Vault 7 - Hacking Tools Revealed

crazed
Code:
https://wikileaks.org/ciav7p1/

Tuesday March 7th, 2017
WikiLeaks begins its new series of leaks.
Code-named "Vault 7" by WikiLeaks, it is the largest ever publication of confidential documents on the agency.
Code:
 U.S. Central Intelligence Agency

The first full part of the series, "Year Zero", comprises 8,761 documents and files from an isolated, high-security network situated inside the CIA's Center for Cyber Intelligence in Langley, Virginia. It follows an introductory disclosure last month of CIA targeting French political parties and candidates in the lead-up to the 2012 presidential election.

Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized "zero day" exploits, malware remote control systems and associated documentation. This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.

"Year Zero" introduces the scope and direction of the CIA's global covert hacking program, its malware arsenal and dozens of "zero day" weaponized exploits against a wide range of U.S. and European company products, including Apple's iPhone, Google's Android and Microsoft's Windows and even Samsung TVs, which are turned into covert microphones.

Code:
https://wikileaks.org/ciav7p1/cms/page_26968090.html
Notepad++ is on the list.

The issue of a hijacked DLL concerns scilexer.dll (needed by Notepad++) on a compromised PC, which is replaced by a modified scilexer.dll built by the CIA. When Notepad++ is launched, the modified scilexer.dll is loaded instead of the original one.
It doesn't mean that CIA is interested in your coding skill or in your sex message content typed in Notepad++, but rather it prevents raising any red flags while the DLL does data collection in the background.
It's not a vulnerability/security issue in Notepad++, but for remedying this issue, from this release (v7.3.3) forward, notepad++.exe checks the certificate validation in scilexer.dll before loading it. If the certificate is missing or invalid, then it just won't be loaded, and Notepad++ will fail to launch.
Checking the certificate of the DLL makes it harder to hack. Note that once users' PCs are compromised, the hackers can do anything on the PCs. This solution only prevents Notepad++ from loading a CIA homemade DLL. It doesn't prevent your original notepad++.exe from being replaced by a modified notepad++.exe while the CIA is controlling your PC.
Just like knowing the lock is useless for people who are willing to go into my house, I still shut the door and lock it every morning when I leave home. We are in a f**king corrupted world, unfortunately.
Otherwise, included in this Notepad++ download there are a lot of enhancements and bug-fixes which improve your Notepad++ experience.
Code:
https://notepad-plus-plus.org/download/v7.3.3.html
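An administrator-side version of the check the release note describes, as an added example (not Notepad++'s own code): verify that every DLL beside notepad++.exe carries a valid Authenticode signature from the expected publisher, and call out scilexer.dll explicitly. The install directory and the expected signer subject are placeholders; take the real subject from a known-good, signed notepad++.exe.

```powershell
# Added example, not from Notepad++ or the leaked documents.
# Assumptions (placeholders): install directory and expected signer subject prefix.
param(
    [string]$InstallDir     = 'C:\Program Files\Notepad++',
    [string]$ExpectedSigner = 'CN=PLACEHOLDER-PUBLISHER'   # copy from a known-good notepad++.exe
)

function Test-DllSignatures {
    param([string]$Dir, [string]$Signer)
    foreach ($dll in Get-ChildItem -Path $Dir -Filter *.dll -File) {
        $sig     = Get-AuthenticodeSignature -FilePath $dll.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        [pscustomobject]@{
            File    = $dll.Name
            Status  = $sig.Status        # Valid, NotSigned, HashMismatch, UnknownError, ...
            Subject = $subject
            # A DLL is only trusted when the signature chain validates AND the signer is the expected one;
            # a valid signature from an arbitrary certificate is not enough.
            Trusted = ($sig.Status -eq 'Valid' -and $subject -like "$Signer*")
        }
    }
}

$report = Test-DllSignatures -Dir $InstallDir -Signer $ExpectedSigner
$report | Format-Table -AutoSize

# scilexer.dll is the DLL the leaked page describes being swapped, so it gets its own verdict.
$sci = $report | Where-Object File -eq 'scilexer.dll'
if (-not $sci) {
    Write-Warning "scilexer.dll not found in $InstallDir"
} elseif (-not $sci.Trusted) {
    Write-Warning "scilexer.dll fails the check: status=$($sci.Status) signer=$($sci.Subject)"
} else {
    Write-Host 'scilexer.dll carries a valid signature from the expected publisher.'
}
```

As the release note itself points out, this check is only meaningful while notepad++.exe and the machine running the check are themselves still trustworthy.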

C/P from thehackernews.com
WikiLeaks Reveals 'AfterMidnight' & 'Assassin' CIA Windows Malware Frameworks
Sunday, May 14, 2017 Swati Khandelwal

When the world was dealing with the threat of the self-spreading WannaCry ransomware, WikiLeaks released a new batch of CIA Vault 7 leaks, detailing two apparent CIA malware frameworks for the Microsoft Windows platform.

Dubbed "AfterMidnight" and "Assassin," both malware programs are designed to monitor and report back actions on the infected remote host computer running the Windows operating system and execute malicious actions specified by the CIA.

Since March, WikiLeaks has published hundreds of thousands of documents and secret hacking tools that the group claims came from the US Central Intelligence Agency (CIA).

This latest batch is the 8th release in the whistleblowing organization's 'Vault 7' series.

'AfterMidnight' Malware Framework
According to a statement from WikiLeaks, 'AfterMidnight' allows its operators to dynamically load and execute malicious payload on a target system.
The main controller of the malicious payload is disguised as a self-persisting Windows Dynamic-Link Library (DLL) file and executes "Gremlins" – small payloads that remain hidden on the target machine by subverting the functionality of targeted software, surveying the target, or providing services for other gremlins.
Once installed on a target machine, AfterMidnight uses an HTTPS-based Listening Post (LP) system called "Octopus" to check for any scheduled events. If one is found, the malware framework downloads and stores all required components before loading all new gremlins into memory.
According to a user guide provided in the latest leak, local storage related to AfterMidnight is encrypted with a key which is not stored on the target machine.
A special payload, called "AlphaGremlin," contains a custom script language which even allows operators to schedule custom tasks to be executed on the targeted system.

'Assassin' Malware Framework
Assassin is also similar to AfterMidnight and described as "an automated implant that provides a simple collection platform on remote computers running the Microsoft Windows operating system."
Once installed on the target computer, this tool runs the implant within a Windows service process, allowing the operators to perform malicious tasks on an infected machine, just like AfterMidnight.

Assassin consists of four subsystems: Implant, Builder, Command and Control, and Listening Post.
The 'Implant' provides the core logic and functionality of this tool on a target Windows machine, including communications and task execution. It is configured using the 'Builder' and deployed to a target computer via some undefined vector.

The 'Builder' configures Implant and 'Deployment Executables' before deployment and "provides a custom command line interface for setting the Implant configuration before generating the Implant," reads the tool's user guide.

The 'Command and Control' subsystem acts as an interface between the operator and the Listening Post (LP), while the LP allows the Assassin Implant to communicate with the command and control subsystem through a web server.

Last week, WikiLeaks dumped a man-in-the-middle (MitM) attack tool, called Archimedes, allegedly created by the CIA to target computers inside a Local Area Network (LAN).
This practice by the US intelligence agencies of holding vulnerabilities, rather than disclosing them to the affected vendors, wreaked havoc across the world in the past 3 days, when the WannaCry ransomware hit computers in 150 countries by using an SMB flaw that the NSA discovered and held, but which "The Shadow Brokers" subsequently leaked over a month ago.

Microsoft Slams NSA For Its Role in 'WannaCry' Attack
Even Microsoft President Brad Smith condemned the US intelligence agency’s practice, saying that the "widespread damage" caused by WannaCry happened due to the NSA, CIA and other intelligence agencies for holding zero-day security vulnerabilities.
"This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world," Smith said.

Since March, the whistleblowing group has published 8 batches of "Vault 7" series, which includes the latest and last week leaks, along with the following batches:

Year Zero – dumped CIA hacking exploits for popular hardware and software.
Weeping Angel – spying tool used by the agency to infiltrate smart TVs, transforming them into covert microphones.
Dark Matter – focused on hacking exploits the agency designed to target iPhones and Macs.
Marble – revealed the source code of a secret anti-forensic framework, basically an obfuscator or a packer used by the CIA to hide the actual source of its malware.
Grasshopper – revealed a framework which allowed the agency to easily create custom malware for breaking into Microsoft's Windows and bypassing antivirus protection.
Scribbles – a piece of software allegedly designed to embed 'web beacons' into confidential documents, allowing the spying agency to track insiders and whistleblowers.

Thursday, June 01, 2017
Mohit Kumar

WikiLeaks has published a new batch of the ongoing Vault 7 leak, this time detailing an alleged CIA project that allowed the agency to turn Windows file servers into covert attack machines that can silently infect other computers of interest inside a targeted network.

Codenamed Pandemic, the tool is a persistent implant for Microsoft Windows machines that share files with remote users on a local network.

The documents leaked by the whistleblower organization date from April 2014 to January 2015.

According to WikiLeaks, Pandemic infects networks of Windows computers through the Server Message Block (SMB) file sharing protocol by replacing application code on-the-fly with a trojanized version of the software.

"Pandemic is a tool which is run as kernel shellcode to install a file system filter driver," a leaked CIA manual reads. "The filter will 'replace' a target file with the given payload file when a remote user accesses the file via SMB (read-only, not write)."


'Pandemic' Turns File Servers into 'Patient Zero'

Once compromised, the infected Windows file server acts as a "Patient Zero" – the first identified carrier of any communicable disease during an outbreak – which is then used to deliver infections on machines inside the network.

Now, whenever any targeted computer attempts to access a file on the compromised server, Pandemic intercepts the SMB request and secretly delivers a malicious version of the requested file, which is then executed by the targeted computer.

According to the user manual, Pandemic takes only 15 seconds to be installed on a target machine and can replace up to 20 legitimate files (both 32-bit and 64-bit files) at a time with a maximum file size of 800MB.
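Because the manual quoted above says the filter only rewrites files when they are read remotely via SMB, a file that hashes one way on the server's own disk and another way when read by a client over the share is a strong indicator of this kind of on-the-fly substitution. The following is an added example of that comparison (not part of the leaked documents or the article); the server name, share name and local path are placeholders.

```powershell
# Added example, not from the leaked documents or The Hacker News.
# Assumptions (placeholders): server FILESRV01 exports D:\Shares\Public as \\FILESRV01\Public,
# and PowerShell remoting to the server is available.
param(
    [string]$Server    = 'FILESRV01',
    [string]$Share     = 'Public',
    [string]$LocalPath = 'D:\Shares\Public'
)

# Reference hashes, taken on the server itself: a filter that only rewrites
# SMB reads leaves local reads untouched, so these reflect the bytes on disk.
$serverHashes = Invoke-Command -ComputerName $Server -ArgumentList $LocalPath -ScriptBlock {
    param($p)
    Get-ChildItem -Path $p -Recurse -File |
        ForEach-Object {
            [pscustomobject]@{
                Rel  = $_.FullName.Substring($p.Length).TrimStart('\')
                Hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# The same files read by this client over SMB.
$uncRoot    = "\\$Server\$Share"
$mismatches = foreach ($f in $serverHashes) {
    $uncFile = Join-Path $uncRoot $f.Rel
    if (-not (Test-Path -LiteralPath $uncFile)) { continue }
    $clientHash = (Get-FileHash -LiteralPath $uncFile -Algorithm SHA256).Hash
    if ($clientHash -ne $f.Hash) {
        [pscustomobject]@{ File = $f.Rel; ServerHash = $f.Hash; ClientHash = $clientHash }
    }
}

if ($mismatches) {
    # A mismatch can also be a file legitimately modified between the two reads;
    # re-run on the flagged files before escalating.
    Write-Warning "Content served over SMB differs from on-disk content for $(@($mismatches).Count) file(s):"
    $mismatches | Format-Table -AutoSize
} else {
    Write-Host "All $(@($serverHashes).Count) files hash identically on the server and over SMB."
}
```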

Since the tool has been specifically designed to infect corporate file sharing servers and turns them into a secret carrier for delivering malware to other persons on the target network, it has been named Pandemic.

However, the leaked documents do not explain precisely how Pandemic gets installed on a targeted file server.

Former National Security Agency (NSA) employee Jake Williams also questioned whether all the documents required to take advantage of the Pandemic tool had been released by the whistleblower group.

"When you examine the #pandemic @wikileaks dump, ask yourself: Where are the rest of the docs? Compare this dump to any of the others and you'll see that there is far less data than we got with GRASSHOPPER, etc. Do they not have the other files? Seems unlikely," Williams said.

Last week, WikiLeaks dumped a CIA spyware framework, dubbed Athena – which "provides remote beacon and loader capabilities on target computers" – that works against every version of Microsoft's Windows operating systems, from Windows XP to Windows 10.

The spyware has been designed to take full control over the infected Windows PCs remotely, allowing the CIA to perform all sorts of things on the target system, including deleting data or uploading malicious software and stealing data.

Since March, the whistleblowing group has published 10 batches of "Vault 7" series, which includes the latest and last week leaks, along with the following batches:

-AfterMidnight and Assassin – two apparent CIA malware frameworks for the Microsoft Windows platform that have been designed to monitor and report back actions on the infected remote host computer and execute malicious actions.
-Archimedes – a man-in-the-middle (MitM) attack tool allegedly created by the CIA to target computers inside a Local Area Network (LAN).
-Scribbles – a piece of software allegedly designed to embed 'web beacons' into confidential documents, allowing the spying agency to track insiders and whistleblowers.
-Grasshopper – revealed a framework which allowed the agency to easily create custom malware for breaking into Microsoft's Windows and bypassing antivirus protection.
-Marble – revealed the source code of a secret anti-forensic framework, basically an obfuscator or a packer used by the CIA to hide the actual source of its malware.
-Dark Matter – focused on hacking exploits the agency designed to target iPhones and Macs.
-Weeping Angel – spying tool used by the agency to infiltrate smart TVs, transforming them into covert microphones.
-Year Zero – dumped CIA hacking exploits for popular hardware and software.



end C/P