• WikiLeaks Reveals "Archimedes": Malware Used To Hack Local Area Network

    From Virus Guy@1:396/4 to All on Thu May 4 23:28:20 2017
    From: Virus Guy <Virus@Guy.C0M>

    WikiLeaks Reveals "Archimedes": Malware Used To Hack Local Area Networks


    May 5, 2017 8:55 AM

    In its seventh CIA leak since March 23rd, WikiLeaks has just revealed
    the user manual of a CIA hacking tool known as ‘Archimedes' which is purportedly used to attack computers inside a Local Area Network (LAN).
    The CIA tool works by redirecting a target's webpage search to a CIA
    server which serves up a webpage that looks exactly like the original
    page they were expecting to be served, but which contains malware. It's
    only possible to detect the attack by examining the page source.

    https://wikileaks.org/vault7/document/Archimedes-1_0-User_Guide/ https://wikileaks.org/vault7/document/Archimedes-1_3-Addendum/ https://wikileaks.org/vault7/document/Archimedes-1_2-Addendum/ https://wikileaks.org/vault7/document/Archimedes-1_1-Addendum/ https://wikileaks.org/vault7/document/Fulcrum-User_Manual-v0_62/

    See also:


    Per WikiLeaks:

    Today, May 5th 2017, WikiLeaks publishes "Archimedes", a tool used
    by the CIA to attack a computer inside a Local Area Network (LAN),
    usually used in offices. It allows the re-directing of traffic from the
    target computer inside the LAN through a computer infected with this
    malware and controlled by the CIA. This technique is used by the CIA to redirect the target's computers web browser to an exploitation server
    while appearing as a normal browsing session.

    The document illustrates a type of attack within a "protected
    environment" as the the tool is deployed into an existing local network
    abusing existing machines to bring targeted computers under control and allowing further exploitation and abuse.

    RELEASE: CIA '#Archimedes' system for exfiltration and browser
    hijacking. Includes manuals and binary signatures.
    https://t.co/XWr33GMGDN pic.twitter.com/TEyhABJvbO

    — WikiLeaks (@wikileaks) May 5, 2017

    The RT provided more details:

    The Archimedes tool enables traffic from one computer inside the LAN
    to be redirected through a computer infected with this malware and
    controlled by the CIA, according to WikiLeaks.

    The technique is used to redirect the target's computer web browser
    to an exploitation server while appearing as a normal browsing session,
    the whistleblowing site said. In this way, the hackers gain an entry
    point that allows them access to other machines on that network.

    The tool's user guide, which is dated December 2012, explains that
    it's used to re-direct traffic in a Local Area network (LAN) from a
    "target's computer through an attacker controlled computer before it is
    passed to the gateway.”

    This allows it to insert a false web-server response that redirects
    the target's web browser to a server that will exploit their system all
    the while appearing as if it's a normal browsing session.

    Archimedes is an update to a tool called ‘Fulcrum' and it offers several improvements on the previous system, including providing a method of "gracefully shutting down the tool on demand.”

    How is US government malware developed? WikiLeaks' release today of
    the CIA's 'Fulcrum' malware shows how https://t.co/wrke6MC5ex pic.twitter.com/R5tO7dVYPz

    — WikiLeaks (@wikileaks) May 5, 2017

    Wikileaks Vault 7 releases:


    Released so far:

    Archimedes - 5 May, 2017

    Scribbles - 28 April, 2017

    Weeping Angel - 21 April, 2017

    Hive - 14 April, 2017

    Grasshopper - 7 April, 2017

    Marble Framework - 31 March, 2017

    Dark Matter - 23 March, 2017


    28 April, 2017

    Today, April 28th 2017, WikiLeaks publishes the documentation and source
    code for CIA's "Scribbles" project, a document-watermarking
    preprocessing system to embed "Web beacon"-style tags into documents
    that are likely to be copied by Insiders, Whistleblowers, Journalists or others. The released version (v1.0 RC1) is dated March, 1st 2016 and
    classified SECRET//ORCON/NOFORN until 2066.

    Scribbles is intended for off-line preprocessing of Microsoft Office
    documents. For reasons of operational security the user guide demands
    that "[t]he Scribbles executable, parameter files, receipts and log
    files should not be installed on a target machine, nor left in a
    location where it might be collected by an adversary."

