{"id":7648,"date":"2017-05-15T12:30:00","date_gmt":"2017-05-15T20:30:00","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/05\/15\/news-1433\/"},"modified":"2017-05-15T12:30:00","modified_gmt":"2017-05-15T20:30:00","slug":"news-1433","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/05\/15\/news-1433\/","title":{"rendered":"WikiLeaks posts user guides for CIA malware implants Assassin and AfterMidnight"},"content":{"rendered":"<p><img decoding=\"async\" src=\"http:\/\/zapt1.staticworld.net\/images\/article\/2017\/03\/cia-100712378-large.3x2.jpg\"\/><\/p>\n<p><strong>Credit to Author: Darlene Storm| Date: Mon, 15 May 2017 11:25:00 -0700<\/strong><\/p>\n<p>The latest WikiLeaks <a href=\"https:\/\/twitter.com\/wikileaks\/status\/863050131742101504\" target=\"_blank\">release<\/a> of CIA malware documentation was overshadowed by the WannaCry ransomware attack sweeping across the world on Friday.<\/p>\n<p>WikiLeaks maintains that \u201cAssassin\u201d and \u201cAfterMidnight\u201d are two CIA \u201cremote control and subversion malware systems\u201d which target Windows. Both were created to spy on targets, send collected data back to the CIA and perform tasks specified by the CIA. Both are persistent and can be scheduled to autonomously uninstall on a specific date and time.<\/p>\n<p>The leaked documents pertaining to the CIA malware frameworks included 2014 user\u2019s guides for AfterMidnight, AlphaGremlin \u2013 an addon to AfterMidnight \u2013 and Assassin. When reading those, you learn about Gremlins, Octopus, The Gibson and other CIA-created systems and payloads.<\/p>\n<p><strong>AfterMidnight<\/strong><\/p>\n<p>WikiLeaks <a href=\"https:\/\/wikileaks.org\/vault7\/#AfterMidnight\" target=\"_blank\">described<\/a> AfterMidnight as allowing \u201coperators to dynamically load and execute malware payloads on a target machine. 
The main controller disguises as a self-persisting Windows Service DLL and provides secure execution of \u2018Gremlins\u2019 via a HTTPS based Listening Post (LP) system called \u2018Octopus\u2019.\u201d<\/p>\n<p>When describing AfterMidnight\u2019s footprint, the CIA\u2019s guide says that after the first reboot, the non-networking component runs as a DLL inside a process running as System. \u201cThe service is only loaded long enough to load Midnight Core before it stops. In this way there is nothing, no running service entry or loaded DLL, to show that AM is actually running.\u201d<\/p>\n<p>The \u201cGremlins\u201d \u2013 small hidden payloads for the AfterMidnight implant \u2013 can be securely deleted by overwriting the files in memory with zeros, as in: the spooks came, conquered and poofed, without the target ever knowing he or she was a target.<\/p>\n<p>The <a href=\"https:\/\/wikileaks.org\/vault7\/document\/AfterMidnight_v1_0_Users_Guide\/\" target=\"_blank\">68-page<\/a> user\u2019s guide for AfterMidnight explains how it works and how it should be deployed, its capabilities and even hints at what the author considers to be funny. At one point the following example was given:<\/p>\n<p>This example will simulate an operation with two target computers. The goal will be to prevent one target from using their web browser (so that he can get more work done) and we\u2019ll annoy the other target whenever they use PowerPoint (because, face it, they deserve it for using PP).<\/p>\n<p>Under the heading of Advanced, 7.1.1 am.state, AfterMidnight users were warned with a note: \u201cYou can destroy everything in the universe by following these directions. User discretion is advised.\u201d<\/p>\n<p>That is followed up in the next section by advice to kick back and relax, as \u201cAfterMidnight will take care of the rest.\u201d<\/p>\n<p><strong>How old is the AfterMidnight user\u2019s guide?<\/strong><\/p>\n<p>The change log has three entries: May 2013, April 2014 and August 2014. 
