CIA hacking tools and malware frameworks
The WannaCry ransomware attacks were just more cyberattacks that took advantage of unpatched systems. However, I think the leaks published by WikiLeaks are more important than WannaCry because they allow governments, not our government but the US government, to have access to our devices. Sixteen leaks have already been published this year by WikiLeaks, where we can find hacking tools, malware frameworks, etc. that, if they are stolen by someone and used with malicious intentions, could cause something dangerous worldwide. This week, I want to write about the latest leaks published by WikiLeaks.
The latest leak was about the Athena project, where the CIA, along with Siege Technologies, developed a system to get into Microsoft Windows operating systems (from Windows XP to Windows 10, including Windows Server 2012) for retrieving files from or sending files to target systems, and also for loading and unloading malicious payloads in memory. Two versions were released, Athena and Hera, the latter for newer operating systems like Windows 8.1 and Windows 10. This means the CIA can have access to most Windows devices, because there hasn't been any new Windows version since then.
Athena Concept of Operation
Another recent and interesting leak concerns two CIA malware frameworks for the Microsoft Windows platform, called AfterMidnight and Assassin. Both are designed as backdoor malware able to download "Gremlins" into target systems via "Octopus". Gremlins are Windows exploits for particular tasks that CIA operators upload to target systems on demand, for instance to search for certain personal data, while the Octopus system is the HTTPS server, or C2 (Command and Control) system, used to deploy Gremlins and retrieve information. Again, both of these malware frameworks are for Windows machines.
AfterMidnight malware
Man-in-the-middle attacks are well known to most security engineers, and the CIA also developed a tool to attack computers using this technique. This tool is called Archimedes, and it runs on Windows XP, Vista or 7, while the target machine can be running whatever operating system, as long as it is on the same Ethernet LAN. Therefore, Windows machines running Archimedes are pivot systems able to perform man-in-the-middle attacks to monitor and log HTTP requests from the target machine and even redirect those requests to desired IPs and domains.
ARP SPOOF
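A pivot host doing the ARP-spoofing man-in-the-middle described above leaves a visible trace on the LAN: one IP address suddenly being announced with a second MAC address, and one MAC address answering for several IPs. The following Python script is an added example, not code from the original post or from the leaked tool; it parses constructed tcpdump-style ARP lines (made-up data for this example) and raises alerts for both indicators, treating anything that involves the gateway address as high severity.

```python
import re
from collections import defaultdict

# Constructed sample in the style of `tcpdump -n arp` output (made-up data
# for this example). A single host, aa:bb:cc:00:00:21, starts answering for
# the gateway (.1) and for another host (.20), which is what an ARP-spoofing
# pivot on the LAN looks like on the wire.
SAMPLE_ARP_LINES = """\
10:00:01.000000 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 28
10:00:01.000210 ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:01, length 28
10:00:02.000000 ARP, Reply 192.168.1.20 is-at aa:bb:cc:00:00:20, length 28
10:00:03.000000 ARP, Reply 192.168.1.21 is-at aa:bb:cc:00:00:21, length 28
10:00:09.000000 ARP, Reply 192.168.1.1 is-at AA:BB:CC:00:00:21, length 28
10:00:10.000000 ARP, Reply 192.168.1.20 is-at aa:bb:cc:00:00:21, length 28
10:00:11.000000 ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:01, length 28
"""

ARP_REPLY_RE = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)


def parse_arp_replies(text):
    """Extract (timestamp, ip, mac) from ARP reply lines.

    Requests and unrelated lines are ignored. MACs are normalised to
    lowercase so the same adapter is not counted twice because of case.
    """
    replies = []
    for line in text.splitlines():
        m = ARP_REPLY_RE.match(line)
        if m:
            replies.append((m.group("ts"), m.group("ip"), m.group("mac").lower()))
    return replies


def detect_arp_spoofing(replies, gateway_ip):
    """Return a list of alert dicts built from two indicators:

    1. an IP address announced with more than one MAC address, the classic
       symptom of ARP cache poisoning, and
    2. a MAC address claiming several IP addresses, which is how a pivot
       host intercepting its neighbours looks from the wire.

    A MAC with several IPs can be legitimate (a router with secondary
    addresses, a VM host), so those alerts default to medium severity; any
    alert touching the gateway is high, because the gateway is the address
    an interceptor has to claim to see traffic leaving the LAN.
    """
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    for _ts, ip, mac in replies:
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)

    alerts = []
    for ip, macs in ip_to_macs.items():
        if len(macs) > 1:
            alerts.append({
                "type": "ip_multiple_macs",
                "ip": ip,
                "macs": sorted(macs),
                "severity": "high" if ip == gateway_ip else "medium",
            })
    for mac, ips in mac_to_ips.items():
        if len(ips) > 1:
            alerts.append({
                "type": "mac_multiple_ips",
                "mac": mac,
                "ips": sorted(ips),
                "severity": "high" if gateway_ip in ips else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(parse_arp_replies(SAMPLE_ARP_LINES), "192.168.1.1"):
        print(alert)
```

The same two checks can be applied continuously by feeding the script the live output of tcpdump, or, with no extra tooling, by comparing the host's own ARP cache against a known-good table of gateway and server MACs; static ARP entries for the gateway and dynamic ARP inspection on managed switches are the usual mitigations.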
There have been many leaks lately, but I would also like to highlight the Scribbles project. It is a document-watermarking preprocessing system that allows the CIA to track and identify who has opened or copied a file, with the aim of tracking and identifying insiders or whistleblowers. Once a Microsoft Office document is opened, there is an interaction between the tracking server and the file to know whether the document is a new one, the same one, or has been modified. As a result, the tracking server has records with the IP address of the PC and the files opened, copied, modified, etc.
Scribbles tracking system
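For the document to "interact" with a tracking server the moment it is opened, the file has to carry a reference that Office resolves automatically, such as a remote image or attached template; in an Office Open XML package every such link is declared as an external relationship. The Python script below is an added example, not code from the original post or from the Scribbles project, and it assumes the watermark takes that form. It builds a constructed sample .docx in memory (a made-up document with one remote image and one ordinary hyperlink) and lists every external relationship, then narrows the list to the ones that would be fetched without user interaction, which is the shape of a tracking beacon.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"

# Relationship types that Office resolves while rendering the document, i.e.
# without the user clicking anything. Only the last path segment of the Type
# URI is compared, so the check also covers the equivalent relationship types
# of other Office applications.
AUTO_LOAD_TYPES = {"image", "attachedTemplate", "oleObject", "frame"}


def external_references(docx_bytes):
    """Return (rels part, relationship type suffix, target) for every
    relationship in the package whose target lies outside it.

    Office documents are zip archives; links to anything outside the package
    are declared in *.rels parts with TargetMode="External", so the document
    body itself never needs to be parsed.
    """
    refs = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in zf.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                refs.append((part, rel_type, rel.get("Target", "")))
    return refs


def beacon_candidates(docx_bytes):
    """External references that are fetched automatically on open and point
    at a web server; hyperlinks the user has to click are left out."""
    return [
        (part, rel_type, target)
        for part, rel_type, target in external_references(docx_bytes)
        if rel_type in AUTO_LOAD_TYPES
        and target.lower().startswith(("http://", "https://"))
    ]


def build_sample_docx():
    """Construct a minimal .docx in memory (made-up sample for this example,
    not a real document) with one remote image and one ordinary hyperlink."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" '
        'Target="https://tracking.example.invalid/w/7f3a9c" TargetMode="External"/>'
        '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
        'Target="https://www.example.com/" TargetMode="External"/>'
        '<Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" '
        'Target="styles.xml"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("_rels/.rels",
                    '<?xml version="1.0"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"/>')
        zf.writestr("word/document.xml",
                    '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    for part, rel_type, target in external_references(sample):
        print(f"external {rel_type:<16} {target}  ({part})")
    for _part, rel_type, target in beacon_candidates(sample):
        print(f"BEACON CANDIDATE: {rel_type} -> {target}")
```

Run against a real file, replace `build_sample_docx()` with the bytes of the document; the same scan works for .xlsx and .pptx packages because they use the same relationship parts. A document that needs no external content but carries an auto-loaded URL is worth opening only on a machine without network access.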
From time to time we don't know whether these projects are for surveillance or espionage, but what we do know is that a malicious use of these tools grants great power.
Be careful, take care my friends!