WikiLeaks published new documents from what it calls the Vault 7 trove describing how the CIA targets Windows users. The files pertain mostly to Grasshopper, a framework used to build custom installation executables, and the agency's use of the Carberp malware in its Stolen Goods persistence mechanism. This leak puts the spotlight on another of the CIA's internal tools and on how it repurposes public malware to suit its own purposes.
Grasshopper's user guide explains that it was used to build and execute custom malware. Operators could use various installers, target devices based on what version of Windows they use or what antivirus software is installed, and decide if the malware should create a log file when it's run. This would theoretically improve the agency's chances of compromising their target while reducing the odds of getting caught or affecting other people.
It's kind of like the spying equivalent to Build-A-Bear Workshop. The CIA gathered installers, payloads, and persistence mechanisms so operators could put them together as if they were children making a custom stuffed animal instead of spies designing malware for specific targets. Operators could also customize Grasshopper itself if they wanted to use a particular tool or needed more control over the malware they were trying to build.
One of those persistence mechanisms--tools used to help malware evade detection by security tools and remain on a target machine--was called Silent Goods. Here's what the Silent Goods user manual has to say about its origins:
The components were taken from malware known as Carberp, a suspected Russian rootkit used by organized crime. The source of Carberp was published online, and has allowed AED\RDB to easily 'borrow' components as needed from the malware. Most of Carberp was not used in Stolen Goods 2, specifically all the Bot net/Communications components. The persistence method, and parts of the installer, were taken and modified to fit our needs. All components taken from Carberp were carefully analyzed for hidden functionality, backdoors, vulnerabilities, etc. A vast majority of the original Carberp code that was used has been heavily modified. Very few pieces of the original code exist unmodified.
This kind of source code theft is common among malware creators. Few build everything from scratch--most take someone else's work and customize or improve it to suit their own purposes. Many others simply use off-the-shelf malware instead of even attempting to code something themselves. Stolen Goods shows that the CIA is no different. If something works, it works, and the intelligence agency has no qualms about repurposing it.
You can find out more about Grasshopper and Stolen Goods in WikiLeaks' latest release from the Vault 7 trove. The organization previously revealed how the CIA tries to work around end-to-end encrypted communications tools, bypasses Windows antivirus software, and considers the possibility of assassination via remote car hack.
Don't worry, all the car makers with whom we spoke assured us that you probably won't be killed by hackers, and antivirus companies have patched up vulnerabilities revealed in the Vault 7 documents. Companies like Cisco have also been digging through WikiLeaks' materials to find critical security flaws that the organization didn't highlight in its own blog posts.
The documents published today appear to have been written between 2012 and 2014. Not all of them were dated--the Grasshopper user guide has no date, for example, although the admin guide says it was published in December 2013. Microsoft and other security companies may have already addressed the vulnerabilities exploited by the framework and its components.
We reached out to Microsoft for comment on these latest files, and a Microsoft spokesperson stated:
Our investigation confirmed that the information released on April 7 does not impact modern systems. For the best defense against security threats, we recommend Windows 10, which is updated automatically by default.
