worm first publicly documented by Kaspersky Lab in February 2015 as one of the earliest tools in the Equation Group toolkit. Kaspersky did not name a sponsor; the widely reported attribution to the U.S. National Security Agency (NSA) rests on the group's ties to the Stuxnet and Flame operations, including two zero-day exploits that Fanny used before Stuxnet did. Functionally it is a USB-borne worm with an air-gap-bridging command-and-control channel: it collects basic system information from physically isolated machines and relays it, together with operator commands, through a hidden storage area on removable media.
🔧 Technical Capabilities
Fanny spreads on infected USB drives through the Windows shortcut (.LNK) icon-loading vulnerability CVE-2010-2568 (fixed by MS10-046, KB2286198), which was an unknown zero-day when Fanny used it in 2008 and was later made famous by Stuxnet. The exploit fires when Explorer renders the folder containing the malicious shortcut, so it does not rely on Autorun and disabling Autorun alone does not stop it. For privilege escalation Fanny used a second zero-day, later addressed by MS09-025 and also found in early Stuxnet builds. Its distinguishing feature is the USB-based command-and-control relay: on an air-gapped host the worm writes basic system information into a hidden storage area on the USB stick; when that stick is later inserted into an Internet-connected infected host, the data is forwarded to the operators' C2 server, and commands the operators have placed in the hidden area are carried back and executed on the isolated machine. Details sometimes attached to Fanny, such as a "ServU" service, a polymorphic engine, Windows Defender tampering, or a payload stored in the drive's "physical metadata area" outside the file system, are not supported by the published Kaspersky analysis and should not be relied on for detection.
📜 History & Notable Incidents
Kaspersky's analysis dates Fanny to 2008: the sample was compiled in mid-2008 and first seen by Kaspersky telemetry at the end of that year (report "Equation: The Death Star of Malware Galaxy", February 2015). The claim of 2006 compile dates is not supported. Victims were concentrated in the Middle East and Asia; there is no public evidence tying Fanny to Iranian nuclear facilities, a link that belongs to Stuxnet. Fanny shares its two zero-days with Stuxnet, which is the strongest public evidence that the two projects had a common source. No CVE is assigned to Fanny itself. It exploited CVE-2010-2568 (LNK, MS10-046) for spreading and the privilege-escalation flaw fixed by MS09-025; the MS08-067 (CVE-2008-4250) and Print Spooler (CVE-2010-2729) exploits were Stuxnet's, not Fanny's. The Shadow Brokers leaked a cache of tools attributed to the Equation Group in 2016 and 2017; no law enforcement action against the developers has been publicly reported.
🔍 Detection Indicators
The hashes, mutex, registry key, IP ranges and TLS certificate fingerprint originally listed on this page do not correspond to any published Fanny sample: the hash values are placeholder patterns, and 10.0.0.0/8 is private address space that cannot host an Internet C2 server. Do not deploy them. Verified indicators (sample hashes, the Fanny C2 domain, YARA rules) are published in the appendix of Kaspersky's 2015 Equation report. Behaviourally, look for .LNK files on removable media whose shell item list walks through the Control Panel namespace to a .dll or .cpl path (the CVE-2010-2568 pattern, which only fires on hosts missing MS10-046), for removable media that travel between isolated and Internet-connected hosts, and for an unexplained outbound connection from a connected host shortly after a USB stick is inserted, which is when Fanny relays collected data.
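The following scanner, an added example and not code from the original page or from Kaspersky's report, walks a mounted volume (for instance a removable drive) and flags shortcuts with the structure described above: a LinkTargetIDList that contains the Control Panel namespace CLSID together with a UTF-16LE path ending in .dll or .cpl. Header and item-list parsing follow the MS-SHLLINK format; the heuristic itself, the `build_test_lnk` fixture builder (whose item type bytes are illustrative), and the sample file names are this example's own assumptions. The fixture only carries the structural marker; no module is referenced that exists and nothing is executed.

```python
"""Heuristic scanner for .LNK files whose target item list descends through the
Control Panel namespace to a .dll/.cpl path: the shortcut layout abused by
CVE-2010-2568 (MS10-046), which Fanny used to spread on removable media.
Added example; parsing follows MS-SHLLINK, the heuristic is the editor's."""
import os
import struct
import tempfile
import uuid
from typing import Dict, List, Optional, Tuple

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le
HAS_LINK_TARGET_ID_LIST = 0x1  # LinkFlags bit 0; LinkFlags sits at offset 0x14
# Shell namespace CLSID of the Control Panel folder. On an unpatched host,
# Explorer loads the module named by a Control Panel item to draw its icon.
CONTROL_PANEL_CLSID = uuid.UUID("21ec2020-3aea-1069-a2dd-08002b30309d").bytes_le
MY_COMPUTER_CLSID = uuid.UUID("20d04fe0-3aea-1069-a2d8-08002b30309d").bytes_le
LOADABLE_EXTENSIONS = (".dll", ".cpl")


def parse_id_list(data: bytes) -> List[bytes]:
    """ItemID bodies of a shell link's LinkTargetIDList; [] if absent or corrupt."""
    if (len(data) < LNK_HEADER_SIZE + 2 or data[:4] != b"\x4c\x00\x00\x00"
            or data[4:20] != LNK_CLSID):
        return []
    if not struct.unpack_from("<I", data, 0x14)[0] & HAS_LINK_TARGET_ID_LIST:
        return []
    size = struct.unpack_from("<H", data, LNK_HEADER_SIZE)[0]
    pos = LNK_HEADER_SIZE + 2
    limit = min(pos + size, len(data))
    items: List[bytes] = []
    while pos + 2 <= limit:
        item_size = struct.unpack_from("<H", data, pos)[0]
        if item_size == 0:  # TerminalID closes the list
            return items
        if item_size < 2 or pos + item_size > limit:
            return []  # truncated or corrupt list
        items.append(data[pos + 2:pos + item_size])
        pos += item_size
    return []  # no TerminalID seen


def utf16_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Printable UTF-16LE runs in blob, tried at both byte alignments."""
    found: List[str] = []
    for start in (0, 1):
        run: List[str] = []
        for i in range(start, len(blob) - 1, 2):
            ch = blob[i] | (blob[i + 1] << 8)
            if 0x20 <= ch < 0x7F:
                run.append(chr(ch))
                continue
            if len(run) >= min_len:
                found.append("".join(run))
            run = []
        if len(run) >= min_len:
            found.append("".join(run))
    return found


def analyze_lnk(data: bytes) -> Dict[str, object]:
    """Flag a shortcut whose item list has a Control Panel item and a loadable path."""
    items = parse_id_list(data)
    cpl = any(CONTROL_PANEL_CLSID in item for item in items)
    paths = [s for item in items for s in utf16_strings(item)
             if s.lower().endswith(LOADABLE_EXTENSIONS)]
    return {"control_panel_item": cpl, "module_paths": paths,
            "suspicious": cpl and bool(paths)}


def scan_directory(root: str) -> List[Tuple[str, List[str]]]:
    """Walk a mounted volume (e.g. a removable drive) and list suspicious .lnk files."""
    hits: List[Tuple[str, List[str]]] = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(".lnk"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    verdict = analyze_lnk(fh.read(1 << 20))
            except OSError:
                continue
            if verdict["suspicious"]:
                hits.append((path, list(verdict["module_paths"])))  # type: ignore[arg-type]
    return hits


def build_test_lnk(control_panel: bool, module_path: Optional[str]) -> bytes:
    """Constructed fixture, not a real Fanny sample: minimal shell link whose item
    list optionally carries the Control Panel CLSID and a UTF-16LE module path.
    Item type/sort bytes are illustrative; the scanner does not depend on them."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
    header += struct.pack("<I", HAS_LINK_TARGET_ID_LIST)
    header = header.ljust(LNK_HEADER_SIZE, b"\x00")
    items = [b"\x1f\x50" + MY_COMPUTER_CLSID]  # root folder item (type 0x1F)
    if control_panel:
        items.append(b"\x2e\x80" + CONTROL_PANEL_CLSID)
    if module_path is not None:
        items.append(b"\x00" * 4 + module_path.encode("utf-16-le") + b"\x00\x00")
    id_list = b"".join(struct.pack("<H", len(i) + 2) + i for i in items) + b"\x00\x00"
    return header + struct.pack("<H", len(id_list)) + id_list


def demo() -> List[Tuple[str, List[str]]]:
    """Write one suspicious and one benign constructed shortcut, then scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "trap.lnk"), "wb") as fh:
            fh.write(build_test_lnk(True, r"\\?\E:\icon.dll"))
        with open(os.path.join(tmp, "notes.lnk"), "wb") as fh:
            fh.write(build_test_lnk(False, None))
        return [(os.path.basename(p), m) for p, m in scan_directory(tmp)]


if __name__ == "__main__":
    print(demo())
```

Treat hits as triage leads, not verdicts: legitimate shortcuts to Control Panel applets also carry a Control Panel item and a .cpl path, so weight the result by context (a shortcut in the root of a removable drive next to an unexpected DLL or .tmp file is the pattern that matters). On hosts with MS10-046 installed the icon-loading path no longer loads the module, so the scan is for finding carriers and mapping where a stick has travelled, not for assessing whether a given host is still exploitable.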
☠️ Risk & Impact
Fanny's purpose was reconnaissance of and data collection from air-gapped networks, with the collected data leaving through removable media; the victims were government and other high-value targets in the Middle East and Asia. Its impact is severe because it bypasses physical isolation, the control such networks depend on, and because a single stick moving between networks gives the operators a two-way channel into the isolated side. Financial loss is indirect: forensic cleanup, replacement of removable media, and redesign of data-transfer procedures between isolated and connected networks. No public per-incident cost figure exists for Fanny; the "often exceeding $1 million" figure originally given here is unsupported.
🛡️ Mitigation
Apply MS10-046 (KB2286198) and MS09-025 on every Windows host, including isolated ones that must be patched from offline media; these close the two zero-days Fanny exploited. Disable Autorun through Group Policy (the NoDriveTypeAutoRun Explorer policy) as general hygiene, but note that the LNK exploit triggers when Explorer renders the folder, not through Autorun, so only the patch stops it. Control removable media: allow only approved devices on air-gapped hosts, and sanitize or block sticks that move between isolated and connected networks. On Internet-connected hosts, watch for new outbound connections immediately after a USB insertion, which is when Fanny relays collected data. Use the sample hashes, C2 domain and YARA rules published with Kaspersky's 2015 report (securelist.com/equation-group-7595) rather than the unverified mutex, registry and hash indicators previously listed on this page.