Monday, September 4, 2017

New Wikileaks dump SHOULD MAKE YOUR SKIN CRAWL

What is WikiLeaks' AngelFire dump? New leak reveals CIA malware used to spy on Windows OS

The Angelfire implant is made up of five different components that are designed to infect Windows' boot sector.


WikiLeaks has released the latest Vault 7 data dump, detailing a new CIA hacking tool targeting Windows operating systems (OS). According to the documents leaked by the whistleblowing organisation, the CIA hacking tool, dubbed Angelfire, was developed to infect and spy on Windows systems. WikiLeaks leaked the alleged user guide of Angelfire, which details that it functioned as a CIA malware framework, targeting Windows XP and Windows 7.

According to the alleged leaked user guide, Angelfire is comprised of five different components — Solartime, Wolfcreek, Keystone (previously MagicWand), BadMFS, and the Windows Transitory File system.


According to WikiLeaks' Vault 7 files, Solartime is a malware component designed solely to alter the Windows partition boot sector, which would allow the system to be infected with the Wolfcreek implant when Windows loads boot time device drivers. Wolfcreek is a key malware component as it can infect targeted devices with other Angelfire implants.

The Keystone implant, known previously as MagicWand, is a part of the Wolfcreek implant, according to WikiLeaks and is "responsible for starting malicious user applications". Keystone leaves little to no forensic evidence on infected systems. However, according to WikiLeaks, the implant can be detected in the Windows task manager, "if the operating system is installed on another partition or in a different path".

BadMFS functions as a library, storing every implant and driver activated by Wolfcreek. Although some versions of BadMFS could be detected, in most cases, "all files are both encrypted and obfuscated" to help avoid detection.

The Windows Transitory File system acts as a new way to install AngelFire. The system allows CIA spies to create transitory files for specific actions, which include installing AngelFire, adding and/or removing files to and from the malware and more.

In comparison to other CIA hacking tools leaked by WikiLeaks, AngelFire does not seem to be all that sophisticated, since some of the malware's components could potentially be detected by security products.

WikiLeaks' latest Vault 7 dump comes hours after its site reportedly got hacked by the OurMine group.

http://www.ibtimes.co.uk/what-wikileaks-angelfire-dump-new-leak-reveals-cia-malware-used-spy-windows-os-1637511


================================================



ALSO SEE

https://www.theinquirer.net/inquirer/news/3016551/wikileaks-spills-the-beans-on-the-cias-angelfire-hacking-toolset
Wikileaks spills the beans on the CIA's Angelfire hacking toolset
Someone's gotta

JULIAN ASSANGE'S LEAKY HOBBY SITE Wikileaks has crashed a US Central Intelligence Agency party and spilled all there is to know about a hacking toolset called Angelfire that the agency uses, but probably does not want you to know about.

The leak comes from the Wikileaks Vault 7 stuff and claims to concern a backdoor into the Windows operating system that works on Windows 7 and XP and maybe, but not definitely Windows 10.

"Angelfire is an implant comprised of five components: Solartime, Wolfcreek, Keystone (previously MagicWand), BadMFS, and the Windows Transitory File System. Like previously published CIA projects (Grasshopper and AfterMidnight) in the Vault7 series, it is a persistent framework that can load and execute custom implants on target computers running the Microsoft Windows operating system," says Wikileaks in its tell-all story.

The group then goes on to explain what each of these components does. None of which is great, and all of it can be used to create memory leaks without leaving much of a trail. The information for the Vault 7 leaks comes from a breach on the CIA; Wikileaks obtained the treasure trove of information in 2017 and has been leaking dribs and drabs out ever since.

"Solartime modifies the partition boot sector so that when Windows loads boot time device drivers, it also loads and executes the Wolfcreek implant, that once executed, can load and run other Angelfire implants. According to the documents, the loading of additional implants creates memory leaks that can be possibly detected on infected machines," it explained.


"Keystone is part of the Wolfcreek implant and responsible for starting malicious user applications. Loaded implants never touch the file system, so there is very little forensic evidence that the process was ever run."

At least there would be little evidence if it wasn't for those pesky kids at Wikileaks.


==============================================

https://hothardware.com/news/wikileaks-cia-angelfire-toolset-hacking-window-xp-7-pcs
WikiLeaks Exposes CIA's Angelfire Toolset For Hacking Windows XP And Windows 7 PCs

The latest documents from Vault 7, a collection of confidential materials related to hacking tools used by the United States Central Intelligence Agency and obtained by WikiLeaks, were made public today by the whistleblowing organization. This newest leak details the CIA's Angelfire project, which is a persistent framework that can load and execute custom malware on computers running Windows XP and Windows 7.

Angelfire consists of five components, including Solartime, Wolfcreek, Keystone (previously MagicWand), BadMFS, and the Windows Transitory File system. Each of these parts has a distinct job. It starts with Solartime, which modifies the partition boot sector so that when Windows fires up boot time device drivers, it also loads and executes the Wolfcreek implant. Once executed, it is able to load and run other Angelfire implants.

According to the documentation, Keystone is part of the Wolfcreek implant and is responsible for starting up malicious user applications. What makes all this hard to detect is that loaded implants never touch the file system. It also disguises itself as svchost.exe in the C:\Windows\system32 directory.
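The Task Manager check mentioned in this paragraph and in the first article (Keystone poses as svchost.exe with a hardcoded C:\Windows\system32 path, so it stands out only when Windows is actually installed elsewhere) can be expressed as a small hunting script. This is an added example, not code from the leaked documents or from either article; the process listing, PIDs and paths are constructed.

```python
import ntpath
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Proc:
    """One row of a process listing, as Task Manager or tasklist would show it."""
    pid: int
    name: str
    image_path: str


def canonical(path: str) -> str:
    """Normalise a Windows path for comparison (case, slash style, '..')."""
    return ntpath.normcase(ntpath.normpath(path))


def find_masquerading_svchost(procs: Iterable[Proc], system_root: str) -> List[Proc]:
    """Return svchost.exe processes whose image is not the genuine one under the
    real system directory. Because the implant reportedly uses the fixed path
    C:\\Windows\\system32, this only separates it from the real service hosts when
    Windows lives somewhere else (e.g. D:\\Windows); on a default C:\\Windows
    install the path alone cannot tell them apart, which is the caveat the
    articles describe."""
    genuine = canonical(ntpath.join(system_root, "System32", "svchost.exe"))
    return [p for p in procs
            if p.name.lower() == "svchost.exe" and canonical(p.image_path) != genuine]


# Constructed sample listing (hypothetical PIDs and paths, not real telemetry):
# Windows installed on D:, plus one svchost.exe using the hardcoded C: path.
SAMPLE_PROCS = [
    Proc(4, "System", ""),
    Proc(700, "svchost.exe", r"D:\Windows\System32\svchost.exe"),
    Proc(812, "svchost.exe", r"D:\Windows\System32\svchost.exe"),
    Proc(1337, "svchost.exe", r"C:\Windows\system32\svchost.exe"),
    Proc(2050, "explorer.exe", r"D:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for p in find_masquerading_svchost(SAMPLE_PROCS, r"D:\Windows"):
        print(f"suspicious svchost.exe pid={p.pid} path={p.image_path}")
```

On a real host the listing would come from tasklist or a process-query API and the system root from the SystemRoot environment variable; only the path comparison is shown here.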

BadMFS is described as a covert file system that is created at the end of the active partition. Angelfire uses BadMFS to store all other components, with all files being obfuscated and encrypted.

Finally, the Windows Transitory File system is a newer component that is an alternative to BadMFS. Rather than store files on a secret file system, the component uses temporary files for the storage system. These files are added to the UserInstallAppl (both the .exe or .dll versions).

Summed up, Angelfire is yet another tool the CIA used for hacking Windows PCs. Compared to other tools, such as Grasshopper and AfterMidnight, Angelfire seems a bit rudimentary with plenty of cons. For example, some versions of BadMFS can be detected because the reference to the covert file system is stored in a file named "zf." Additionally, loading implants can cause memory leaks that might be detected on infected machines.

It is not known if the CIA has fully retired Angelfire or if it is now using a newer, more sophisticated version.

