WikiLeaks Has Published The CIA’s Secrets For Infecting Windows

WikiLeaks has published what it says is another batch of secret hacking manuals belonging to the US Central Intelligence Agency as part of its Vault7 series of leaks. The site is billing Vault7 as the largest publication of intelligence documents ever.

This installment includes 27 documents related to "Grasshopper," the codename for a set of software tools used to build customised malware for Windows-based computers. 

The Grasshopper framework provides building blocks that can be combined in unique ways to suit the requirements of a given surveillance or intelligence operation. The documents are likely to be of interest to potential CIA targets looking for signatures and other signs indicating their Windows systems were hacked. The leak will also prove useful to competing malware developers who want to learn new techniques and best practices.

"Grasshopper is a software tool used to build custom installers for target computers running Microsoft Windows operating system," one user guide explained. "An operator uses the Grasshopper builder to construct a custom installation executable." The guide continued:

The operator configures an installation executable to install one or more payloads using a variety of techniques. Each payload installer is built from individually configured components that implement part of the installation procedure.

The operator may designate that installation is contingent on the evaluation of the target environment. Target conditions are described using a custom rule language. The operator may configure the tool to output a log file during execution for later exfiltration.

The technical manuals provide a behind-the-scenes look that, for the first time, reveals how the CIA goes about spying on targets that use computers running Microsoft's Windows operating system. Topics that are covered include ways to evade antivirus protection provided by Microsoft's Security Essentials, Symantec, and Kaspersky Lab. 

Also of interest is the CIA's borrowing of Carberp, a powerful piece of bank-fraud malware that once fetched as much as $40,000 in underground forums. Once the Carberp source code was leaked in 2013, security experts warned it was akin to "handing a bazooka to a child."

The documents also include a user manual for "Stolen Goods", a software component that allows Grasshopper malware to persist even after an infected machine has been rebooted. The manual states:

The components were taken from malware known as Carberp, a suspected Russian rootkit used by organised crime. The source of Carberp was published online and has allowed AED\RDB to easily 'borrow' components as needed from the malware. 

Most of Carberp was not used in Stolen Goods 2, specifically all the Bot net/Communications components. The persistence method, and parts of the installer, were taken and modified to fit our needs. All components taken from Carberp were carefully analysed for hidden functionality, backdoors, vulnerabilities, etc. A vast majority of the original Carberp code that was used has been heavily modified. Very few pieces of the original code exist unmodified.

AED and RDB are abbreviations for "Advanced Engineering Division" and "Remote Development Branch," respectively. The Advanced Engineering Division does most of the CIA's implant code development. The Remote Development Branch develops remote implants.

Grasshopper was designed to be a development framework that's easy to use. It includes individual modules that can be combined to meet the requirements of a specific operation. For instance, it provides tools that "perform a pre-installation survey of the target device, assuring that the payload will only [be] installed if the target has the right configuration." It also allows users to customise persistence mechanisms and antivirus evasion to the specific computer that's being targeted.

The latest installment isn't likely to be as damaging as the one published at the beginning of April 2017. That one included code libraries CIA developers use to obfuscate their payloads and to conceal any ties to some other malware used by the agency.

Release of the so-called Marble libraries could make it easier for targets to determine that a previously unattributed hack is the work of the CIA. This latest leak is still a major embarrassment to the CIA, but on the whole the documents don't appear to reveal any specific operations or portray the CIA operating outside its mandated mission.

Ars Technica