    According to the documentation, "the Scribbles document watermarking
    tool has been successfully tested on [...] Microsoft Office 2013 (on
    Windows 8.1 x64), documents from Office versions 97-2016 (Office 95
    documents will not work!) [and d]ocuments that are not be locked forms, encrypted, or password-protected". But this limitation to Microsoft
    Office documents seems to create problems: "If the targeted end-user
    opens them up in a different application, such as OpenOffice or
    LibreOffice, the watermark images and URLs may be visible to the
    end-user. For this reason, always make sure that the host names and URL components are logically consistent with the original content. If you
    are concerned that the targeted end-user may open these documents in a non-Microsoft Office application, please take some test documents and
    evaluate them in the likely application before deploying them."

    Security researches and forensic experts will find more detailed
    information on how watermarks are applied to documents in the source
    code, which is included in this publication as a zipped archive.

    Leaked Documents

    Scribbles v1.0 RC1 - User Guide
    Scribbles (Source Code)
    Scribbles v1.0 RC1 - IVVRR Checklist
    Scribbles v1.0 RC1 - Readiness Review Worksheet


    Weeping Angel
    21 April, 2017

    Today, April 21st 2017, WikiLeaks publishes the User Guide for CIA's
    "Weeping Angel" tool - an implant designed for Samsung F Series Smart Televisions. Based on the "Extending" tool from the MI5/BTSS, the
    implant is designed to record audio from the built-in microphone and
    egress or store the data.

    The classification marks of the User Guide document hint that is was
    originally written by the british MI5/BTSS and later shared with the
    CIA. Both agencies collaborated on the further development of the
    malware and coordinated their work in Joint Development Workshops.

    Leaked Documents
    Extending - User Guide


    14 April, 2017

    Today, April 14th 2017, WikiLeaks publishes six documents from the CIA's
    HIVE project created by its "Embedded Development Branch" (EDB).

    HIVE is a back-end infrastructure malware with a public-facing HTTPS
    interface which is used by CIA implants to transfer exfiltrated
    information from target machines to the CIA and to receive commands from
    its operators to execute specific tasks on the targets. HIVE is used
    across multiple malware implants and CIA operations. The public HTTPS
    interface utilizes unsuspicious-looking cover domains to hide its

    Anti-Virus companies and forensic experts have noticed that some
    possible state-actor malware used such kind of back-end infrastructure
    by analyzing the communication behaviour of these specific implants, but
    were unable to attribute the back-end (and therefore the implant itself)
    to operations run by the CIA. In a recent blog post by Symantec, that
    was able to attribute the "Longhorn" activities to the CIA based on the
    Vault 7, such back-end infrastructure is described:

    For C&C servers, Longhorn typically configures a specific domain and IP address combination per target. The domains appear to be registered by
    the attackers; however they use privacy services to hide their real
    identity. The IP addresses are typically owned by legitimate companies
    offering virtual private server (VPS) or webhosting services. The
    malware communicates with C&C servers over HTTPS using a custom
    underlying cryptographic protocol to protect communications from identification.

    The documents from this publication might further enable anti-malware researchers and forensic experts to analyse this kind of communication
    between malware implants and back-end servers used in previous illegal activities.

    Leaked Documents
    Users Guide
    Developers Guide
    Developers Guide (Figures)
    Hive Beacon Infrastructure
    Hive Infrastructure Installation and Configuration Guide


    7 April, 2017

    Today, April 7th 2017, WikiLeaks releases Vault 7 "Grasshopper" -- 27
    documents from the CIA's Grasshopper framework, a platform used to build customized malware payloads for Microsoft Windows operating systems.

    Grasshopper is provided with a variety of modules that can be used by a
    CIA operator as blocks to construct a customized implant that will
    behave differently, for example maintaining persistence on the computer differently, depending on what particular features or capabilities are
    selected in the process of building the bundle. Additionally,
    Grasshopper provides a very flexible language to define rules that are
    used to "perform a pre-installation survey of the target device,
    assuring that the payload will only [be] installed if the target has the
    right configuration". Through this grammar CIA operators are able to
    build from very simple to very complex logic used to determine, for
    example, if the target device is running a specific version of Microsoft Windows, or if a particular Antivirus product is running or not.

    Grasshopper allows tools to be installed using a variety of persistence mechanisms and modified using a variety of extensions (like encryption).
    The requirement list of the Automated Implant Branch (AIB) for
    Grasshopper puts special attention on PSP avoidance, so that any
    Personal Security Products like 'MS Security Essentials', 'Rising',
    'Symantec Endpoint' or 'Kaspersky IS' on target machines do not detect Grasshopper elements.

