On Good Friday and ahead of the Easter holiday, the Shadow Brokers have dumped a new collection of files, containing what appears to be exploits and hacking tools targeting Microsoft's Windows OS and evidence the Equation Group had gained access to servers and targeted the SWIFT banking system of several banks across the world.

The tools were dumped via the Shadow Brokers Twitter account and were accompanied by a blog post, as the group did in the past.

Called "Lost in Translation," the blog post contains the usual indecipherable ramblings the Shadow Brokers have published in the past, and a link to a Yandex Disk file storage repo.

The password for these files is "Reeeeeeeeeeeeeee", and they've already been unzipped and hosted on GitHub by security researchers.

A list of all the files contained in the dump is available here, and it reveals the presence of 23 new hacking tools, with names such as ODDJOB, EASYBEE, EDUCATEDSCHOLAR, ENGLISHMANSDENTIST, ESKIMOROLL, ECLIPSEDWING, EMPHASISMINE, EMERALDTHREAD, ETERNALROMANCE, ETERNALSYNERGY, EWOKFRENZY, EXPLODINGCAN, ERRATICGOPHER, ESTEEMAUDIT, DOUBLEPULSAR, MOFCONFIG, FUZZBUNCH, and others.

Last year, the Shadow Brokers claimed to have stolen these files from a cyber-espionage group known as the Equation Group, which many security firms claim is the NSA. They put the tools up for auction, but nobody was interested in paying the hefty price of 1 million Bitcoin (around $570 million at the time).

Equation Group had backdoors inside many banks around the world

Last week, the Shadow Brokers dumped the password for the files they had put up for auction last summer. Missing from last week's dump were the Windows files they put up for individual auctions over the winter.

This dump contains three folders named Windows, Swift, and OddJob. The Windows folder contains several Windows hacking tools, although these are not the same tools that were put up for sale last December. The OddJob folder contains an eponymous implant that can be delivered to Windows operating systems. Details on this implant are scarce at the moment.

The folder claiming to hold SWIFT data contains SQL scripts that search for SWIFT-specific data inside databases, and text and Excel files hinting that the Equation Group had hacked and gained access to several banks across the world, mainly in Middle Eastern countries such as Palestine, UAE, Kuwait, Qatar, and Yemen.

This folder is by far the most interesting of the three, as it suggests that the Equation Group (NSA) had been infiltrating banks and secretly keeping an eye on SWIFT transactions. The files included in the dump indicate the Equation Group had targeted and successfully infiltrated the SWIFT Service Bureau of the Middle East (EastNets), one of the SWIFT departments managing and monitoring SWIFT transactions across Middle East banks.

In a statement posted on its website, EastNets denied it had ever been compromised, even though the Shadow Brokers dump included a file with all the Bureau's compromised administrator accounts, some of which correspond to real-world employees.

Summary of leaked data

As the tools were dumped two hours before this article's publication, we have very little information about their purpose except for tweets from security researchers who have managed to figure out the role of some of these hacking tools:

EASYBEE appears to be an MDaemon email server vulnerability [source, source]

EASYPI is an IBM Lotus Notes exploit that gets detected as Stuxnet [source, source]

EWOKFRENZY is an exploit for IBM Lotus Domino 6.5.4 to 7.0.2 [source]

EXPLODINGCAN is an IIS 6.0 exploit that creates a remote backdoor [source]

ETERNALROMANCE is an SMBv1 exploit over TCP port 445 which targets XP, 2003, Vista, 7, Windows 8, 2008, 2008 R2, and gives SYSTEM privileges [source]

EDUCATEDSCHOLAR is an SMB exploit [source]

EMERALDTHREAD is an SMB exploit for Windows XP and Server 2003 [source]

EMPHASISMINE is a remote IMAP exploit for IBM Lotus Domino [source]

ENGLISHMANSDENTIST sets Outlook Exchange WebAccess rules to trigger executable code on the client's side to send an email to other users [source]

ERRATICGOPHER is an SMBv1 exploit targeting Windows XP and Server 2003 [source]

ETERNALSYNERGY is an SMBv3 remote code execution flaw for Windows 8 and Server 2012 [source, source]

ETERNALBLUE is an SMBv2 exploit [source]

ETERNALCHAMPION is an SMBv1 exploit [source]

ESKIMOROLL is a Kerberos exploit targeting 2000, 2003, 2008 and 2008 R2 domain controllers [source]

ESTEEMAUDIT is an RDP exploit and backdoor for Windows Server 2003 [source]

ECLIPSEDWING is an RCE exploit for the Server service in Windows Server 2008 and later [source]

EXPANDINGPULLEY is another Windows implant [source]

GROK is a keylogger for Windows, also known about since the Snowden leaks [source]

ETRE is an exploit for IMail 8.10 to 8.22 [source]

FUZZBUNCH is an exploit framework, similar to Metasploit [source, source], which was also part of the December-January "Windows Tools" Shadow Brokers auction [source]

DOUBLEPULSAR is a RING-0 multi-version kernel mode payload [source]

PASSFREELY is a tool that bypasses authentication for Oracle servers [source]

Equation Group had scripts that could scrape Oracle databases for SWIFT data [source]

ODDJOB is an implant builder and C&C server that can deliver exploits for Windows 2000 and later [source, source], also not detected by any AV vendors [source]

Metadata [possibly faked, possibly real] links the NSA to the Equation Group [source]

The NSA used TrueCrypt for storing operation notes [source]

Some of the Windows exploits released today were undetectable on VirusTotal [source]

Some Equation Group humor in the ODDJOB instructions manual [source]

JEEPFLEA_MARKET appears to be an operation for collecting data from several banks around the world [source], previously linked to the NSA by Snowden [source]

The Equation Group targeted EastNets, a SWIFT connectivity provider [source, source, source, source]

This is really bad, in about an hour or so any attacker can download a simple toolkit to hack into Microsoft based computers around the globe. — Hacker Fantastic (@hackerfantastic) April 14, 2017

It's so much worse than you could imagine, RDP and TerminalServices remote exploits combined with SMB/NBT. It's real IDDQD GOD MODE enabled. — Hacker Fantastic (@hackerfantastic) April 14, 2017

Remember: US negotiated front door access to SWIFT for terrorism purposes. No reason to hack (at least not for terrorism) it in 2013. https://t.co/HXMaW5pc2y — emptywheel (@emptywheel) April 14, 2017

Here is a video showing ETERNALBLUE being used to compromise a Windows 2008 R2 SP1 x64 host in under 120 seconds with FUZZBUNCH #0day ;-) pic.twitter.com/I9aUF530fU — Hacker Fantastic (@hackerfantastic) April 14, 2017

This dump had serious value, even now (great 0days, ops notes, passwords, etc), so burning it is a very expensive signal. — the grugq (@thegrugq) April 14, 2017

This post will most likely be updated with new information as it becomes available.