DLLs exist in any version of Windows, but for a timeline comparison, 2013 was when Microsoft released Windows 8.1 and RT 8.1. Windows 10 wasn\u2019t released until July 2015.<\/p>\n<p><strong>AlphaGremlin<\/strong><\/p>\n<p>The special payload AlphaGremlin, which has 7 pages of documentation dated June 2014, is to be used in addition to the AfterMidnight tool suite for running extra customized tasks on the target\u2019s Windows PC. Accompanying screenshots included in the <a href=\"https:\/\/wikileaks.org\/vault7\/document\/AlphaGremlin_v01_0_Users_Guide\/page-1\/#pagination\" target=\"_blank\">AlphaGremlin<\/a> v0.1.0 user\u2019s guide appear to show Windows 7.<\/p>\n<p><strong>Assassin<\/strong><\/p>\n<p>In the <a href=\"https:\/\/wikileaks.org\/vault7\/document\/Assassin_v1_4_Users_Guide\/page-1\/#pagination\" target=\"_blank\">204-page<\/a> Assassin v1.4 user\u2019s guide, the CIA described Assassin as \u201can automated implant that provides a simple collection platform on remote computers running the Microsoft Windows operating system. Once the tool is installed on the target, the implant is run within a Windows service process. Assassin will then periodically beacon to its configured listening post(s) to request tasking and deliver results. Communication occurs over one or more transport protocols as configured before or during deployment.\u201d<\/p>\n<p>Like AfterMidnight, the Assassin malware framework allows the CIA to spy on and collect information from a target as well as execute tasks. It can capture and return the user\u2019s data and be securely wiped.<\/p>\n<p>The Assassin implant, which can be configured to hibernate on a target\u2019s system before going active, has four subsystems: Implant, Builder, Command and Control (C2) and Listening Post (LP). The Listening Post subsystem, which contains a beacon server, queue and log collector, enables the Assassin implant to communicate with the C2 via a web server. 
The CIA added, \u201cThe Assassin C2 and LP subsystems are referred to collectively as The Gibson.\u201d<\/p>\n<p>The \u201cGrasshopper\u201d user guide for installing payloads was not included in this leak, but it is referenced in the guide for Assassin as an installation utility to provide \u201csoft persistence on Microsoft Windows targets.\u201d<\/p>\n<p>Sadly I didn\u2019t fully grasp this portion, but when describing the Implant Pernicious ICE DLL, the CIA noted that the implant \u201c<em>meets the NSA Pernicious Ice specification<\/em>.\u201d The guide goes on to talk about FAF (Fire and Forget).<\/p>\n<p>Under troubleshooting issues as well as the upload queue, the CIA noted, \u201cThe Assassin implant will not store more than <em>16,384 files<\/em> in the staging directory to prevent overflowing the limitations of the file system.\u201d It also covered what to do if a CIA operator wanted to run multiple Assassin implants on a target at the same time.<\/p>\n<p><strong>How old is the Assassin implant user\u2019s guide?<\/strong><\/p>\n<p>The first entry on the changelog was in January 2012 and the last, updated for the Assassin 1.4 release, was dated June 2014.<\/p>\n<p>The <a href=\"https:\/\/wikileaks.org\/vault7\/document\/Assassin-1_3_Training\/page-1\/#pagination\" target=\"_blank\">21-page<\/a> Assassin Training documentation, which ironically appears to be a PowerPoint presentation, has one section titled \u201cAssassin Tasking for Fun and Profit.\u201d<\/p>\n<p><strong>Microsoft blasted NSA and CIA for stockpiling vulnerabilities<\/strong><\/p>\n<p>While Microsoft\u2019s President and Chief Legal Officer, Brad Smith, was talking about the WannaCry ransomware attack and not referring to the latest documentation of CIA malware implants, he <a href=\"https:\/\/blogs.microsoft.com\/on-the-issues\/2017\/05\/14\/need-urgent-collective-action-keep-people-safe-online-lessons-last-weeks-cyberattack\/\" target=\"_blank\">blasted<\/a> the 
CIA as well as the NSA in a blistering critique of why the government should not stockpile vulnerabilities and digital weapons. \u00a0<\/p>\n<p>The WannaCry attack, Smith wrote, \u201cprovides yet another example of why the stockpiling of vulnerabilities by governments is such a problem.\u201d He added, \u201cWe have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen.\u201d<\/p>\n<p>Edward Snowden, who incidentally urged the US government to <a href=\"https:\/\/www.theguardian.com\/media\/2017\/may\/15\/edward-snowden-assange-wikileaks-open-letter\" target=\"_blank\">drop its investigation<\/a> into Julian Assange and WikiLeaks, claimed that Microsoft confirming a NSA-developed exploit was used in the WannaCry attack was \u201c<a href=\"https:\/\/twitter.com\/Snowden\/status\/863872972553166848\" target=\"_blank\">extraordinary<\/a>.\u201d<\/p>\n<p dir=\"ltr\" lang=\"en\">Until this weekend&#8217;s attack, Microsoft declined to officially confirm this, as US Gov refused to confirm or deny this was their exploit. 
<a href=\"https:\/\/t.co\/i52jeJyD0l\">https:\/\/t.co\/i52jeJyD0l<\/a><\/p>\n<p><a href=\"http:\/\/www.computerworld.com\/article\/3196987\/security\/wikileaks-posts-user-guides-for-cia-malware-implants-assassin-and-aftermidnight.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[11072,11073,714],"class_list":["post-7648","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-cybercrime-hacking","tag-malware-vulnerabilities","tag-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7648","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=7648"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7648\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=7648"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=7648"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=7648"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}