The Hacker News - Cybersecurity News and Analysis: CIA Malware

A team of hackers at the CIA, the Central Intelligence Agency, allegedly used a Windows hacking tool against its targets to gain persistent remote access. As part of its Vault 7 leaks , WikiLeaks today revealed details about a new implant developed by the CIA, dubbed AngelFire , to target computers running Windows operating system. AngelFire framework implants a persistent backdoor on the target Windows computers by modifying their partition boot sector. AngelFire framework consists five following components: 1. Solartime — it modifies the partition boot sector to load and execute the Wolfcreek (kernel code) every time the system boots up. 2. Wolfcreek — a self-loading driver (kernel code that Solartime executes) that loads other drivers and user-mode applications 3. Keystone — a component that utilizes DLL injection technique to execute the malicious user applications directly into system memory without dropping them into the file system. 4. BadMFS — a covert file

WikiLeaks has just published a new batch of the ongoing Vault 7 leak , this time detailing an alleged CIA project that allowed the agency to hack and remotely spy on computers running the Linux operating systems. Dubbed OutlawCountry , the project allows the CIA hackers to redirect all outbound network traffic on the targeted computer to CIA controlled computer systems for exfiltrate and infiltrate data. The OutlawCountry Linux hacking tool consists of a kernel module, which the CIA hackers load via shell access to the targeted system and create a hidden Netfilter table with an obscure name on a target Linux user. "The new table allows certain rules to be created using the "iptables" command. These rules take precedence over existing rules, and are only visible to an administrator if the table name is known. When the Operator removes the kernel module, the new table is also removed," CIA's leaked  user manual reads. Although the installation and persi

WikiLeaks has just published a new batch of the ongoing Vault 7 leak , and this time the whistleblowing website has unveiled a classified malware for that tracks geo-location of targeted PCs and laptops running the Microsoft Windows operating system. In short, the malware does it by capturing the IDs of nearby public hotspots and then matching them with the global database of public Wi-Fi hotspots' locations. Dubbed ELSA , the alleged CIA's project consists of two main elements: the processing component (Operator Terminal) and the implant (Windows Target) which is typically being deployed on a target Windows host. Here's How the CIA's ELSA Malware Works The Elsa system first installs the malware on a targeted WiFi-enabled machine using separate CIA exploits to gain persistent access on the device. The malware then uses Wi-Fi hardware of the infected computer to scan nearby visible WiFi access points (AP) and records their ESSID – stands for Extended Service Se

WikiLeaks has published a new batch of the ongoing Vault 7 leak , this time detailing a tool suite – which is being used by the CIA for Microsoft Windows that targets "closed networks by air gap jumping using thumb drives," mainly implemented in enterprises and critical infrastructures. Air-gapped computers that are isolated from the Internet or other external networks are believed to be the most secure computers on the planet have become a regular target in recent years. Dubbed Brutal Kangaroo (v1.2.1), the tool suit was allegedly designed by the Central Intelligence Agency (CIA) in year 2012 to infiltrate a closed network or air-gapped computer within an organization or enterprise without requiring any direct access. The previous version of Brutal Kangaroo was named as EZCheese , which was exploiting a vulnerability that was zero-day until March 2015, though the newer version was using " unknown link file vulnerability (Lachesis/RiverJack) related to the lib

As part of its Vault 7 series of leaked documents, whistleblowing website WikiLeaks today released a new cache of 27 documents allegedly belonged to the US Central Intelligence Agency (CIA). Named Grasshopper , the latest batch reveals a CLI-based framework developed by the CIA to build "customised malware" payloads for breaking into Microsoft's Windows operating systems and bypassing antivirus protection. All the leaked documents are basically a user manual that the agency flagged as "secret" and that are supposed to be only accessed by the members of the agency, WikiLeaks claims. Grasshopper: Customized Malware Builder Framework According to the leaked documents, Grasshopper framework allows the agency members to easily create custom malware, depending upon the technical details, such as what operating system and antivirus the targets are using. The Grasshopper framework then automatically puts together several components sufficient for attack