Jian: The double-edged cyber sword

Issue 1 2021 Editor's Choice, Information Security

In the last few months, Check Point Research (CPR) focused on recent Windows Local Privilege Escalation (LPE) exploits attributed to Chinese actors. An LPE is used by attackers to acquire administrator rights on a Windows machine. During this investigation, our malware and vulnerability researchers managed to unravel the hidden story and origins behind ’Jian‘, an exploit that was previously attributed to the Chinese-affiliated attack group named APT31 (Zirconium). The attack tool was caught and reported to Microsoft by Lockheed Martin’s Computer Incident Response Team, suggesting a possible attack against an American target.

For the sake of brevity, we dubbed APT31’s exploit Jian. During this investigation, our researchers managed to unravel the hidden story behind Jian, which translates to a double-edged straight sword used in China. The Jian exploit was previously attributed to APT31 (Zirconium), and we’ve now discovered its true origins.

Our research shows that CVE-2017-0005, a Windows LPE vulnerability that was attributed to a Chinese APT, was replicated based on an Equation Group exploit for the same vulnerability that the APT had access to. EpMe, the Equation Group exploit for CVE-2017-0005, is one of four different LPE exploits included in the DanderSpritz attack framework. DanderSpritz is Equation Group's post-exploitation framework that contains a wide variety of tools for persistence, reconnaissance, lateral movement, bypassing antivirus engines, and more. EpMe dates back to at least 2013, which is four years before APT31 was caught exploiting the vulnerability in the wild.

In our technical blog, we introduce the four different Windows LPE exploits included in the DanderSpritz framework, revealing an additional exploit codenamed EpMo. EpMo, one of the exploits in the framework, was never publicly discussed and the unknown vulnerability it targets was patched by Microsoft in May 2017 with no apparent announcement. The patch could potentially be associated with the after-effects of the Shadow Brokers leak (https://blog.checkpoint.com/2017/05/25/brokers-shadows-analyzing-vulnerabilities-attacks-spawned-leaked-nsa-hacking-tools/) of Equation Group tools. While the vulnerability was fixed, we couldn’t identify the official vulnerability ID (CVE-ID) associated with it, and to our knowledge, this is the first public mention of the existence of this additional Equation Group vulnerability.

Read the full technical story at https://research.checkpoint.com/2021/the-story-of-jian




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

South African fire standards in a nutshell
Fire & Safety Editor's Choice Training & Education
The importance of compliant fire detection systems and proper fire protection cannot be overstated, especially for businesses. Statistics reveal that 44% of businesses fail to reopen after a fire.

Read more...
The growing role of hybrid backup
Infrastructure Information Security
As Africa’s digital economy rapidly grows, businesses across the continent are facing the challenge of securing data in an environment characterised by evolving cyberthreats, unreliable connectivity and diverse regulatory frameworks.

Read more...
Choicejacking bypasses smartphone charging security
News & Events Information Security
Choicejacking is a new cyberthreat that bypasses smartphone charging security defences to confirm, without the victim’s input or consent, that the victim wishes to connect in data-transfer mode.

Read more...
Most wanted malware
News & Events Information Security
Check Point Software Technologies unveiled its Global Threat Index for June 2025, highlighting a surge in new and evolving threats. Eight African countries are among the most targeted as malware leaders AsyncRAT and FakeUpdates expand.

Read more...
LidarVision for substation security
Fire & Safety Government and Parastatal (Industry) Editor's Choice
EG.D supplies electricity to 2,7 million people in the southern regions of the Czech Republic, on the borders of Austria and Germany. The company operates and maintains infrastructure, including power lines and high-voltage transformer substations.

Read more...
Standards for fire detection
Fire & Safety Associations Editor's Choice
In previous articles in the series on fire standards, Nick Collins discussed SANS 10400-T and SANS 10139. In this editorial, he continues with SANS 322 – Fire Detection and Alarm Systems for Hospitals.

Read more...
Wildfires: a growing global threat
Editor's Choice Fire & Safety
Regulatory challenges and litigation related to wildfire liabilities are on the rise, necessitating robust risk management strategies and well-documented wildfire management plans. Technological innovations are enhancing detection and suppression capabilities.

Read more...
SMARTpod talks to Sophos and Phishield
SMART Security Solutions Technews Publishing Sophos Videos Information Security News & Events
SMARTpod recently spoke with Pieter Nel, Sales Director for SADC at Sophos, and Sarel Lamprecht, MD at Phishield, about ransomware and their new cyber insurance partnership.

Read more...
Cybersecurity and insurance partnership for sub-Saharan Africa
Sophos News & Events Information Security Security Services & Risk Management
Sophos and Phishield Announce first-of-its-kind cybersecurity and insurance partnership for sub-Saharan Africa. The SMARTpod podcast, discussing the deal and the state of ransomware in South Africa and globally, is now also available.

Read more...
Corporate and academic teams can register for Kaspersky contest
Kaspersky News & Events Information Security
Kaspersky has announced the registration opening for its new Kaspersky{CTF} (Capture the Flag) competition, inviting academic and corporate teams from around the globe to compete in a battle of skill, strategy and innovation.

Read more...










While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.




© Technews Publishing (Pty) Ltd. | All Rights Reserved.