Wikileaks has continued its CIA leaks today with its latest Vault 7 document dump. 27 documents describe the organization's “Grasshopper Framework”, which lets employees create custom malware payloads for Windows devices.
Operators can customize the payloads to behave differently for varying configurations, maintaining persistence through different methods. A pre-install survey determines the target's operating system version, anti-virus software and more before deployment.
Hard to Detect
A major focus is so-called PSP (personal security product) avoidance. CIA Grasshopper components can escape detection by major security products such as Microsoft Security Essentials, Symantec Endpoint and Kaspersky IS.
The payloads come in the form of exe, dll, sts and pic extensions, some with malicious payloads built-in, and others that can be triggered remotely.
They are designed to “be loaded into and executed solely within memory,” making it more difficult for traditional anti-virus solutions to pick up.
Once deployed, the CIA uses a number of techniques to ensure the malware persists. One such method is taken from Carberp, a malware family that appears to originate with Russian hackers.
Windows Update Corruption
Another technique uses Microsoft's own Windows Update service to re-install itself. CIA Grasshopper can piggyback off the WUPS stub to deliver a payload every 22 hours. It works even if the user has disabled updates on their PC, and it can uninstall itself without a trace.
Grasshopper also uses the Windows Task Scheduler to run executables. It can run an executable automatically at startup, hiding the task's name and description, before stopping.
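The Task Scheduler persistence described above is something a defender can audit locally. The following is an added example written for this article, not code from the leaked documents or any Grasshopper component: it lists tasks outside Microsoft's own task folder that fire at boot or logon and that are hidden or carry no description or author. The path filter and the "no description" heuristic are assumptions of this script and will produce some benign hits on real hosts.

```powershell
# Added example: audit scheduled tasks for the traits the article describes
# (start at boot/logon, hidden, or missing name-like metadata). Run in an
# elevated PowerShell session on the Windows host being reviewed.

$suspicious = foreach ($task in Get-ScheduledTask) {
    # Trigger CIM classes look like MSFT_TaskBootTrigger / MSFT_TaskLogonTrigger.
    $triggerTypes = @($task.Triggers | ForEach-Object { $_.CimClass.CimClassName })
    $startsAtBootOrLogon = [bool]($triggerTypes -match 'MSFT_Task(Boot|Logon)Trigger')

    $isHidden      = [bool]$task.Settings.Hidden
    $noDescription = [string]::IsNullOrWhiteSpace($task.Description)
    $noAuthor      = [string]::IsNullOrWhiteSpace($task.Author)

    # Assumption: Microsoft's own tasks live under \Microsoft\; everything else
    # with these traits is worth a manual look.
    $vendorPath = $task.TaskPath -like '\Microsoft\*'

    if (-not $vendorPath -and $startsAtBootOrLogon -and ($isHidden -or $noDescription -or $noAuthor)) {
        $info = $task | Get-ScheduledTaskInfo
        foreach ($action in $task.Actions) {
            [pscustomobject]@{
                Task        = $task.TaskPath + $task.TaskName
                Triggers    = ($triggerTypes -join ',')
                Hidden      = $isHidden
                Author      = $task.Author
                Description = $task.Description
                Execute     = $action.Execute      # $null for non-exec actions
                Arguments   = $action.Arguments
                LastRun     = $info.LastRunTime
                NextRun     = $info.NextRunTime
            }
        }
    }
}

$suspicious | Format-Table -AutoSize
```

Treat the output as a review queue rather than a verdict: confirm each Execute path and its signature, and compare against a known-good baseline of the same host or image.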
Wikileaks says the intention of the release is to “provide an insight into the process of building modern espionage tools and insights into how the CIA maintains persistence over infected Microsoft Windows computers, providing directions for those seeking to defend their systems to identify any existing compromise.”