CIA Grasshopper Framework: WikiLeaks Reveals “Undetectable” Malware That Uses Windows Update to Re-Install Itself

The CIA Grasshopper Framework lets operatives build custom malware payloads tailored to the target's Windows version, installed security products, and more. According to the leaked documents, it evades Microsoft Security Essentials.


Wikileaks has continued its CIA leaks today with its latest Vault 7 document dump. 27 documents describe the CIA's “Grasshopper Framework”, which lets its operators build custom malware payloads for Windows devices.

Operators can tailor a payload to behave differently for varying target configurations and choose among several persistence methods. A pre-install survey checks the target's operating system version, anti-virus software and other properties before the payload is deployed.

Hard to Detect

A major focus is so-called PSP (Personal Security Product) avoidance. According to the documents, Grasshopper components escape detection by major security products such as Microsoft Security Essentials, Symantec Endpoint and IS.

The payloads come in the form of exe, dll, sys and pic (position-independent code) files; some carry their malicious functionality built in, while others are triggered remotely.
</gre_replace>
<gr_replace lines="18" cat="clarify" orig="They are designed">
They are designed to “be loaded into and executed solely within memory,” which makes them harder for traditional, file-scanning anti-virus solutions to detect.

They are designed to “be loaded into and executed solely within memory,” making it more difficult for traditional anti-virus solutions to pick up.

Once deployed, the CIA uses a number of techniques to ensure the malware survives on the machine. One such method borrows components from Carberp, a rootkit believed to be of Russian origin.

Windows Update Corruption

Another technique abuses Microsoft's own Windows Update service to re-install the malware. Grasshopper can piggyback on the WUPS stub to deliver a payload every 22 hours. According to the documents, this works even if the user has disabled updates on the PC, and the stub can uninstall itself without a trace.

Grasshopper also uses Windows Task Scheduler to run executables. It can register a task that launches an executable automatically at startup, with the task's name and description disguised so that it does not stand out.
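Both persistence methods above leave something a defender can enumerate: an auto-start service (the WUPS-style stub) and a scheduled task with a boot or logon trigger. The following hunting script is an added example, not code from the Grasshopper documents or from this article. It assumes a Windows 8 / Server 2012 or later host with the ScheduledTasks module, an elevated PowerShell session, and the heuristic that a legitimate Windows Update component is a Microsoft-signed binary under %SystemRoot%\System32; anything it flags is a lead to investigate, not proof of compromise.

```powershell
# Added hunting script (not from the Grasshopper documents or the article).
# Lists auto-start services and boot/logon scheduled tasks whose executable is
# outside %SystemRoot%\System32 or is not signed by Microsoft.
# Assumptions: run as Administrator; Windows 8 / Server 2012 or later.

$system32 = Join-Path $env:SystemRoot 'System32'

function Get-BinaryPath {
    param([string]$CommandLine)
    # Pull the executable out of a service ImagePath or task Execute string,
    # dropping arguments such as "-k netsvcs". Handles quoted and unquoted paths.
    if ($CommandLine -match '^"([^"]+)"') { return $Matches[1] }
    return ($CommandLine -split '\s+')[0]
}

function Test-MicrosoftSigned {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    # A missing file, a broken signature or a non-Microsoft signer all fail here.
    return ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -like '*Microsoft*')
}

function Test-Suspicious {
    param([string]$Path)
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    $inSystem32 = $expanded -like "$system32\*"
    # Heuristic (assumption): genuine Windows Update pieces live in System32 and are Microsoft-signed.
    return (-not $inSystem32) -or (-not (Test-MicrosoftSigned $expanded))
}

function Find-SuspiciousAutostarts {
    # 1. Auto-start services: a WUPS-style stub registered as a service shows up here.
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName } |
        ForEach-Object {
            $bin = Get-BinaryPath $_.PathName
            if (Test-Suspicious $bin) {
                [pscustomobject]@{ Kind = 'Service'; Name = $_.Name; Display = $_.DisplayName; Binary = $bin }
            }
        }

    # 2. Scheduled tasks with boot or logon triggers: the Task Scheduler persistence described above.
    Get-ScheduledTask |
        Where-Object { $_.State -ne 'Disabled' } |
        ForEach-Object {
            $task = $_
            $startsEarly = $task.Triggers | Where-Object {
                $_.CimClass.CimClassName -in 'MSFT_TaskBootTrigger', 'MSFT_TaskLogonTrigger'
            }
            if (-not $startsEarly) { return }
            foreach ($action in $task.Actions) {
                # COM-handler actions have no Execute property; only exec actions launch a file.
                if (-not $action.Execute) { continue }
                $bin = Get-BinaryPath $action.Execute
                if (Test-Suspicious $bin) {
                    [pscustomobject]@{
                        Kind    = 'Task'
                        Name    = ('{0}{1}' -f $task.TaskPath, $task.TaskName)
                        Display = $task.Description
                        Binary  = $bin
                    }
                }
            }
        }
}

Find-SuspiciousAutostarts | Format-Table -AutoSize
```

Expect noise from legitimate third-party software, which also installs auto-start services and logon tasks outside System32; the value is in the entries whose names or descriptions imitate Windows components (a "Windows Update"-style display name on an unsigned binary in a user-writable directory is exactly the pattern the WUPS and Task Scheduler techniques rely on). Compare a flagged binary's hash and signer against a known-good reference before acting on it.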

Wikileaks says the intention of the release is to “provide an insight into the process of building modern espionage tools and insights into how the CIA maintains persistence over infected computers, providing directions for those seeking to defend their systems to identify any existing compromise.”

Microsoft has yet to respond officially to the release, though a statement may follow. The company previously said PCs running the latest Windows 10 version should be protected.

Ryan Maskell