WikiLeaks has released five documents that private defense contractor Raytheon Blackbird Technologies provided to the CIA towards building the UMBRAGE Component Library (UCL). According to WikiLeaks, Raytheon acted as a technology scout for the CIA, exploring the malware in the wild, and recommending promising malware to CIA development teams for use in their own tools.
The documents, part of the Vault 7 series of releases, comprise five reports. The first is a keylogger by Emissary Panda, a threat actor believed to be based in China. The tool was not that sophisticated: it managed to persist on the system, but used plain text to communicate with its command and control servers. The second is a remote access tool by Samurai Panda, another group believed to be operating from China. The tool was a variant of an Adobe Flash exploit used by the Italian group Hacking Team.
The next document outlines the capabilities of a fairly sophisticated malware known as Regin. Regin has a six-stage architecture and is modular, allowing the malware to be customised for a particular target or operation. The customisation is done with modular payloads for specific purposes, including file system access, networking capabilities, compression operations, port blocking, packet filtering and so on.
Another document describes the Gamker Trojan, used for stealing information. Apparently the Trojan uses unusual assembly language instructions to obfuscate its code.
The most sophisticated malware described in this set of releases is HammerToss, which is suspected to be Russian state-sponsored malware. The malware uses Twitter accounts, GitHub or compromised websites, and cloud storage to arrange its command and control operations, and has a five-stage architecture. It contains an algorithm that generates a new Twitter handle each day, and the malware checks that day's handle for further instructions.
The instructions are hidden in a URL tweeted out by the handle, and the accompanying hashtag provides the information needed to decode them. The malware downloads the data referenced by the URL and uses the hashtag in the tweet to work out the instructions, which it then executes on the target machine. If data has to be retrieved, it is stored in the cloud, from where it is later collected by the operators of the malware.
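Because a date-seeded handle generator is deterministic, defenders who recover the algorithm can precompute the handles for the coming days and alert on any host that fetches one. The following Python is an added illustration of that defensive workflow, not code from the article, WikiLeaks or the Raytheon reports: the generator (`expected_handle`), its seed, the proxy log format and the log lines are all constructed stand-ins, since the page gives no details of the real HammerToss algorithm.

```python
import hashlib
import re
from datetime import date, timedelta

# Constructed stand-in seed: the real algorithm and its inputs are not on the page.
SEED = b"hypothetical-seed"
# Twitter handles are 1-15 characters of letters, digits and underscores.
HANDLE_RE = re.compile(r"twitter\.com/([A-Za-z0-9_]{1,15})")


def expected_handle(day: date, seed: bytes = SEED) -> str:
    """Hypothetical date-seeded handle generator (stand-in for the recovered algorithm)."""
    digest = hashlib.sha256(seed + day.isoformat().encode()).hexdigest()
    return "u" + digest[:14]  # 15 characters, all valid handle characters


def handle_for(iso_day: str, seed: bytes = SEED) -> str:
    """Convenience wrapper taking a date as an ISO string (e.g. '2017-07-25')."""
    return expected_handle(date.fromisoformat(iso_day), seed)


def build_watchlist(start: date, days: int, seed: bytes = SEED) -> dict:
    """Precompute handles for a date window so they can be alerted on before they are used."""
    return {
        expected_handle(start + timedelta(d), seed).lower(): start + timedelta(d)
        for d in range(days)
    }


def scan_log(lines, watchlist):
    """Return (timestamp, handle, expected_day) for every line hitting a watchlisted handle."""
    hits = []
    for line in lines:
        m = HANDLE_RE.search(line)
        if m and m.group(1).lower() in watchlist:
            hits.append((line.split()[0], m.group(1), watchlist[m.group(1).lower()]))
    return hits


# Constructed sample proxy log lines: one benign profile view, one watchlisted fetch, one homepage.
WINDOW_START = date(2017, 7, 24)
WATCHLIST = build_watchlist(WINDOW_START, 7)
SAMPLE_LOG = [
    "2017-07-25T09:12:01 ws-17 GET https://twitter.com/securityweek 200",
    f"2017-07-25T09:14:33 ws-17 GET https://twitter.com/{handle_for('2017-07-25')} 200",
    "2017-07-25T09:15:02 ws-03 GET https://twitter.com/home 200",
]


def demo():
    """Run the watchlist over the constructed log; returns a single hit for 2017-07-25."""
    return scan_log(SAMPLE_LOG, WATCHLIST)


if __name__ == "__main__":
    for ts, handle, day in demo():
        print(f"{ts}: watchlisted handle @{handle} fetched (expected for {day})")
```

The watchlist is keyed on the lowercased handle because Twitter handles are case-insensitive; the window is precomputed a week ahead so that the alert exists before the malware's next check-in rather than after it.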
Incorporating malware already in the wild into their own tools can mask the origin of the resulting malware, allowing the CIA to disguise its source from forensic investigation teams. Unlike many other releases that are part of the Vault 7 disclosures, the tools revealed in the Raytheon set of leaks were not developed by the CIA itself. They were developed by other threat actors and identified as malware of interest, parts of which could be reused by the CIA.
Updated Date: Jul 26, 2017 10:09 AM