Malware News CIA Developed Windows Malware That Alters Boot Sector to Load More Malware

frogboy

WikiLeaks today published documentation on the CIA Angelfire project, a malware framework developed to infect Windows computers.

According to a leaked CIA manual, Angelfire is made up of five components, each with its own purpose:

Solartime - Malware that modifies the boot sector to load Wolfcreek.
Wolfcreek - Self-loading driver that can load other drivers and user-mode applications.
Keystone - Component that's responsible for starting other implants (technical term for malware).
BadMFS - a covert file system that is created at the end of the active partition. AngelFire uses BadMFS to store all other components. All files are obfuscated and encrypted.
Windows Transitory File System - a newer component that's an alternative to BadMFS. Instead of storing files on a secret file system, the component uses transitory (temporary) files for the storage system.
According to leaked documents, Angelfire works on 32-bit and 64-bit versions of Windows XP and Windows 7, and on 64-bit versions of Windows Server 2008 R2.

Not the CIA's best work
The Angelfire framework is just another tool in the CIA's arsenal for hacking Windows users. Previous tools include Grasshopper, ELSA, AfterMidnight, and Assassin.

Compared to other tools, Angelfire doesn't appear to be that polished. The leaked documents include a long list of issues.

For example, security products could detect the presence of a BadMFS file system by a file named "zf", and users may see popup alerts when one of the Angelfire components crashes.

In addition, the Keystone component always disguises itself as a "C:\Windows\system32\svchost.exe" process, cannot dynamically adjust this path if Windows is installed on another partition (e.g.: D:\), and DLL persistence on XP is not supported. All in all, this is not the CIA's best work.

Read More. CIA Developed Windows Malware That Alters Boot Sector to Load More Malware
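Two of the weaknesses the leaked issue list mentions (the hard-coded svchost.exe path and the "zf" BadMFS file) translate directly into host checks a defender can run. The following is an added example, not code from the article or from the Angelfire documents; the names Proc, find_misplaced_svchost and find_badmfs_marker and all sample data are constructed for this illustration, and it assumes svchost.exe is legitimate only from System32 (and SysWOW64 on x64).

```python
# Added example, not from the article or the leaked Angelfire manual: two
# host-side checks derived from the weaknesses the manual itself lists.
# Names and sample data below are constructed for this illustration.
import ntpath
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    image_path: str


def find_misplaced_svchost(system_root, procs):
    """Return processes named svchost.exe whose image path is not under the
    real %SystemRoot%. Keystone hard-codes C:\\Windows\\system32\\svchost.exe,
    so on a host where Windows lives on another partition (e.g. D:) that
    path cannot be a legitimate service host."""
    root = ntpath.normcase(system_root)
    # assumption: svchost.exe is legitimate from System32 and, on x64, SysWOW64
    legit = {ntpath.join(root, d, "svchost.exe") for d in ("system32", "syswow64")}
    hits = []
    for p in procs:
        path = ntpath.normcase(ntpath.normpath(p.image_path))
        if ntpath.basename(path) == "svchost.exe" and path not in legit:
            hits.append(p)
    return hits


def find_badmfs_marker(paths):
    """Return paths whose file name is exactly 'zf', the BadMFS artefact the
    manual's issue list says security products could key on."""
    return [p for p in paths if ntpath.basename(ntpath.normcase(p)) == "zf"]


# Constructed sample: Windows installed on D:, one process claiming the
# hard-coded C: path, plus a directory listing containing a 'zf' file.
SAMPLE_ROOT = "D:\\Windows"
SAMPLE_PROCS = [
    Proc(1, "C:\\Windows\\system32\\svchost.exe"),
    Proc(2, "D:\\Windows\\System32\\svchost.exe"),
    Proc(3, "D:\\Windows\\explorer.exe"),
]
SAMPLE_FILES = ["D:\\Windows\\zf", "D:\\Windows\\System32\\zfx.dll"]

if __name__ == "__main__":
    for p in find_misplaced_svchost(SAMPLE_ROOT, SAMPLE_PROCS):
        print("suspicious svchost:", p.pid, p.image_path)
    for f in find_badmfs_marker(SAMPLE_FILES):
        print("possible BadMFS marker:", f)
```

On a real host the process list and file listing would come from the system instead of the constructed constants; the path comparison is deliberately case-insensitive because Windows paths are.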

Deleted member 65228

Self-loading driver that can load other drivers and user-mode applications.
I wonder if they just inject shellcode into an existing process from kernel mode, which would be responsible for getting the addresses of process-related functions and using them to start whichever process they needed to run.

In addition, the Keystone component always disguises itself as a "C:\Windows\system32\svchost.exe" process, cannot dynamically adjust this path if Windows is installed on another partition (e.g.: D:\), and DLL persistence on XP is not supported. All in all, this is not the CIA's best work.
They could have just not used a process at all... Relied on the kernel-mode device driver and using other running trusted programs to run their code instead. I am disappointed considering this is CIA! :oops:

Exterminator

I am not too worried about being spied on.
*I feel safer here in the US than abroad that's for sure.
*(personal opinion in terms of the spy paranoia and not a political opinion)
They are looking at bigger fish than the average Joe.
I don't bother reading WikiLeaks documents anymore as most of it will never affect the general population as a whole.
 

Fritz

I am not too worried about being spied on.
Same here. I seal envelopes instead of using postcards, wear clothes even though the weather doesn't call for it and apply the same principle naturally to all things Internet-related just as well.

They are looking at bigger fish than the average Joe.
Then they're looking in the wrong spot, considering they're reading everybody's mail and everybody's traffic.

I don't bother reading WikiLeaks documents anymore as most of it will never affect the general population as a whole.
That's the thing, most of them affect the entire population instead of concentrating on the appropriate targets. I have no idea what happened to calling a judge in order to listen in on a landline; it used to be a rule that a certain amount of reasonable suspicion was needed for an order. It just won't get into my head why different principles would/should apply to the Internet…

tim one

I really hope that the actions of the CIA are not taken randomly, but are mainly aimed at specific targets.
Of course, the task of the CIA (and of every intelligence agency) is to spy, as it has always been. So it is no surprise that the field of action of these agencies is technology in all of its applications.

ForgottenSeer 58943

I really hope that the actions of the CIA are not taken randomly, but are mainly aimed at specific targets.
Of course, the task of the CIA (and of every intelligence agency) is to spy, as it has always been. So it is no surprise that the field of action of these agencies is technology in all of its applications.

The CIA isn't always about spying for the sake of spying; in many cases it's about control. The CIA learned long ago that spying is great, but to control someone with the information gathered is vastly more powerful. The CIA is largely a self-serving, parasitical entity operating nearly like its own faction within our borders, utilizing a myriad of tricks to operate outside of its restrictive mandate. The CIA has demonstrated a willingness to turn its tools inward on the very people that fund it (taxpayers) when it is necessary for the preservation of the parasite. That's what everyone should be concerned about. When people talk about the deep state or shadow govt., they are generally referring to the CIA.

You can spot the factions in action. For example the current administration is decidedly against the CIA. To protect himself and his administration he aligned with the military. Whereas the previous administration was largely made up of CIA assets working very closely with the chief CIA asset himself. It's kind of interesting to watch these power plays in action when you think about it. A keen observer could see the CIA and NSA losing power over the next few years.

Pentagon mulling split of NSA, Cyber Command

ForgottenSeer 58943

Even more worrying, and in related news: oversight committees are staffed by ex-spooks, and committee members seem to be operating in fear. This, perhaps, is a growing threat to the functioning of our country. (IMO)

Intelligence Committees lean on ex-spies to oversee spy agencies
But there’s no question that lawmakers both fear and respect the intelligence community, particularly its ability to monitor conversations. One senator, discussing a highly sensitive matter involving potential political corruption, declined to utter names aloud, preferring to jot them down on a piece of paper for a reporter to see, clearly concerned that monitoring was occurring.

I was actually pressured one time to go along with the agency’s analysis even though I’d been off the agency staff for several years. I was sort of appalled that they tried to twist my arm as a former analyst.