WikiLeaks Has Published The CIA’s Secrets For Infecting Windows

Uploaded on 2017-04-18 in TECHNOLOGY--Hackers, NEWS-News Analysis, INTELLIGENCE--USA, FREE TO VIEW

WikiLeaks has published what it says is another batch of secret hacking manuals belonging to the US Central Intelligence Agency as part of its Vault7 series of leaks. The site is billing Vault7 as the largest publication of intelligence documents ever.

This installment includes 27 documents related to "Grasshopper," the codename for a set of software tools used to build customised malware for Windows-based computers. 

The Grasshopper framework provides building blocks that can be combined in unique ways to suit the requirements of a given surveillance or intelligence operation. The documents are likely to be of interest to potential CIA targets looking for signatures and other signs indicating their Windows systems were hacked. The leak will also prove useful to competing malware developers who want to learn new techniques and best practices.

"Grasshopper is a software tool used to build custom installers for target computers running Microsoft Windows operating system," one user guide explained. "An operator uses the Grasshopper builder to construct a custom installation executable." The guide continued:

The operator configures an installation executable to install one or more payloads using a variety of techniques. Each payload installer is built from individually configured components that implement part of the installation procedure.

The operator may designate that installation is contingent on the evaluation of the target environment. Target conditions are described using a custom rule language. The operator may configure the tool to output a log file during execution for later exfiltration.

The technical manuals provide a behind-the-scenes look that, for the first time, reveals how the CIA goes about spying on targets that use computers running Microsoft's Windows operating system. Topics that are covered include ways to evade antivirus protection provided by Microsoft's Security Essentials, Symantec, and Kaspersky Lab. 

Also of interest is the CIA's borrowing of the Carberp, a powerful piece of bank-fraud malware that once fetched as much as $40,000 in underground forums. Once the Carberp source code was leaked in 2013, security experts warned it was akin to "handing a bazooka to a child."

A user manual for "Stolen Goods", includes a software component that allows Grasshopper malware to persist even after an infected machine has been rebooted.

The components were taken from malware known as Carberp, a suspected Russian rootkit used by organised crime. The source of Carberp was published online and has allowed AED\RDB to easily 'borrow' components as needed from the malware. 

Most of Carberp was not used in Stolen Goods 2, specifically all the Bot net/Communications components. The persistence method, and parts of the installer, were taken and modified to fit our needs. All components taken from Carberp were carefully analysed for hidden functionality, backdoors, vulnerabilities, etc. A vast majority of the original Carberp code that was used has been heavily modified. Very few pieces of the original code exist unmodified.

AED and RDB are abbreviations for "Advanced Engineering Division" and "Remote Development Branch," respectively. The Advanced Engineering Division does most of the CIA's implant code development. The Remote Development Branch develops remote implants.

Grasshopper was designed to be a development framework that's easy to use. It includes individual modules that can be combined to meet the requirements of a specific operation. For instance, it provides tools that "perform a pre-installation survey of the target device, assuring that the payload will only [be] installed if the target has the right configuration." It also allows users to customise persistence mechanisms and antivirus evasion to the specific computer that's being targeted.

The latest installment isn't likely to be as damaging as the one published recently at the beginning of April 2017. That one included code libraries CIA developers use to obfuscate their payloads and to conceal any ties to some other malware used by the agency. 

Release of the so-called Marble libraries could make it easier for targets to determine that a previously unattributed hack is the work of the CIA. This latest leak is still a major embarrassment to the CIA, but on the whole the documents don't appear to reveal any specific operations or portray the CIA operating outside its mandated mission.

Ars Technica

You Might Also Read: 

Wikileaks Vault 7 And The CIA Hacking Arsenal:

WikiLeaks Dump Shines Light On US Intelligence’s Zero-Day Policy:

Security & Encryption After Edward Snowden:

Is There A Positive Aspect To CIA Spying?:

 

« Facebook Accused Of Publishing Child Pornography
Ageing Energy Systems Hold Huge Potential For Cyber Attack »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Defense Advanced Research Projects Agency (DARPA)

Defense Advanced Research Projects Agency (DARPA)

DARPA's mission is to develop breakthrough technologies for national security. The Information Innovation Office undertakes cyber security activities.

SSH Communications Security

SSH Communications Security

SSH Communications Security is a leading provider of enterprise cybersecurity solutions for controlling trusted access to information systems and data.

GigaOm

GigaOm

GigaOm's mission is to provide enterprises with information and analysis to help them make better decisions about technology.

CNCERT/CC

CNCERT/CC

CNCERT is the national Computer Network Emergency Response Technical Team / Coordination Center of China.

XBOSoft

XBOSoft

XBOSoft is a software QA and testing company. We cover the entire QA and testing life cycle including software and application security.

Panaseer

Panaseer

Panaseer is an enterprise cybersecurity automation and data analytics company that helps organizations stop preventable breaches by ensuring security controls are working effectively.

Texplained

Texplained

Texplained specializes in security audits of microchips to identify vulnerabilities and protect against invasive cyber attacks.

Precise Biometrics

Precise Biometrics

Precise Biometrics develop and sell fingerprint software for convenient and secure authentication of people’s identity in mobile devices, smart cards and other products with fingerprint sensors.

Blancco Technology Group

Blancco Technology Group

Blancco Technology Group is a leading global provider of mobile device diagnostics and secure data erasure solutions.

6point6

6point6

6point6 is a technology consultancy with strong expertise in digital transformation, emerging technology and cyber security.

Texas A&M Cybersecurity Center

Texas A&M Cybersecurity Center

Texas A&M Cybersecurity Center is dedicated to combating adversaries who desire to harm our citizens, our government, and our industry through cyber-attacks.

Vortiv

Vortiv

Vortiv Ltd (formerly known as Transaction Solutions International Ltd) is a technology based company focused on the cybersecurity and the cloud services sector.

GoSecure

GoSecure

GoSecure Managed Detection and Response helps all organizations reduce dwell time by preventing breaches before they happen.

Switchfast Technologies

Switchfast Technologies

Switchfast Technologies is an IT consulting and managed services provider, offering IT support and consulting to Chicagoland small businesses.

FTCYBER

FTCYBER

FTCYBER offers the latest technology and data recovery services to identify and extract data from computers and other digital devices.

Menaya

Menaya

Menaya provide Ethical Hackers for leading companies while also providing cyber security solutions to help major infrastructures protect against cyber crime.