    One of the persistence mechanisms used by the CIA here is 'Stolen Goods'
    - whose "components were taken from malware known as Carberp, a
    suspected Russian organized crime rootkit." confirming the recycling of
    malware found on the Internet by the CIA. "The source of Carberp was
    published online, and has allowed AED/RDB to easily steal components as
    needed from the malware.". While the CIA claims that "[most] of Carberp
    was not used in Stolen Goods" they do acknowledge that "[the]
    persistence method, and parts of the installer, were taken and modified
    to fit our needs", providing a further example of reuse of portions of
    publicly available malware by the CIA, as observed in their analysis of
    leaked material from the italian company "HackingTeam".

    The documents WikiLeaks publishes today provide an insights into the
    process of building modern espionage tools and insights into how the CIA maintains persistence over infected Microsoft Windows computers,
    providing directions for those seeking to defend their systems to
    identify any existing compromise

    Leaked Documents


    Marble Framework
    31 March, 2017

    Today, March 31st 2017, WikiLeaks releases Vault 7 "Marble" -- 676
    source code files for the CIA's secret anti-forensic Marble Framework.
    Marble is used to hamper forensic investigators and anti-virus companies
    from attributing viruses, trojans and hacking attacks to the CIA.

    Marble does this by hiding ("obfuscating") text fragments used in CIA
    malware from visual inspection. This is the digital equivallent of a
    specalized CIA tool to place covers over the english language text on
    U.S. produced weapons systems before giving them to insurgents secretly
    backed by the CIA.

    Marble forms part of the CIA's anti-forensics approach and the CIA's
    Core Library of malware code. It is "[D]esigned to allow for flexible
    and easy-to-use obfuscation" as "string obfuscation algorithms
    (especially those that are unique) are often used to link malware to a
    specific developer or development shop."

    The Marble source code also includes a deobfuscator to reverse CIA text obfuscation. Combined with the revealed obfuscation techniques, a
    pattern or signature emerges which can assist forensic investigators
    attribute previous hacking attacks and viruses to the CIA. Marble was in
    use at the CIA during 2016. It reached 1.0 in 2015.

    The source code shows that Marble has test examples not just in English
    but also in Chinese, Russian, Korean, Arabic and Farsi. This would
    permit a forensic attribution double game, for example by pretending
    that the spoken language of the malware creator was not American
    English, but Chinese, but then showing attempts to conceal the use of
    Chinese, drawing forensic investigators even more strongly to the wrong conclusion, --- but there are other possibilities, such as hiding fake
    error messages.

    The Marble Framework is used for obfuscation only and does not contain
    any vulnerabilties or exploits by itself.

    Leaked Documents
    Marble Framework (Source Code)


    Dark Matter
    23 March, 2017

    Today, March 23rd 2017, WikiLeaks releases Vault 7 "Dark Matter", which contains documentation for several CIA projects that infect Apple Mac
    firmware (meaning the infection persists even if the operating system is re-installed) developed by the CIA's Embedded Development Branch (EDB).
    These documents explain the techniques used by CIA to gain 'persistence'
    on Apple Mac devices, including Macs and iPhones and demonstrate their
    use of EFI/UEFI and firmware malware.

    Among others, these documents reveal the "Sonic Screwdriver" project
    which, as explained by the CIA, is a "mechanism for executing code on peripheral devices while a Mac laptop or desktop is booting" allowing an attacker to boot its attack software for example from a USB stick "even
    when a firmware password is enabled". The CIA's "Sonic Screwdriver"
    infector is stored on the modified firmware of an Apple
    Thunderbolt-to-Ethernet adapter.

    "DarkSeaSkies" is "an implant that persists in the EFI firmware of an
    Apple MacBook Air computer" and consists of "DarkMatter", "SeaPea" and "NightSkies", respectively EFI, kernel-space and user-space implants.

    Documents on the "Triton" MacOSX malware, its infector "Dark Mallet" and
    its EFI-persistent version "DerStarke" are also included in this
    release. While the DerStarke1.4 manual released today dates to 2013,
    other Vault 7 documents show that as of 2016 the CIA continues to rely
    on and update these systems and is working on the production of

    Also included in this release is the manual for the CIA's "NightSkies
    1.2" a "beacon/loader/implant tool" for the Apple iPhone. Noteworthy is
    that NightSkies had reached 1.2 by 2008, and is expressly designed to be physically installed onto factory fresh iPhones. i.e the CIA has been
    infecting the iPhone supply chain of its targets since at least 2008.

    While CIA assets are sometimes used to physically infect systems in the
    custody of a target it is likely that many CIA physical access attacks
    have infected the targeted organization's supply chain including by interdicting mail orders and other shipments (opening, infecting, and resending) leaving the United States or otherwise.
    --- NewsGate v1.0 gamma 2
    * Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)