
Vault 7 Data Leak: Analyzing the CIA files

July 20, 2017 by Pierluigi Paganini

Digging the Vault 7 dumps

In a first post on the Vault7 dump, we analyzed the information contained in files leaked by Wikileaks and allegedly originating from a network of the U.S. Central Intelligence Agency (CIA).

At the time, we analyzed the following CIA projects:

  • The Year Zero batch that revealed CIA hacking exploits for hardware and software.
  • The Dark Matter dump containing iPhone and Mac hacking exploits.
  • The Marble batch focused on a framework used by the CIA to make the attribution of cyber-attacks harder.
  • The Grasshopper batch that reveals a framework for customizing malware to break into Microsoft Windows and bypass antivirus protection.
  • The Scribbles project for document tracking.
  • The Archimedes MiTM hacking tool.

Below is the list of documents published by WikiLeaks since March:

Let's go ahead with the remaining projects starting with the AfterMidnight project.

AfterMidnight – 12 May 2017

On May 12, WikiLeaks published the documentation related to two malware platforms codenamed AfterMidnight and Assassin designed by the CIA to create custom malware for Windows systems.

Both AfterMidnight and Assassin platforms implement classic backdoor features that allowed the CIA to take control over the targeted systems.

The AfterMidnight malware framework allows CIA operators to dynamically load and execute malicious payloads on a target system.

The principal payload is disguised as a self-persisting Windows Dynamic-Link Library (DLL) file and executes small payloads dubbed "Gremlins" that can subvert the functionality of targeted software, gather information about the target, or provide services for other gremlins.

"'Gremlin' is the term for an AM payload that is meant to run hidden on target and either:

  • Subvert the functionality of targeted software.
  • Provided basic survey/exfil.
  • Provide internal services for other gremlins" states the documentation.

Figure 1 - AfterMidnight Documentation Leaked by Wikileaks

AfterMidnight leverages an HTTPS-based Listening Post (LP) system called "Octopus" to check for scheduled events; every time a new one is created, the framework downloads and stores all required components before loading the new gremlins into memory.

The documents include the AfterMidnight user guide; below is the description of the malware platform provided by the manual:

"AfterMidnight is a DLL that self-persists as a Windows Service DLL and provides secure execution of "Gremlins" via a HTTPS based LP. Once installed on a target machine AM will call back to a configured LP on a configurable schedule, checking to see if there is a new plan for it to execute," reads the guide. "If there is, it downloads and stores all needed components before loading all new gremlins in memory. All local storage is encrypted with an "LP" key that is not stored on the client. If AM is unable to contact the LP, it will be unable to execute any payload."

The local storage used by AfterMidnight is encrypted with a key that is not stored on the target machine.

CIA operators can schedule a custom task using a custom script language included in a special module "AlphaGremlin."

The AfterMidnight manual also includes two examples of how to use malware created by the platform. One example shows how to create malicious code that prevents the user from using a browser, forcing them to spend more time on work applications and allowing CIA agents to collect more data. The example includes sample configurations that kill all Internet Explorer and Firefox processes every 30 seconds.

The second example shows how to create AfterMidnight sample to "annoy the [...] target whenever they use PowerPoint (because face it, they deserve it for using PP)."

The Assassin malware platform is similar to AfterMidnight; it allows CIA operators to control the target systems.

"'Assassin' is a similar kind of malware; it is an automated implant that provides a simple collection platform on remote computers running the Microsoft Windows operating system. Once the tool is installed on the target, the implant is run within a Windows service process. 'Assassin' (just like 'AfterMidnight') will then periodically beacon to its configured listening post(s) to request tasking and deliver results," states WikiLeaks. "Communication occurs over one or more transport protocols as configured before or during deployment. The 'Assassin' C2 (Command and Control) and LP (Listening Post) subsystems are referred to collectively as 'The Gibson' and allow operators to perform specific tasks on an infected target."

The tool runs the implant within a Windows service process and operates as a collection platform on remote Windows PCs.

The user guide describes the four components of the Assassin malware framework.

  • The 'Implant' provides the core logic and functionality of this tool on a target Windows machine, including communications and task execution.
  • The 'Builder' configures the Implant component.
  • The 'Command and Control' subsystem acts as an interface between the operator and the Listening Post (LP).
  • The Listening Post (LP) allows the Assassin Implant to communicate with the command and control subsystem through a web server.

Athena – 19 May 2017

A couple of weeks later, WikiLeaks published a new batch of documents from the CIA Vault 7 dump related to a spyware framework dubbed Athena/Hera. The documents state that the Athena/Hera malware was used by US intelligence to take remote control of infected Windows machines.

The dump includes a user manual for the Athena platform, an overview of the technology, and a demo on how to use the malware.

CIA operators developed two spyware tools for Windows systems: Athena, which targets machines running Windows XP through Windows 10, and Hera, which works on Windows 8 through Windows 10.

"The Athena System fulfills COG/NOD's need for a remote beacon/loader. Table 2 shows the system components available in Athena/Hera v1.0. The target computer operating systems are Windows XP Pro SP3 32-bit (Athena only), Windows 7 32-bit/64-bit, Windows 8.1 32-bit/64-bit, Windows 2008 Enterprise Server, Windows 2012 Server, and Windows 10," reads the system overview included in the user guide. "Ubuntu v14.04 is the validated Linux version. Apache 2.4 is the validated web server for the Listening Post."

The Athena spyware was written in Python and seems to date back to August 2015; if confirmed, this is worrying news because Microsoft released Windows 10 in July 2015.

Athena was developed by CIA experts jointly with malware developers at Siege Technologies, a cyber security firm specializing in offensive security.

"Athena is a beacon loader developed with Siege Technologies. At the core, it is a very simple implant application. It runs in user space and beacons from the srvhost process. The following diagram shows the concept of operation." states the Athena Technology Overview.

The Athena spyware is able to modify its configuration in real time, a feature that allows it to be tailored for a specific operation.

"Once installed, the malware provides a beaconing capability (including configuration and task handling), the memory loading/unloading of malicious payloads for specific tasks and the delivery and retrieval of files to/from a specified directory on the target system," WikiLeaks claims.

Figure 2 - Athena spyware scheme (Vault 7)

The leaked documents did not provide any info regarding the operations being conducted by the CIA by using the Athena spyware, but it is not hard to imagine how the intelligence agency would be using this program to spy on their targets.

Pandemic – 1 June 2017

June began with the release of a new batch of five documents from the Vault7 archive related to another CIA project codenamed 'Pandemic.'

The Pandemic CIA project is a persistent implant for Windows machines that share files (programs) with remote users on a local network. The implant can infect remote users by replacing application code on-the-fly with a trojanized version when the application is retrieved from the infected machine.

The implant transforms file servers into machines that infect PCs which access them remotely.

"Today, June 1st, 2017, WikiLeaks publishes documents from the "Pandemic" project of the CIA, a persistent implant for Microsoft Windows machines that share files (programs) with remote users on a local network," reads the description published by WikiLeaks. "'Pandemic' targets remote users by replacing application code on-the-fly with a trojaned version if the program is retrieved from the infected machine."

A computer on a local network with shared drives that is infected with the Pandemic implant is the equivalent of a "Patient Zero" spreading a disease: it will compromise remote computers whose users execute applications stored on the Pandemic file server.

The installation of the implant is very rapid; according to the documents it takes just 10 to 15 seconds.

According to the documents, Pandemic is installed as a minifilter device driver. The implant would therefore likely need to be signed with a valid digital certificate to be installed, unless it is loaded through an exploit that bypasses the code-signing checks. The driver-signing restriction and other technical details, one analyst told Ars Technica, give the impression that the tool isn't in widespread use.

"This code looks like it was developed with a very specific use in mind," Jake Williams, former NSA TAO hacker, told Ars Technica. "Many larger organizations don't use Windows file servers to serve files. They use special built storage devices (network attached storage). My guess here would be that this was designed to target a relatively small organization."

The Pandemic implant doesn't change the file on the infected system; when victims request a file from it, it simply delivers them a trojanized replacement of the legitimate application.

According to the documentation, the Pandemic implant is able to replace up to 20 programs, with a maximum size of 800MB.

"Pandemic is a tool which is run as kernel shellcode to install a file system filter driver. The filter will 'replace' a target file with the given payload file when a remote user accesses the file via SMB (read-only, not write)." reads the Pandemic Implant tool summary. "Pandemic will not 'replace' the target file when the target file is opened on the machine Pandemic is running on. The goal of Pandemic is to be installed on a machine where remote users use SMB to download/execute PE files. (S//NF) Pandemic does NOT//NOT make any physical changes to the targeted file on disk. The targeted file on the system Pandemic is installed on remains unchanged. Users that are targeted by Pandemic, and use SMB to download the targeted file, will receive the 'replacement' file."

The documentation does not describe the infection process further; it is not specified whether infected machines become new Pandemic servers.
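Because the documents say the on-disk file never changes and only a remote SMB read receives the replacement, a defender can detect the swap by hashing the file locally on the server and comparing it with the copy a client actually fetched. The script below is an added example in Python, not code from the leaked documents; the share layout, file contents and the tampered client copy are constructed samples, and it assumes the share serves PE files.

```python
"""Integrity check for Pandemic-style on-the-fly file replacement over SMB.

Added example, not code from the leaked documents. The documents say the file
on the infected server's disk stays unchanged while a remote SMB read receives
a replacement, so hashing the file on the server and hashing the copy a client
fetched over SMB, then comparing the two, exposes the swap.
"""
import hashlib
import tempfile
from pathlib import Path

PE_SUFFIXES = (".exe", ".dll", ".sys")  # assumption: the share serves PE files


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 (the docs mention payloads up to 800MB)."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(share_root: Path) -> dict:
    """Hash every PE file under the share as seen locally on the file server."""
    return {
        p.relative_to(share_root).as_posix(): sha256_of(p)
        for p in sorted(share_root.rglob("*"))
        if p.is_file() and p.suffix.lower() in PE_SUFFIXES
    }


def compare_fetched(manifest: dict, fetched_root: Path) -> dict:
    """Classify client-side fetched copies against the server-side manifest."""
    report = {"ok": [], "mismatch": [], "missing": []}
    for rel, expected in manifest.items():
        copy = fetched_root / rel
        if not copy.is_file():
            report["missing"].append(rel)
        elif sha256_of(copy) != expected:
            report["mismatch"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def demo() -> dict:
    """Constructed sample: a two-file share and a client fetch in which one
    copy differs from the server's on-disk bytes, as a Pandemic victim would see."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp) / "share"
        fetched = Path(tmp) / "fetched"
        for root in (share, fetched):
            (root / "tools").mkdir(parents=True)
        (share / "tools" / "app.exe").write_bytes(b"MZ" + b"\x00" * 64)
        (share / "tools" / "helper.dll").write_bytes(b"MZ" + b"\x01" * 64)
        manifest = build_manifest(share)
        # The client's copy of helper.dll matches the server; app.exe does not.
        (fetched / "tools" / "helper.dll").write_bytes(b"MZ" + b"\x01" * 64)
        (fetched / "tools" / "app.exe").write_bytes(b"MZ" + b"\xff" * 64)
        return compare_fetched(manifest, fetched)


if __name__ == "__main__":
    print(demo())
```

On a real share the manifest is produced on the server and the fetched copies are collected on a client; a mismatch with an unchanged server-side hash is exactly the signature the documents describe.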

Cherry Blossom – 15 June 2017

The Cherry Blossom framework was developed by the CIA under the 'Cherry Bomb' project, along with experts at the Stanford Research Institute (SRI International), for hacking into Wi-Fi devices, including hundreds of home router models.

Cherry Blossom is a remotely controllable firmware-based implant for wireless networking devices; it can be used to compromise routers and wireless access points (APs) by triggering vulnerabilities to gain unauthorized access and load the custom Cherry Blossom firmware.

"The Cherry Blossom (CB) system provides a means of monitoring the internet activity of and performing software exploits on targets of interest. In particular, CB is focused on compromising wireless networking devices, such as wireless (802.11) routers and access points (APs), to achieve these goals," states the user manual.

"An implanted device [called Flytrap] can then be used to monitor the internet activity of and deliver software exploits to targets of interest." reads the CherryBlossom — User's Manual (CDRL-12). "The wireless device itself is compromised by implanting a customized CherryBlossom firmware on it; some devices allow upgrading their firmware over a wireless link, so no physical access to the device is necessary for a successful infection," WikiLeaks says.

CherryBlossom is composed of four main components:

  • FlyTrap – the beacon (compromised firmware) that runs on the compromised device and communicates with the CherryTree C&C server.
  • CherryTree – the C&C server that communicates with FlyTrap.
  • CherryWeb – a web-based admin panel running on CherryTree.
  • Mission – a set of tasks sent by the C&C server to infected devices.

CIA cyber spies use the Cherry Blossom framework to compromise wireless networking devices on the targeted networks and then run man-in-the-middle attacks to eavesdrop on and manipulate the Internet traffic of connected devices.

Figure 3 - CherryBlossom Project

FlyTrap can perform the following malicious tasks:

  • Monitor network traffic to gather data of interest such as email addresses, MAC addresses, VoIP numbers, and chat user names.
  • Redirect users to malicious websites.
  • Inject malicious content into the data traffic to deliver malware.
  • Set up VPN tunnels to access clients connected to Flytrap's WLAN/LAN for further exploitation.

The CherryTree C&C server must be located in a secure sponsored facility and deployed on Dell PowerEdge 1850 powered virtual servers running Red Hat Fedora 9 with at least 4GB of RAM.

The documents leaked by WikiLeaks include a list of more than 200 router models that could be hacked with the CherryBlossom implant. Experts noticed that most of them are older models from various vendors, including Belkin, D-Link, Linksys, Aironet/Cisco, Apple AirPort Express, Allied Telesyn, Ambit, AMIT Inc, Accton, 3Com, Asustek Co, Breezecom, Cameo, Epigram, Gemtek, Global Sun, Hsing Tech, Orinoco, PLANET Technology, RPT Int, Senao, US Robotics and Z-Com.

The full list of devices is included in a WikiLeaks document.

ELSA malware – 28 June 2017

Elsa is malware detailed in the documents leaked by WikiLeaks on June 28; it was designed by the CIA to track people's locations via their Wi-Fi-enabled devices.

The Elsa malware implements a geolocation technique to track targets via Wi-Fi devices: it scans visible Wi-Fi access points and records their details, such as the ESS identifier, MAC address and signal strength, at regular intervals.

The leaked dump includes a user manual dated September 2013; the documents do not include information about any later improvements to the malicious code.

Figure 4 - Elsa Malware

The data recorded by the ELSA malware is encrypted and logged; CIA agents can access it only by manually retrieving the log from the Wi-Fi-enabled device. When the device is online, the malware leverages public geolocation databases from Google or Microsoft to resolve its position.

"ELSA is a geolocation malware for Wi-Fi-enabled devices like laptops running the Microsoft Windows operating system. Once persistently installed on a target machine using separate CIA exploits, the malware scans visible Wi-Fi access points and records the ESS identifier, MAC address and signal strength at regular intervals." reads the post published by Wikileaks. "To perform the data collection the target machine does not have to be online or connected to an access point; it only needs to be running with an enabled Wi-Fi device. If it is connected to the internet, the malware automatically tries to use public geolocation databases from Google or Microsoft to resolve the position of the device and stores the longitude and latitude data along with the timestamp. The collected access point/geolocation information is stored in encrypted form on the device for later exfiltration. The malware itself does not beacon this data to a CIA back-end; instead, the operator must actively retrieve the log file from the device – again using separate CIA exploits and backdoors."

The documents report the malware also works when the Wi-Fi enabled device is offline or isn't connected to an access point.

The data is encrypted and logged, and the malware's operator can manually retrieve the logs by connecting to the infected device. The ELSA malware could be customized by CIA operators to match the target environment and mission objectives.

"The ELSA project allows the customization of the implant to match the target environment and operational objectives like sampling interval, the maximum size of the logfile and invocation/persistence method," continues WikiLeaks. "Additional back-end software (again using public geolocation databases from Google and Microsoft) converts unprocessed access point information from exfiltrated logfiles to geolocation data to create a tracking profile of the target device."


OutlawCountry – 30 June 2017

Since March, all the documents leaked by WikiLeaks from Vault7 had detailed tools and hacking techniques for Windows systems. On June 30, the organization published new files from the Vault 7 leak detailing a CIA tool dubbed OutlawCountry, used by the agency to remotely spy on computers running Linux operating systems.

The OutlawCountry tool was designed to redirect all outbound network traffic on the targeted computer to CIA-controlled systems in order to exfiltrate and infiltrate data. The core of the tool is a kernel module for Linux 2.6 that CIA hackers load via shell access to the targeted system.

The principal limitation of this tool is that the kernel module only works with compatible Linux kernels. Below is the list of prerequisites included in the documentation:

  • (S//NF) The target must be running a compatible 64-bit version of CentOS/RHEL 6.x
    (kernel version 2.6.32).
  • (S//NF) The Operator must have shell access to the target.
  • (S//NF) The target must have a "nat" Netfilter table

The module allows the creation of a hidden Netfilter table with an obscure name on the target Linux system.

"The OutlawCountry tool consists of a kernel module for Linux 2.6. The Operator loads the module via shell access to the target. When loaded, the module creates a new Netfilter table with an obscure name. The new table allows certain rules to be created using the "iptables" command. These rules take precedence over existing rules, and are only visible to an administrator if the table name is known." reads the OutlawCountry User Manual. "When the Operator removes the kernel module, the new table is also removed."

In the following diagram, the CIA operator loads OutlawCountry on the target (TARG_1), then he may add hidden iptables rules to modify network traffic between the WEST and EAST networks. For example, packets that should be routed from WEST_2 to EAST_3 may be redirected to EAST_4.

Figure 5 - OutlawCountry tool

The manual doesn't include information about how the attacker loads the kernel module onto the targeted Linux system. It is likely that the cyber spies leverage multiple hacking tools and exploits in their arsenal to compromise the target running Linux.

OutlawCountry contains just one kernel module, for 64-bit CentOS/RHEL 6.x, and it works only with default kernels.

"(S//NF) OutlawCountry v1.0 contains one kernel module for 64-bit CentOS/RHEL 6.x. This module will only work with default kernels. Also, OutlawCountry v1.0 only supports adding covert DNAT rules to the PREROUTING chain," continues the manual leaked by WikiLeaks.
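Since the manual says the table is only visible to an administrator who knows its name, the defender's counter is to enumerate what the kernel has actually registered rather than query tables by name. The following Python script is an added example, not code from the OutlawCountry manual or any CIA tool; it assumes a table registered through the standard Netfilter API is listed in /proc/net/ip_tables_names and that the host's expected tables and modules are known, and every table, module and address in the samples is a constructed placeholder.

```python
"""Baseline check for a hidden Netfilter table and the module that registered it.

Added example, not code from the OutlawCountry manual or any CIA tool. It
assumes a table registered through the standard Netfilter API is listed in
/proc/net/ip_tables_names, and that the host's expected tables and modules
are known. All names and addresses in the samples are constructed.
"""
import re

# Tables a stock RHEL/CentOS 6.x iptables setup registers (assumption: adjust
# this baseline to the host; 'security' is absent on some builds).
KNOWN_TABLES = {"filter", "nat", "mangle", "raw", "security"}

# A DNAT rule in the PREROUTING chain as printed by `iptables -t <table> -S`,
# the only rule type the manual says v1.0 adds.
DNAT_RULE = re.compile(r"^-A PREROUTING\b.*\s-j DNAT\b")


def parse_table_names(text: str) -> set:
    """Parse /proc/net/ip_tables_names: one registered table name per line."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def parse_modules(text: str) -> dict:
    """Parse /proc/modules into {name: state}; the deps field is '-' when empty."""
    modules = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 5:
            modules[fields[0]] = fields[4]
    return modules


def covert_dnat_rules(iptables_output: str) -> list:
    """Return the PREROUTING DNAT rules found in `iptables -t <table> -S` output."""
    return [line for line in iptables_output.splitlines() if DNAT_RULE.match(line)]


def audit(table_text: str, modules_text: str, module_baseline: set) -> dict:
    """Report registered tables and loaded modules that are not in the baselines."""
    tables = parse_table_names(table_text)
    modules = parse_modules(modules_text)
    return {
        "unknown_tables": sorted(tables - KNOWN_TABLES),
        "unknown_modules": sorted(set(modules) - module_baseline),
    }


# Constructed samples: a host with one extra table and the module that created it.
# On a live host, read /proc/net/ip_tables_names and /proc/modules instead.
SAMPLE_TABLE_NAMES = "filter\nnat\nmangle\nxt_example_hidden\n"
SAMPLE_MODULES = (
    "ipt_REJECT 2351 2 - Live 0xffffffffa0010000\n"
    "iptable_nat 6158 1 - Live 0xffffffffa0020000\n"
    "nf_nat 22759 1 iptable_nat, Live 0xffffffffa0030000\n"
    "xt_example_hidden 9216 0 - Live 0xffffffffa0040000\n"
)
# What `iptables -t xt_example_hidden -S` might print once the name is known.
SAMPLE_RULES = (
    "-P PREROUTING ACCEPT\n"
    "-A PREROUTING -d 192.0.2.3/32 -j DNAT --to-destination 192.0.2.4\n"
    "-A POSTROUTING -o eth0 -j MASQUERADE\n"
)
MODULE_BASELINE = {"ipt_REJECT", "iptable_nat", "nf_nat"}

if __name__ == "__main__":
    findings = audit(SAMPLE_TABLE_NAMES, SAMPLE_MODULES, MODULE_BASELINE)
    print(findings)
    for table in findings["unknown_tables"]:
        print(f"inspect with: iptables -t {table} -S")
    print(covert_dnat_rules(SAMPLE_RULES))
```

Any table name reported by the kernel but absent from the baseline is worth dumping with `iptables -t <name> -S`, since the manual states the covert rules take precedence over the visible ones.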


BothanSpy and Gyrfalcon – 06 July 2017

The last batch of documents published by WikiLeaks from the Vault7 dump details two new CIA implants allegedly used by the agency to intercept and exfiltrate SSH (Secure Shell) credentials from both Windows and Linux operating systems, using different attack vectors.

The first implant codenamed BothanSpy was developed to target Microsoft Windows Xshell client, the second one named Gyrfalcon was designed to target the OpenSSH client on various Linux distros, including CentOS, Debian, RHEL (Red Hat), openSUSE and Ubuntu.

BothanSpy and Gyrfalcon are able to steal user credentials for all active SSH sessions and then send them back to CIA cyber spies.

BothanSpy is installed as a Shellterm 3.x extension on the target machine; it works only when Xshell is running on the machine with active sessions.

Xshell is a terminal emulator that supports SSH, SFTP, TELNET, RLOGIN, and SERIAL for delivering industry leading features including a tabbed environment, dynamic port forwarding, custom key mapping, user defined buttons, VB scripting, and UNICODE terminal for displaying 2-byte characters and international language support.

"BothanSpy only works if Xshell is running on the target, and it has active sessions. Otherwise, Xshell is not storing credential information in the location BothanSpy will search." reads the user manual.

"To use BothanSpy against targets running an x64 version of Windows, the loader being used must support Wow64 injection. Xshell only comes as an x86 binary, and thus BothanSpy is only compiled as x86. Shellterm 3.0+ supports Wow64 injection, and Shellterm is highly recommended."

The second implant codenamed Gyrfalcon works on Linux systems (32 or 64-bit kernel), CIA hackers use a custom malware dubbed JQC/KitV rootkit for persistent access.

The implant can collect full or partial OpenSSH session traffic; it stores the stolen information in a local encrypted file for later exfiltration.

"Gyrfalcon is an SSH session "sharing" tool that operates on outbound OpenSSH sessions from the target host on which it is run. It can log SSH sessions (including login credentials), as well as execute commands on behalf of the legitimate user on the remote host," reads the user manual of Gyrfalcon v1.0.

"The tool runs in an automated fashion. It is configured in advance, executed on the remote host, and left running. Sometime later, the operator returns and commands gyrfalcon to flush all of its collection to disk. The operator retrieves the collection file, decrypts it, and analyzes the collected data."

WikiLeaks also published the user guide for Gyrfalcon v2.0; this version of the implant is composed of two compiled binaries that must be uploaded by the attackers to the target platform.

"The target platform must be running the Linux operating system with either 32- or 64-bit kernel and libraries. Gyrfalcon consists of two compiled binaries that should be uploaded to the target platform along with the encrypted configuration file," continues the manual.

"Gyrfalcon does not provide any communication services between the local operator computer and target platform. The operator must use a third-party application to upload these three files to the target platform."


Pierluigi Paganini

Pierluigi is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, a member of the Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, and Professor and Director of the Master in Cyber Security at the Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer.

Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field; he is a Certified Ethical Hacker (EC-Council, London). His passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US.

Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.