Thursday, October 10, 2024
HomeMalwareNew CIA Cyberweapon Malware "Pandemic" installed in Victims Machine and Replaced Target...

New CIA Cyberweapon Malware “Pandemic” installed in Victims Machine and Replaced Target files where remote users use SMB to Download

Published on

One of the  CIA Cyberweapon  Called  “Pandemic” Document Leaked by Vault 7 Projects of WikiLeaks.This Malware tool Specifically interact and run as kernel shellcode to install File system Driver.

This Malware will the attack the Victim Machine if user accesses the file via SMB, the Payload files will be Replaced to the  Actual Target file .This Function will work in Read-only Mode.

Already Released CIA cyberweapon’s DoublePulsar and MicroBotMassiveNet having some Sophisticated Futures and also affected by same SMB.

- Advertisement - EHA

“Pandemic” Malware’s Actual  Goal is to be installed in Victims Machine when the Victims remote users use SMB to download/execute PE files.

According the Leaked CIA’s “Pandemic” Secret Document,  It won’t make sense and it will not replace the Target file if the file is opened on the machine Where Pandemic is running on.

Pandemic Leads to Unchanged the File But Replaced

While “Pandemic” entered into the Victims Machine when user accesses the file via SMB,it will not do any physical Changes in the Target Files.

According to leaked Source of Vault 7 ,Users that are targeted by Pandemic, and use SMB to download the targeted file, will receive the ‘replacement’ file.

“Pandemic” can operate both 32 and 64 bit .CONOP(Concept of Operation) done by the CIA ,version 1.0 can works only on 64 bit targets.

A “Pandemic” Tool ability to Replace up to  20 files by using the Latest version of  Pandemic 1.0.

As per the Document “The 1.1 builder will dynamically re-size the output bin file to the  appropriate size needed to contain all the payload data, so there is no longer an absolute cap on total output bin size. There is, however, a hard-coded cap on the maximum size a single replacement file can be (800MB). Pandemic 1.1 also made some changes to improve the robustness of the swapping mechanism”

File Information of “Pandemic”

First version (1.0) of the “Pandemic” Developed on17 April, 2014 by Engineering Development Group of CIA and the versions has been updated on16 January 2015 with some extra capability including Replaced files up to 20 in victims machines.

Files Executable and DLL looks like Pandemic_Builder.exe, Control.dll

According to the  Leaked Sources File Registry access by “Pandemic” Performs like below

“S//NF) Pandemic registers a minifilter driver using Windows’ Flt* functions. As a result, FltMgr requires that all drivers registering as minifilters contain certain registry keys. Pandemic uses the ‘Null’ service key (on all Windows systems) as its own driver service key. Pandemic will create 2 sub keys and 3 values under the ‘Null’ service key in the registry. These values and sub keys are deleted when Pandemic is uninstalled at the end of its configured run timer, or when it is uninstalled via a special F&F (v2) DLL.These keys will NOT//NOT be deleted if the system is rebooted before the aforementioned scenarios occur”

you can Access full Leaked Document of CIA cyber weapon of Pandemic in WikiLeaks.

Also Read:

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Hackers Exploiting Zero-day Flaw in Qualcomm Chips to Attack Android Users

Hackers exploit a zero-day vulnerability found in Qualcomm chipsets, potentially affecting millions worldwide.The flaw,...

Foxit PDF Reader Vulnerability Let Attackers Execute Arbitary Code

Researchers recently disclosed six new security vulnerabilities across various software, as one critical vulnerability...

Wireshark 4.4.1 Released, What’s new!

Wireshark, the world’s leading network protocol analyzer, has just released version 4.4.1, bringing a...

Multiple VMware NSX Vulnerabilities Let Attackers Gain Root Access

VMware has disclosed multiple vulnerabilities in its NSX product line that could potentially allow...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

LemonDuck Malware Exploiting SMB Vulnerabilities To Attack Windwos Servers

The attackers exploited the EternalBlue vulnerability to gain initial access to the observatory farm,...

DCRAt Attacking Users Via HTML Smuggling To Steal Login Credentials

In a new campaign that is aimed at users who speak Russian, the modular...

LummaC2 Stealer Leverages Customized Control Flow Indirection For Execution

The LummaC2 obfuscator employs a novel control flow protection scheme designed specifically for its...