CIA hacking tools targeting Windows
Credit to Author: Darlene Storm| Date: Wed, 08 Mar 2017 08:22:00 -0800
By releasing information about CIA hacking tools, WikiLeaks has given a new meaning to March Madness.
The CIA’s project Fine Dining is intriguing, since it outlines DLL hijacks for Sandisk Secure, Skype, Notepad++, Sophos, Kaspersky, McAfee, Chrome, Opera, Thunderbird, LibreOffice, and some games such as 2048, which the CIA writer “got a good lol out of.” Yet I was curious about what the CIA does to targeted machines running Windows since so many people use the OS.
Nearly everything dealing with the CIA hacking arsenal and Windows is labeled as “secret.” Nicholas Weaver, a computer scientist at the University of California at Berkeley, told NPR that the Vault 7 release is not all that big of a deal, not too surprising the agency hacks. Yet if “Year Zero” was obtained by a non-government hacker compromising the CIA’s system, then that would be a big deal.
Weaver said, “Spies gonna spy, that’s dog bites man. Spy dumps data on WikiLeaks, proving that they exfiltrated it from a top secret system? That’s man bites dog.”
However it was obtained and handed to WikiLeaks for the world to peruse, here are some of the things revealed that the CIA allegedly uses to target Windows.
Persistence modules are listed under Windows>Windows Code Snippets and are labeled as “secret.” This would be used after a target has been infected. In the words of WikiLeaks, persistence is how the CIA would “keep its malware infestations going.”
The CIA’s persistence models for Windows include: TrickPlay, Constant Flow, HighClass, Ledger, QuickWork and SystemUptime.
Of course before malware can persist, it must be deployed. There are four sub-pages listed under payload deployment modules: in-memory executables, in-memory DLL execution, on-disk DLL loading and on-disk executables.
There are eight processes listed as “secret” under payload deployment for on-disk executables: Gharial, Shasta, Speckled, Chorus, Tiger, Greenhorn, Leopard and Spadefoot. The six payload deployment modules for in-memory DLL execution include: Inception, two takes on Hypodermic and three on Intradermal. Caiman is the only payload deployment module listed under on-disk DLL loading.
What might a spook do once inside a Windows box to get the data out? Marked as “secret” under Windows data transfer modules, the CIA purportedly uses:
Under function hooking in Windows, which would allow a module to be tapped into to do something specific that the CIA wanted done, the list included: DTRS which hooks functions using Microsoft Detours, EAT_NTRN which modifies entries in EAT, RPRF_NTRN which replaces all references to the target function with the hook, and IAT_NTRN which allows for “easy hooking of Windows API.” All the modules use “alternate data streams which are only available on NTFS volumes” and the sharing levels include the entire Intelligence community.
WikiLeaks said it avoided distributing “armed cyberweapons until a consensus emerges on the technical and political nature of the CIA’s program and how such ‘weapons’ should analyzed, disarmed and published.” Privilege escalation and execution vectors on Windows are among those which were censored.
There are six sub-pages dealing with CIA “secret” privilege escalation modules, but WikiLeaks chose not to make the details available; presumably this is so every cyberthug in the world won’t take advantage of them.
CIA “secret” execution vectors code snippets for Windows include EZCheese, RiverJack, Boomslang and Lachesis – all of which are listed but not released by WikiLeaks.
There is a module to lock and unlock system volume information under Windows access control. Of the two Windows string manipulation snippets, only one is labeled as “secret.” Only one snippet of code for Windows process functions is marked as “secret” and the same is true for Windows list snippets.
Under Windows file/folder manipulation, there is one to “create directory with attributes and create parent directories,” one for path manipulation and one to capture and reset file state.
Two “secret” modules are listed under Windows user information. One “secret” module each is listed for Windows file information, registry information and drive information. Naive sequence search is listed under memory searching. There is one module under Windows shortcut files and file typing also has one.
Machine information has eight sub-pages; there are three “secret” modules listed under Windows Updates, one “secret” module under User Account Control – which elsewhere – GreyHatHacker.net got a mention under Windows exploitation articles for bypassing User Account Control.
These examples are mere drops in a bucket when it comes to Windows-related CIA files dumped by WikiLeaks so far.