WikiLeaks reveals 'AfterMidnight' & 'Assassin' CIA Windows Malware Frameworks

Parsh

Dec 27, 2016
When the world was dealing with the appalling threat of the self-spreading WannaCry ransomware, WikiLeaks released a new batch of CIA Vault 7 leaks, detailing two apparent CIA malware frameworks for the Microsoft Windows platform.

Dubbed "AfterMidnight" and "Assassin," both malware programs are designed to monitor and report back actions on the infected remote host computer running the Windows operating system and execute malicious actions specified by the CIA.

'AfterMidnight' Malware Framework
AfterMidnight allows its operators to dynamically load and execute malicious payload on a target system.

The main controller of the malicious payload is disguised as a self-persisting Windows Dynamic-Link Library (DLL) file and executes "Gremlins" – small payloads that remain hidden on the target machine by subverting the functionality of targeted software, surveying the target, or providing services for other gremlins.

Once installed on a target machine, AfterMidnight uses an HTTPS-based Listening Post (LP) system called "Octopus" to check for any scheduled events. If one is found, the malware framework downloads and stores all required components before loading the new gremlins into memory.


According to a user guide provided in the latest leak, local storage related to AfterMidnight is encrypted with a key which is not stored on the target machine.

'Assassin' Malware Framework
Assassin is similar to AfterMidnight and described as "an automated implant that provides a simple collection platform on remote computers running the Microsoft Windows operating system."

Once installed on the target computer, this tool runs the implant within a Windows service process, allowing the operators to perform malicious tasks on an infected machine, just like AfterMidnight.

Assassin consists of four subsystems: Implant, Builder, Command and Control, and Listening Post.
The 'Implant' provides the core logic and functionality of this tool on a target Windows machine, including communications and task execution.
The 'Builder' configures the Implant and 'Deployment Executables' before deployment and "provides a custom command line interface for setting the Implant configuration before generating the Implant".
The 'Command and Control' subsystem acts as an interface between the operator and the Listening Post (LP), while the LP allows the Assassin Implant to communicate with the command and control subsystem through a web server.

Last week, WikiLeaks dumped a man-in-the-middle (MitM) attack tool, called Archimedes, allegedly created by the CIA to target computers inside a Local Area Network (LAN).

This practice by the US intelligence agencies of holding vulnerabilities, rather than disclosing them to the affected vendors, wreaked havoc across the world in the past 3 days, when the WannaCry ransomware hit computers in 150 countries using an SMB flaw that the NSA had held until "The Shadow Brokers" leaked it over a month ago.

Microsoft President Brad Smith condemned the US intelligence agencies' practice, saying that the "widespread damage" caused by WannaCry was the result of the NSA, CIA and other intelligence agencies holding zero-day security vulnerabilities.

More about the Vault 7 leaks

Since March, eight batches of the "Vault 7" series have been published, including the latest and last week's leaks, along with the following batches:
  • Year Zero – dumped CIA hacking exploits for popular hardware and software.
  • Weeping Angel – spying tool used by the agency to infiltrate smart TVs, transforming them into covert microphones.
  • Dark Matter – focused on hacking exploits the agency designed to target iPhones and Macs.
  • Marble – revealed the source code of a secret anti-forensic framework, basically an obfuscator or a packer used by the CIA to hide the actual source of its malware.
  • Grasshopper – revealed a framework which allowed the agency to easily create custom malware for breaking into Microsoft's Windows and bypassing antivirus protection.
  • Scribbles – a piece of software allegedly designed to embed 'web beacons' into confidential documents, allowing the spying agency to track insiders and whistleblowers.
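The post above says Assassin runs its implant inside a Windows service process and AfterMidnight persists as a DLL. The script below is an added defender-side triage example; it is not code from the original post or from the leaked documents, and it carries no indicators for the actual CIA tools. It lists services whose host binary, or for svchost-hosted services whose ServiceDll, is either not Microsoft-signed or not under the Windows directory. It assumes Windows PowerShell 5.1 run as Administrator.

```powershell
# Added triage example, not code from the leaked documents or the article above.
# Assumes Windows PowerShell 5.1+ run as Administrator. Output is a review list of
# service modules that are not both Microsoft-signed and under $env:WINDIR; it is not
# a match against any real indicator of the tools the article describes.

$winDir = $env:WINDIR

function Get-ServiceBinaryPath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    # PathName is either "quoted path" followed by args, or an unquoted path plus args.
    if ($PathName.StartsWith('"')) { return $PathName.Split('"')[1] }
    $m = [regex]::Match($PathName, '^(.+?\.(exe|sys))', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $PathName.Split(' ')[0]
}

function Get-ServiceDllPath {
    param([string]$ServiceName)
    # svchost-hosted services register the code they load under Parameters\ServiceDll.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName\Parameters"
    $dll = (Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll) }
    return $null
}

function Test-MicrosoftSigned {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    return ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -like '*Microsoft*')
}

$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $hostExe = Get-ServiceBinaryPath $svc.PathName
    if (-not $hostExe) { continue }
    # svchost.exe is a generic host; the code that actually runs is the ServiceDll.
    $module = if ([IO.Path]::GetFileName($hostExe) -ieq 'svchost.exe') {
        Get-ServiceDllPath $svc.Name
    } else {
        $hostExe
    }
    if (-not $module -or -not (Test-Path -LiteralPath $module)) { continue }

    $inWinDir = $module.StartsWith($winDir, [StringComparison]::OrdinalIgnoreCase)
    $msSigned = Test-MicrosoftSigned $module
    if ($inWinDir -and $msSigned) { continue }   # expected for built-in services

    [pscustomobject]@{
        Service   = $svc.Name
        StartMode = $svc.StartMode
        State     = $svc.State
        Module    = $module
        InWinDir  = $inWinDir
        MSSigned  = $msSigned
    }
}

$findings | Sort-Object MSSigned, InWinDir, Service | Format-Table -AutoSize
```

Legitimately signed third-party services will appear in the list too; the point is to shrink the set a human has to look at, with unsigned modules under the Windows directory at the top. Kernel drivers are not covered (Win32_Service excludes them), and a signed-but-stolen certificate would pass the signature check.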
 

Parsh

Dec 27, 2016
Such an ingenious and diverse portfolio and results we've seen now, only to realize that what should be secretly stored (responsibly), though it's a wrong deed in the first place, can probably be rocked by some legit third party going rogue or some remote group of hackers or whatever.
Though this is only a set of frameworks revealed, worse things have happened and are happening again, and at some point of time, this has to take a new course, hopefully better. Wait, that'd again be a checkmate for us citizens.
 

tryfon

May 13, 2017
These wikileaks are becoming a problem as these hackers are using some of the vulnerabilities found within them...
 

Deletedmessiah

Jan 16, 2017
These wikileaks are becoming a problem as these hackers are using some of the vulnerabilities found within them...
Bigger problem are the ones who didn't report these vulnerabilities to Microsoft. But if they reported, then it'd be harder to spy on citizens so can't blame them. :D
 

Arequire

Feb 10, 2017
Keep in mind that these tools are used for targeted surveillance against individuals or groups, not the mass surveillance done by sigint organisations.
 

DJ Panda

Aug 30, 2015
I am curious to know if these tools actually managed to catch anyone bad? Having these things is just bad news. I think at this point WikiLeaks should be shut down. I do not judge them for what political views they have, but the "leaking" of malware programs is just going to hurt regular people like you and me...
 

tryfon

May 13, 2017
Bigger problem are the ones who didn't report these vulnerabilities to Microsoft. But if they reported, then it'd be harder to spy on citizens so can't blame them. :D
Microsoft apparently patched most of them, the problem was a lot of the world isn't on the newest security update
 

ElectricSheep

Aug 31, 2014
Microsoft apparently patched most of them, the problem was a lot of the world isnt on the newest security update
That MS17-010 patch - the original security update was released on 14th March so a lot of firms were to blame by not updating their systems & networks as they were released.

Article on medical firms planning to push patches themselves rather than through the usual routes
Patches Pending for Medical Devices Hit By WannaCry
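The last two posts come down to one question for an administrator: is this host still exposed to the SMBv1 flaw that MS17-010 fixed? The script below is an added example, not code from anyone in the thread. It checks whether SMBv1 is enabled on the server and client side and whether one of the March 2017 MS17-010 packages is installed. The KB numbers are those listed in Microsoft's MS17-010 bulletin; it assumes Windows PowerShell 5.1 run as Administrator.

```powershell
# Added example, not code from the thread. Checks whether this Windows host is exposed
# to the SMBv1 flaw fixed by MS17-010: is SMBv1 enabled, and is one of the March 2017
# MS17-010 packages installed. Assumes Windows PowerShell 5.1 run as Administrator.
# Caveat: on Windows 10 the fix ships in cumulative updates that supersede these KBs,
# so Get-HotFix may not list them on a patched machine. Treat "no KB found" as
# "verify the installed cumulative update", not as "vulnerable".

# KB numbers from the MS17-010 bulletin (security-only and monthly rollup per OS,
# plus the out-of-band packages Microsoft released for unsupported versions).
$ms17010Kbs = @(
    'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',               # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429',  # Windows 10 1507 / 1511 / 1607
    'KB4012598'                             # out-of-band: XP, Server 2003, Vista, 8, Server 2008
)

function Get-Smb1Status {
    $status = [ordered]@{}
    # Server side: Windows 8 / Server 2012 and later expose the switch as a cmdlet.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $status.ServerSmb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        # Windows 7 / 2008 R2: LanmanServer\Parameters\SMB1; absent means enabled (the default).
        $v = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                -Name SMB1 -ErrorAction SilentlyContinue
        $status.ServerSmb1Enabled = if ($null -eq $v) { $true } else { [bool]$v.SMB1 }
    }
    # Client side: the SMB1 redirector driver. Start value 4 means disabled.
    $drv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' `
              -Name Start -ErrorAction SilentlyContinue
    $status.ClientSmb1Driver = if ($null -eq $drv) { 'not present' }
                               elseif ($drv.Start -eq 4) { 'disabled' }
                               else { "enabled (Start=$($drv.Start))" }
    return [pscustomobject]$status
}

function Get-Ms17010Patches {
    Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $ms17010Kbs -contains $_.HotFixID } |
        Select-Object HotFixID, InstalledOn
}

$os = Get-CimInstance Win32_OperatingSystem
"{0} build {1}" -f $os.Caption, $os.BuildNumber
Get-Smb1Status
$patches = Get-Ms17010Patches
if ($patches) {
    $patches
} else {
    "No MS17-010 package listed by Get-HotFix (it may be superseded by a later cumulative update)."
}
```

If SMBv1 is enabled on a host that still needs it, the patch is what stops the exploit; if SMBv1 is not needed, disabling it removes the attack surface regardless of patch state, which is the safer answer for the unpatched long tail the thread is talking about.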
 
