Vault7 by WikiLeaks

https://wikileaks.org/ciav7p1/

Today, Tuesday 7 March 2017, WikiLeaks begins its new series of leaks on the U.S. Central Intelligence Agency. Code-named “Vault 7” by WikiLeaks, the project claims that the CIA recently lost control of the majority of its hacking arsenal, including malware, viruses, trojans, weaponized “zero day” exploits, malware remote control systems and associated documentation.

75 Comments

  1. Tomi Engdahl says:

    Hack Your Own Samsung TV With The CIA’s Weeping Angel Exploit
    http://hackaday.com/2017/04/26/hack-your-own-samsung-tv-with-the-cias-weeping-angel-exploit/

    [Wikileaks] has just published the CIA’s engineering notes for Weeping Angel Samsung TV Exploit. This dump includes information for field agents on how to exploit the Samsung’s F-series TVs, turning them into remotely controlled spy microphones that can send audio back to their HQ.

    An attacker needs physical access to exploit the Smart TV, because they need to insert a USB drive and press keys on the remote to update the firmware, so this isn’t something that you’re likely to suffer personally. The exploit works by pretending to turn off the TV when the user puts the TV into standby. In reality, it’s sitting there recording all the audio it can, and then sending it back to the attacker once it comes out of “fake off mode”.

    It is still unclear if this type of vulnerability could be fully patched without a product recall, although firmware version 1118+ eliminates the USB installation method.

    Reply
  2. Tomi Engdahl says:

    WikiLeaks Details MitM Attack Tool Used by CIA
    http://www.securityweek.com/wikileaks-details-mitm-attack-tool-used-cia

    WikiLeaks has released documents detailing a man-in-the-middle (MitM) attack tool allegedly used by the U.S. Central Intelligence Agency (CIA) to target local networks.

    The tool, initially called Fulcrum and later renamed Archimedes by its developers, can be used to conduct MitM attacks within a local area network (LAN). The leaked documents, dated between 2011 and 2014, describe it as a tool that allows the user to redirect LAN traffic from a targeted computer through an attacker-controlled machine before it’s passed on to the gateway.

    Reply
  3. Tomi Engdahl says:

    WikiLeaks Reveals A CIA LAN-Attacking Tool From ‘Vault 7’
    https://it.slashdot.org/story/17/05/07/221257/wikileaks-reveals-a-cia-lan-attacking-tool-from-vault-7?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    WikiLeaks continues to release revealing documents from its Vault 7 cache. This time around the organization introduces us to a CIA tool called Archimedes — previously known as Fulcrum. As before, there is little to confirm whether or not the tool is still in active use — or, indeed, if it has actually ever been used — but the documentation shows how it can be installed on a LAN to perform a man-in-the-middle attack.

    The manual itself explains how Archimedes works: “Archimedes is used to redirect LAN traffic from a target’s computer through an attacker controlled computer before it is passed to the gateway. This enables the tool to inject a forged web server response that will redirect the target’s web browser to an arbitrary location. This technique is typically used to redirect the target to an exploitation server while providing the appearance of a normal browsing session.”

    More Vault 7 leaks from WikiLeaks: Archimedes is the CIA’s man-in-the-middle hacking tool
    https://betanews.com/2017/05/06/wikileaks-vault-7-archimedes/

    Reply
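The Archimedes documentation above describes the symptom a defender can watch for: a target's LAN traffic reaching the gateway by way of another host. The following added example (not from the leaked documents and not Archimedes code) polls ARP-table snapshots and flags the two fingerprints of that redirection, a single MAC answering for several IPs and the gateway address changing MAC between polls. The gateway address and the `ip neigh` lines are constructed.

```python
import re
from collections import defaultdict

# Hypothetical gateway address for the monitored LAN (assumption).
GATEWAY_IP = "192.168.1.1"

# Matches an IPv4 address followed somewhere later on the line by a MAC;
# works for `ip neigh` ("10.0.0.1 dev eth0 lladdr aa:bb:...") and `arp -a`.
ARP_LINE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3}).*?([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)

def parse_arp_table(text):
    """Return {ip: mac} for every line that carries an IP/MAC pair."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table

def detect_arp_anomalies(snapshots, gateway_ip=GATEWAY_IP):
    """Walk successive ARP-table snapshots and return alert strings for
    (a) one MAC answering for several IPs and (b) the gateway's MAC changing
    between polls, i.e. traffic now flowing through another host first."""
    alerts = []
    previous = None
    for idx, snapshot in enumerate(snapshots):
        table = parse_arp_table(snapshot)
        owners = defaultdict(set)
        for ip, mac in table.items():
            owners[mac].add(ip)
        for mac, ips in owners.items():
            if len(ips) > 1:
                alerts.append(f"snapshot {idx}: MAC {mac} claims {sorted(ips)}")
        if previous is not None:
            old, new = previous.get(gateway_ip), table.get(gateway_ip)
            if old and new and old != new:
                alerts.append(
                    f"snapshot {idx}: gateway {gateway_ip} moved from {old} to {new}")
        previous = table
    return alerts

# Constructed `ip neigh` output: a clean poll, then one where the host
# at .50 has started answering for the gateway address.
SNAP_CLEAN = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:20 STALE
192.168.1.50 dev eth0 lladdr 00:11:22:33:44:50 REACHABLE"""

SNAP_SPOOFED = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:50 REACHABLE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:20 STALE
192.168.1.50 dev eth0 lladdr 00:11:22:33:44:50 REACHABLE"""

if __name__ == "__main__":
    for alert in detect_arp_anomalies([SNAP_CLEAN, SNAP_SPOOFED]):
        print(alert)
```

On a real host the snapshots would come from running `ip neigh` (or `arp -a`) on a timer; a change of the gateway MAC also has benign causes such as a router swap, so treat the alert as a prompt to verify, not proof.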
  4. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    Cisco patches 318 switch models for 0-day remote exploit from March’s WikiLeaks CIA dump

    https://arstechnica.com/security/2017/05/cisco-kills-leaked-cia-0day-that-let-attackers-commandeer-318-switch-models/

    Reply
  5. Tomi Engdahl says:

    Cisco Patches CIA Zero-Day Affecting Hundreds of Switches
    http://www.securityweek.com/cisco-patches-cia-zero-day-affecting-hundreds-switches

    Cisco has finally released an update for its IOS and IOS XE software to address a critical vulnerability believed to have been used by the U.S. Central Intelligence Agency (CIA) to target the company’s switches.

    Cisco learned of the flaw in mid-March after conducting an analysis of the Vault 7 files made available by WikiLeaks. These files describe exploits allegedly used by the CIA to hack mobile devices, desktop systems, networking equipment and IoT devices.

    The vulnerability, tracked as CVE-2017-3881, affects the cluster management protocol (CMP) processing code used by Cisco’s IOS and IOS XE software. An unauthenticated attacker can exploit the flaw remotely to cause devices to reload or for arbitrary code execution with elevated privileges.

    Reply
  6. Tomi Engdahl says:

    WikiLeaks Details More Windows Attack Tools Used by CIA
    http://www.securityweek.com/wikileaks-details-more-windows-attack-tools-used-cia

    WikiLeaks has published another round of documents describing tools allegedly used by the U.S. Central Intelligence Agency (CIA). The latest dump in the “Vault 7” series details two Windows frameworks named “AfterMidnight” and “Assassin.”

    AfterMidnight is described as a DLL that self-persists as a Windows service and provides secure execution for “Gremlins,” hidden payloads that allow attackers to subvert the functionality of targeted software, exfiltrate data, and provide internal services for other Gremlins.

    WikiLeaks has regularly published Vault 7 files since March 7.

    However, the organization has not published any actual exploits in an effort to prevent abuse. The recent WannaCry ransomware attacks, which rely on exploits allegedly developed by the NSA and leaked by the Shadow Brokers, have demonstrated that leaking exploits developed by intelligence agencies could have serious consequences.

    Reply
  7. Tomi Engdahl says:

    WikiLeaks Dump Reveals CIA Malware That Can Sabotage User Software
    https://tech.slashdot.org/story/17/05/16/0250243/wikileaks-dump-reveals-cia-malware-that-can-sabotage-user-software?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    “While the world was busy dealing with the WannaCry ransomware outbreak, last Friday, about the time when we were first seeing a surge in WannaCry attacks, WikiLeaks dumped new files part of the Vault 7 series,” reports BleepingComputer. This time, the organization dumped user manuals for two hacking tools named AfterMidnight and Assassin. Both are malware frameworks, but of the two, the most interesting is AfterMidnight — a backdoor trojan for stealing data from infected PCs.

    WikiLeaks Dump Reveals CIA Malware That Can Sabotage User Software
    https://www.bleepingcomputer.com/news/security/wikileaks-dump-reveals-cia-malware-that-can-sabotage-user-software/

    This time around, the organization dumped user manuals for two hacking tools named AfterMidnight and Assassin, two very simplistic malware frameworks, allegedly developed and stolen from the CIA.

    AfterMidnight

    The first of the two is AfterMidnight. In simple terms, and based on the data contained in AfterMidnight’s documentation, this tool is a malware installed on a target’s PC as a DLL file that works as a backdoor.

    The DLL persists between PC reboots and connects to a C&C server via HTTPS, from where it downloads modules to execute. The manual refers to these modules under the name of Gremlins, or Gremlinware.

    To work, AfterMidnight needs a constant Internet connection because if the tool can’t reach its C&C server, it will not launch any of its modules into execution.

    Assassin

    The second manual included in last week’s WikiLeaks dump is for Assassin, a malware framework that is very similar to AfterMidnight.

    Assassin includes a builder, an implant, a command-and-control (C&C) server, and a listening post (an intermediary between the Assassin malware implant and the C&C server).

    The Assassin implant is designed to run as a service on the victim’s Windows computer and is used mainly for executing a precise series of tasks, collecting, and then exfiltrating user data, aka your regular backdoor trojan behavior.

    Reply
  8. Tomi Engdahl says:

    WikiLeaks Details Malware Made by CIA and U.S. Security Firm
    http://www.securityweek.com/wikileaks-details-malware-made-cia-and-us-security-firm

    WikiLeaks has published documents detailing another spy tool allegedly used by the U.S. Central Intelligence Agency (CIA). The latest files describe “Athena,” a piece of malware whose developers claim it works on all versions of Windows.

    Documents apparently created between September 2015 and February 2016 describe Athena as an implant that can be used as a beacon and for loading various payloads into memory. The tool also allows its operator to plant and fetch files to or from a specified location on the compromised system.

    A leaked diagram shows that Athena can be loaded onto the targeted computer by an asset, a remote operator, or via the supply chain. The implant is said to work on all versions of Windows from XP through 10, including Windows Server 2008 and 2012, on both x86 and x64 architectures.

    https://wikileaks.org/vault7/releases/#Athena

    Reply
  9. Tomi Engdahl says:

    CIA Tool ‘Pandemic’ Replaces Legitimate Files With Malware
    http://www.securityweek.com/cia-tool-pandemic-replaces-legitimate-files-malware

    Documents published by WikiLeaks on Thursday describe a tool allegedly used by the U.S. Central Intelligence Agency (CIA) to spread malware on a targeted organization’s network.

    The tool, named “Pandemic,” installs a file system filter driver designed to replace legitimate files with a malicious payload when they are accessed remotely via the Server Message Block (SMB) protocol.

    What makes Pandemic interesting is the fact that it replaces files on-the-fly, instead of actually modifying them on the device the malware is running on. By leaving the legitimate file unchanged, attackers make it more difficult for defenders to identify infected systems.

    “Pandemic does NOT//NOT make any physical changes to the targeted file on disk. The targeted file on the system Pandemic is installed on remains unchanged. Users that are targeted by Pandemic, and use SMB to download the targeted file, will receive the ‘replacement’ file,” the tool’s developers said.

    https://wikileaks.org/vault7/#Pandemic

    Reply
  10. Tomi Engdahl says:

    WikiLeaks emits CIA’s Wi-Fi pwnage tool docs
    Spies do spying, part 78: Cherry Blossom malware gobbles up data flowing through routers
    https://www.theregister.co.uk/2017/06/15/wikileaks_dumps_cia_wifi_pwnage_tool_docs_online/

    Hundreds of commercial Wi-Fi routers are, or were, easily hackable by the CIA, according to classified files published today by WikiLeaks.

    The confidential US government documents describe the Cherry Blossom project, which is the framework by which CIA operatives can subvert wireless routers; install software that harvests email addresses, chat usernames, MAC addresses and VoIP numbers; and allow man-in-the-middle attacks and browser redirection.

    We’re told Cherry Blossom, or at least version 5 of it, allows agents to infect both wireless and wired access points by installing a firmware upgrade dubbed FlyTrap that can be put on the device without needing physical access to it.

    Flytrap can monitor internet traffic through the router, redirect web browser connections to websites that the CIA wants a target to see, proxy a target’s network connections, and harvest and copy data traffic. It then sends it all back to a command and control system called Cherry Tree.

    “The key component is the Flytrap, which is typically a wireless (802.11/WiFi) device (router/access point) that has been implanted with CB firmware,” the documents state.

    Cherry Blossom
    https://wikileaks.org/vault7/#Cherry%20Blossom

    15 June, 2017

    Today, June 15th 2017, WikiLeaks publishes documents from the CherryBlossom project of the CIA that was developed and implemented with the help of the US nonprofit Stanford Research Institute (SRI International).

    CherryBlossom provides a means of monitoring the Internet activity of and performing software exploits on Targets of interest. In particular, CherryBlossom is focused on compromising wireless networking devices, such as wireless routers and access points (APs), to achieve these goals.

    Reply
  11. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    WikiLeaks documents show how CIA infected WiFi routers from 10 manufacturers including D-Link and Linksys to monitor and manipulate traffic, infect more devices

    Advanced CIA firmware has been infecting Wi-Fi routers for years
    Latest Vault7 release exposes network-spying operation CIA kept secret since 2007.
    https://arstechnica.com/security/2017/06/advanced-cia-firmware-turns-home-routers-into-covert-listening-posts/

    Home routers from 10 manufacturers, including Linksys, DLink, and Belkin, can be turned into covert listening posts that allow the Central Intelligence Agency to monitor and manipulate incoming and outgoing traffic and infect connected devices. That’s according to secret documents posted Thursday by WikiLeaks.

    CherryBlossom, as the implant is code-named, can be especially effective against targets using some D-Link-made DIR-130 and Linksys-manufactured WRT300N models because they can be remotely infected even when they use a strong administrative password. An exploit code-named Tomato can extract their passwords as long as a default feature known as universal plug and play remains on. Routers that are protected by a default or easily-guessed administrative password are, of course, trivial to infect. In all, documents say CherryBlossom runs on 25 router models, although it’s likely modifications would allow the implant to run on at least 100 more.

    The 175-page CherryBlossom user guide describes a Linux-based operating system that can run on a broad range of routers. Once installed, CherryBlossom turns the device into a “FlyTrap” that beacons a CIA-controlled server known as a “CherryTree.” The beacon includes device status and security information that the CherryTree logs to a database. In response, the CherryTree sends the infected device a “Mission” consisting of specific tasks tailored to the target. CIA operators can use a “CherryWeb” browser-based user interface to view Flytrap status and security information, plan new missions, view mission-related data, and perform system administration tasks.

    SRI-SLO-FF-2012-177-CherryBlossom_UsersManual_CDRL-12_SLO-FF-2012-171
    https://wikileaks.org/vault7/document/SRI-SLO-FF-2012-177-CherryBlossom_UsersManual_CDRL-12_SLO-FF-2012-171/

    Reply
  12. Tomi Engdahl says:

    How the CIA infects air-gapped networks
    Sprawling “Brutal Kangaroo” spreads malware using booby-trapped USB drives.
    https://arstechnica.com/security/2017/06/leaked-documents-reveal-secret-cia-operation-for-infecting-air-gapped-pcs/

    Documents published Thursday purport to show how the Central Intelligence Agency has used USB drives to infiltrate computers so sensitive they are severed from the Internet to prevent them from being infected.

    More than 150 pages of materials published by WikiLeaks describe a platform code-named Brutal Kangaroo that includes a sprawling collection of components to target computers and networks that aren’t connected to the Internet. Drifting Deadline was a tool that was installed on computers of interest. It, in turn, would infect any USB drive that was connected. When the drive was later plugged into air-gapped machines, the drive would infect them with one or more pieces of malware suited to the mission at hand. A Microsoft representative said none of the exploits described work on supported versions of Windows.

    The infected USB drives were at least sometimes able to infect computers even when users didn’t open any files. The so-called EZCheese exploit, which was neutralized by a patch Microsoft appears to have released in 2015, worked anytime a malicious file icon was displayed by the Windows explorer.

    Microsoft didn’t say when it patched the vulnerabilities exploited by Lachesis and RiverJack. Interestingly, Microsoft earlier this month patched a critical vulnerability that allowed so-called .LNK files stored on removable drives and remote shares to execute malicious code. Microsoft said in its advisory that the vulnerability was being actively exploited but didn’t elaborate.

    Brutal Kangaroo
    https://wikileaks.org/vault7/#Brutal%20Kangaroo

    Reply
  14. Tomi Engdahl says:

    WikiLeaks Details CIA’s Air-Gapped Network Hacking Tool
    http://www.securityweek.com/wikileaks-details-cias-air-gapped-network-hacking-tool

    WikiLeaks published several documents on Thursday detailing a tool allegedly used by the U.S. Central Intelligence Agency (CIA) to hack air-gapped networks through USB drives.

    Dubbed “Brutal Kangaroo,” it has been described by its developer as a tool suite designed for targeting closed networks. The infected systems will form a covert network, and the attacker will be able to obtain information and execute arbitrary files.

    One component of Brutal Kangaroo is called “Shattered Assurance” and it’s designed to automatically spread the tool to USB drives connected to a device within the targeted organization that was infected remotely via the Internet. Shattered Assurance relies on a tool named “Drifting Deadline” to infect thumb drives.

    Reply
  15. Tomi Engdahl says:

    WikiLeaks Details CIA’s Air-Gapped Network Hacking Tool
    http://www.securityweek.com/wikileaks-details-cias-air-gapped-network-hacking-tool

    WikiLeaks published several documents on Thursday detailing a tool allegedly used by the U.S. Central Intelligence Agency (CIA) to hack air-gapped networks through USB drives.

    Dubbed “Brutal Kangaroo,” it has been described by its developer as a tool suite designed for targeting closed networks. The infected systems will form a covert network, and the attacker will be able to obtain information and execute arbitrary files.

    https://wikileaks.org/vault7/#Brutal%20Kangaroo

    Reply
  16. Tomi Engdahl says:

    Spies do spying, part 97: The CIA has a tool to track targets via Wi-Fi
    http://www.theregister.co.uk/2017/06/29/last_wikileaks_dump_had_wifi_tracking_tool/

    The latest cache of classified intelligence documents dumped online by WikiLeaks includes files describing malware CIA apparently uses to track PCs via Wi‑Fi.

    The Julian Assange-led website claims the spyware, codenamed ELSA, infects a target’s Windows computer and then harvests wireless network details to pinpoint the location of the machine.

    Reply
  17. Tomi Engdahl says:

    ‘HighRise’ Android Malware Used by CIA to Intercept SMS Messages
    http://www.securityweek.com/highrise-android-malware-used-cia-intercept-sms-messages

    WikiLeaks on Thursday published a user guide describing what appears to be a tool used by the U.S. Central Intelligence Agency (CIA) to intercept SMS messages on Android mobile devices.

    Named HighRise, the version of the malware described in the WikiLeaks document is disguised as an app called TideCheck, and it only works on Android versions between 4.0 and 4.3.

    https://wikileaks.org/vault7/document/HighRise-2_0-Users_Guide/HighRise-2_0-Users_Guide.pdf

    Reply
  18. Tomi Engdahl says:

    ‘Dumbo’ Tool Helps CIA Agents Disable Security Cameras
    http://www.securityweek.com/dumbo-tool-helps-cia-agents-disable-security-cameras

    The U.S. Central Intelligence Agency (CIA) has developed a tool that disables security cameras and corrupts recordings in an effort to prevent its agents from getting compromised, according to documents published on Thursday by WikiLeaks.

    The tool, dubbed “Dumbo,” is executed directly from a USB thumb drive by an operative who has physical access to the targeted device. Once executed, the program can mute microphones, disable network adapters, and suspend processes associated with video recording devices.

    Dumbo also informs its user of where those video recording processes store footage so that the files can be corrupted or deleted.

    The user guides made available by WikiLeaks — the latest version is dated June 2015 — show that the tool was developed in response to the need for a capability to disrupt webcams and corrupt recordings in an effort to prevent a PAG (Physical Access Group) deployment from getting compromised.

    PAG is a special branch within the CIA’s Center for Cyber Intelligence (CCI) and its role is to gain physical access to computers and exploit this access, WikiLeaks said.

    The tool, designed for Windows XP and newer versions of the Microsoft operating system, needs SYSTEM privileges to function correctly.

    “[The tool] identifies installed devices like webcams and microphones, either locally or connected by wireless (Bluetooth, WiFi) or wired networks. All processes related to the detected devices (usually recording, monitoring or detection of video/audio/network streams) are also identified and can be stopped by the operator,” WikiLeaks said. “By deleting or manipulating recordings the operator is aided in creating fake or destroying actual evidence of the intrusion operation.”

    Dumbo developers pointed out that home security products (e.g. Kaspersky antivirus) may block some of the tool’s functions, and advised users to disable any protections before installation.

    https://wikileaks.org/vault7/#Dumbo

    Reply
  19. Tomi Engdahl says:

    This is How CIA Disables Security Cameras During Hollywood-Style Operations
    http://thehackernews.com/2017/08/surveillance-camera-hacking.html?m=1

    In the last 20 years, we have seen hundreds of caper/heist movies where spies or bank robbers hijack surveillance cameras of secure premises to either stop recording or set up an endless loop for covert operations without leaving any evidence.
    Whenever I see such scenes in a movie, I wonder and ask myself: Does this happen in real-life?
    Yes, it does, trust me—at least CIA agents are doing this.

    WikiLeaks has just unveiled another classified CIA project, dubbed ‘Dumbo,’ which details how CIA agents hijack and manipulate webcams and microphones in Hollywood style “to gain and exploit physical access to target computers in CIA field operations.”

    Reply
  20. Tomi Engdahl says:

    CIA’s “CouchPotato” Collects Video Streams
    http://www.securityweek.com/cias-couchpotato-collects-video-streams

    WikiLeaks has published documents that describe a remote tool allegedly used by the U.S. Central Intelligence Agency (CIA) to collect RTSP/H.264 video streams.

    Dubbed “CouchPotato,” the tool can apparently be used to collect the stream as a video file (AVI), or to capture still images (JPG) of frames from the stream, as long as these frames are “of significant change from a previously captured frame.”

    To perform the video and image encoding and decoding operations, the tool leverages the free software project FFmpeg. However, many audio and video codecs, along with unnecessary features, have been removed from the FFmpeg version used by CouchPotato.

    To provide the tool with image change detection features, the pHash image hashing algorithm has been integrated into FFmpeg’s image2 demuxer. CouchPotato also uses RTSP connectivity and “relies on being launched in an ICE v3 Fire and Collect compatible loader,” the tool’s user guide published on WikiLeaks reveals (PDF).

    Thus, the use of this tool requires a loader that can support the ICE v3 specification.

    Reply
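The "significant change from a previously captured frame" logic described for CouchPotato is a perceptual-hash comparison. The added example below (my own illustration, not CouchPotato's or FFmpeg's code) shows the mechanism with an average hash instead of pHash's DCT-based variant so it runs without image libraries: frames are block-averaged to 8x8, hashed to 64 bits, and a frame is kept only when its Hamming distance from the last kept frame exceeds a threshold. Frames are grayscale lists of lists whose dimensions are multiples of 8; the sample frames and the threshold value are constructed.

```python
HASH_SIZE = 8          # 8x8 cells -> 64-bit hash
CHANGE_THRESHOLD = 10  # Hamming distance above which a frame counts as changed (assumed)

def downsample(frame, size=HASH_SIZE):
    """Box-average a rows x cols grayscale frame down to size x size cells."""
    rows, cols = len(frame), len(frame[0])
    if rows % size or cols % size:
        raise ValueError(f"frame dimensions must be multiples of {size}")
    bh, bw = rows // size, cols // size
    out = []
    for r in range(size):
        row = []
        for c in range(size):
            block = [frame[y][x]
                     for y in range(r * bh, (r + 1) * bh)
                     for x in range(c * bw, (c + 1) * bw)]
            row.append(sum(block) / len(block))
        out.append(row)
    return out

def average_hash(frame):
    """64-bit aHash: bit set where a cell is brighter than the frame mean."""
    cells = [v for row in downsample(frame) for v in row]
    mean = sum(cells) / len(cells)
    bits = 0
    for v in cells:
        bits = (bits << 1) | (1 if v > mean else 0)
    return bits

def hamming(h1, h2):
    """Number of differing bits between two hashes."""
    return bin(h1 ^ h2).count("1")

def select_changed_frames(frames, threshold=CHANGE_THRESHOLD):
    """Return indices of frames that would be captured: the first frame and
    any frame whose hash is farther than `threshold` from the last kept one."""
    kept, last_hash = [], None
    for i, frame in enumerate(frames):
        h = average_hash(frame)
        if last_hash is None or hamming(h, last_hash) > threshold:
            kept.append(i)
            last_hash = h
    return kept

def make_frame(square_origin, noise_pixels=()):
    """Constructed 16x16 frame: dark background with a bright 8x8 square."""
    frame = [[20] * 16 for _ in range(16)]
    oy, ox = square_origin
    for y in range(oy, oy + 8):
        for x in range(ox, ox + 8):
            frame[y][x] = 200
    for y, x in noise_pixels:
        frame[y][x] += 5  # mild sensor noise outside the square
    return frame

# Constructed sequence: same scene, same scene with noise, object moved, unchanged.
FRAMES = [
    make_frame((0, 0)),
    make_frame((0, 0), noise_pixels=[(12, 3), (14, 9), (9, 15)]),
    make_frame((8, 8)),
    make_frame((8, 8)),
]

if __name__ == "__main__":
    print("frames worth saving:", select_changed_frames(FRAMES))  # [0, 2]
```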
  21. Tomi Engdahl says:

    WikiLeaks: CIA Secretly Collected Data From Liaison Services
    http://www.securityweek.com/wikileaks-cia-secretly-collected-data-liaison-services

    WikiLeaks has published another round of Vault 7 documents, this time describing a tool allegedly used by the U.S. Central Intelligence Agency (CIA) to secretly collect biometric data from the agency’s liaison services.

    The leaked documents, marked as “secret,” appear to reveal that the CIA’s Office of Technical Services (OTS) and Identity Intelligence Center (I2C), both part of the agency’s Directorate of Science and Technology, have provided liaison services with a system that collects biometric information.

    According to WikiLeaks, these liaison services include other U.S. government agencies, such as the National Security Agency (NSA), the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI).

    In order to ensure that liaison services share the collected biometric data, the CIA has developed a tool called ExpressLane, which secretly copies the data collected by the biometric software and disables this software if continued access is not provided to the agency.

    The documents show that ExpressLane is installed on the targeted system by an OTS officer claiming to perform an upgrade to the biometric system from a USB drive.

    Another feature of ExpressLane allows the agency to ensure that the biometric software is disabled after a specified number of days unless action is taken. When the tool is installed, a kill date, which specifies when the biometric software will stop functioning, is set (the default value is 6 months in the future). If an agent does not return with the ExpressLane USB drive within that period, the license for the biometric software expires. Whenever ExpressLane is run on the targeted system, the kill date is extended.

    Reply
  22. Tomi Engdahl says:

    The CIA built a fake software update system to spy on intel partners
    https://www.theverge.com/2017/8/24/16197694/cia-fake-software-update-hacking-wikileaks-vault-7

    Anyone relying on the CIA for tech support got a nasty surprise this morning, as documents published by Wikileaks revealed a secret project to siphon out data through its technical liaison service, dating back to 2009.

    The program, called ExpressLane, is designed to be deployed alongside a biometric collection system that the CIA provides to partner agencies. In theory, those partners are agreeing to provide the CIA with access to specific biometric data — but on the off-chance those partners are holding out on them, ExpressLane gives the agency a way to take it without anyone knowing.

    ExpressLane masquerades as a software update, delivered in-person by CIA technicians — but the documents make clear that the program itself will remain unchanged. Instead, the program siphons the system’s data to a thumb drive, where agents can examine it to see if there’s anything the partner system is holding back. If the partners refuse the phony update, there’s a hidden kill-switch that lets agents shut down the entire system after a set period of time, requiring an in-person visit to restore the system.

    Reply
  23. Tomi Engdahl says:

    CIA’s “AngelFire” Modifies Windows’ Boot Sector to Load Malware
    http://www.securityweek.com/cias-angelfire-modifies-windows-boot-sector-load-malware

    Wikileaks on Thursday published documents detailing AngelFire, a tool allegedly used by the U.S. Central Intelligence Agency (CIA) to load and execute implants on Windows-based systems.

    Similar to other “Vault7” tools that Wikileaks unveiled over the past several months, such as Grasshopper and AfterMidnight, AngelFire is a persistent framework targeting computers running Windows XP and Windows 7.

    According to the published documents, the framework consists of five components: Solartime, Wolfcreek, Keystone (previously called MagicWand), BadMFS, and the Windows Transitory File system.

    Solartime was designed to modify the partition boot sector so as to load the Wolfcreek implant when Windows loads boot time device drivers. Wolfcreek is a self-loading driver that can load additional drivers and user-mode applications after execution. By loading additional implants, memory leaks that could be detected on infected machines are created.

    https://wikileaks.org/vault7/#Angelfire

    Reply
