- Dec 27, 2016
- 1,480
When the world was dealing with the appalling threat of the self-spreading WannaCry ransomware, WikiLeaks released a new batch of CIA Vault 7 leaks, detailing two apparent CIA malware frameworks for the Microsoft Windows platform.
Dubbed "AfterMidnight" and "Assassin," both malware programs are designed to monitor and report back actions on the infected remote host computer running the Windows operating system and execute malicious actions specified by the CIA.
'AfterMidnight' Malware Framework
'Assassin' Malware Framework
Last week, WikiLeaks dumped a man-in-the-middle (MitM) attack tool, called Archimedes, allegedly created by the CIA to target computers inside a Local Area Network (LAN).
This practice by the US intelligence agencies of holding vulnerabilities, rather than disclosing them to the affected vendors, wreaked havoc across the world in past 3 days, when the WannaCry ransomware hit computers in 150 countries by using an SMB flaw that the NSA held, but "The Shadow Brokers" subsequently leaked it over a month ago.
Microsoft President Brad Smith condemned the US intelligence agency’s practice, saying that the "widespread damage" caused by WannaCry happened due to the NSA, CIA and other intelligence agencies for holding zero-day security vulnerabilities.
More about the Vault 7 leaks
Since March, 8 batches of "Vault 7" series have been published, which includes the latest and last week leaks, along with the following batches:
Dubbed "AfterMidnight" and "Assassin," both malware programs are designed to monitor and report back actions on the infected remote host computer running the Windows operating system and execute malicious actions specified by the CIA.
'AfterMidnight' Malware Framework
AfterMidnight allows its operators to dynamically load and execute malicious payload on a target system.
The main controller of the malicious payload, disguised as a self-persisting Windows Dynamic-Link Library (DLL) file and executes "Gremlins" – small payloads that remain hidden on the target machine by subverting the functionality of targeted software, surveying the target, or providing services for other gremlins.
Once installed on a target machine, AfterMidnight uses an HTTPS-based Listening Post (LP) system called "Octopus" to check for any scheduled events. If found one, the malware framework downloads and stores all required components before loading all new gremlins in the memory.
According to a user guide provided in the latest leak, local storage related to AfterMidnight is encrypted with a key which is not stored on the target machine.
'Assassin' Malware Framework
Last week, WikiLeaks dumped a man-in-the-middle (MitM) attack tool, called Archimedes, allegedly created by the CIA to target computers inside a Local Area Network (LAN).
This practice by the US intelligence agencies of holding vulnerabilities, rather than disclosing them to the affected vendors, wreaked havoc across the world in past 3 days, when the WannaCry ransomware hit computers in 150 countries by using an SMB flaw that the NSA held, but "The Shadow Brokers" subsequently leaked it over a month ago.
Microsoft President Brad Smith condemned the US intelligence agency’s practice, saying that the "widespread damage" caused by WannaCry happened due to the NSA, CIA and other intelligence agencies for holding zero-day security vulnerabilities.
More about the Vault 7 leaks
Since March, 8 batches of "Vault 7" series have been published, which includes the latest and last week leaks, along with the following batches:
- Year Zero – dumped CIA hacking exploits for popular hardware and software.
- Weeping Angel – spying tool used by the agency to infiltrate smart TV's, transforming them into covert microphones.
- Dark Matter – focused on hacking exploits the agency designed to target iPhones and Macs.
- Marble – revealed the source code of a secret anti-forensic framework, basically an obfuscator or a packer used by the CIA to hide the actual source of its malware.
- Grasshopper – reveal a framework which allowed the agency to easily create custom malware for breaking into Microsoft's Windows and bypassing antivirus protection.
- Scribbles – a piece of software allegedly designed to embed 'web beacons' into confidential documents, allowing the spying agency to track insiders and whistleblowers.
