Vault 7 Leaks : CIA Malware “ELSA” Tracking Geo-Location of WiFi Enabled Windows Computers – WikiLeaks

WikiLeaks Revealed an another Document of  CIA Malware Called “ELSA” have an ability to Tracking Geo-Location information of WiFi enabled nearby Target Windows Computers based on the ESS (Extended Service Set) Data and Transfer the latitude, longitude information into 3rd Party Database.

ELSA Malware Collecting the targeted WiFi Enabled  Computers Information as Metadata Format and then it transmitting the Metadata to 3rd Party databases for resolution into latitude, longitude and saves its data in  128 bit AES encrypted file.

Few Week’s Before WikiLeaks Revealed a CIA Cyber Weapon  “Brutal Kangaroo” to  targets closed networks by air gap jumping using thumbdrives.

To Collecting the data and location information of target machine ,This  “ELSA”  Malware doesn’t have Victim to be  online. ELSA only need the target to be running with an enabled WiFi device.

Once Infected Windows Machine Connected to the internet then ELSA Malware Automatically Collecting the targets information longitude and latitude data along with the timestamp by using public geo-location databases from Google or Microsoft.

According to the CIA Revealed Secret Document,” The ELSA project allows the customization of the implant to match the target environment and operational objectives like sampling interval, the maximum size of the log file and invocation/persistence method.”

How Does ELSA Collecting Geo-Location Information

ELSA Malware Contain 2 Major Components to perform the Operation of Tracking the Victims.

• Operator Terminal – First implant is an Operator(Attacker) Icon Attack Box.
• Windows Target- – Second implant of ELSA variant deployed on a target Windows host

ELSA Successfully initiate the Attack, targeting  Windows Machine Must be WiFi enabled and deployed in an environment with WiFi access points in range.

Once ELSA persistently installed on a target machine using separate CIA exploits, the malware scans visible WiFi access points and records the ESS(Extended Service Set Identifier) identifier, MAC address and signal strength at regular intervals.

According to Document, The ELSA software system is delivered in two sets of zip files with embedded hash files containing the project name, version, and algorithm used to calculate the hash:

• elsa-v1.0.0-docs.zip
• sha1-windows.txt
• elsa-v1.0.0-windows.zip
• sha1-windows-images.txt

Based on the Schedule Done by the Attacker, implant begins collecting WiFi access point information.

ElSA Using PATCHER tool to configure ELSA  for deployment and Target Machine and it specify,

• The target machine’s architecture (x86 vs. x64)
• The desired mode (dllhost, svchost, rundll32 )
• The desired geo provider (microsoft / google)
• SECRET//NOFORN
• The desired maximum log file size
• Whether or not to resolve ap lists into geo’s from the target

After Successfully Deployed the Malware into the target machine , CIA operator Fetching the log information of the Targets GEO Location as Log file by using  tools that helps to Operator placed ELSA on his system.

Finally Operator Decrypt the logfile that contains the information about the Victims Geo locations and CIA using EES Geo-location databases to identify the better locations information.

Previous CIA Leaked Tools by WikiLeaks

Brutal Kangaroo – CIA Hacking Tool “Brutal Kangaroo” Revealed to Hack Air-Gapped Networks by using USB Thumb Drives -WikiLeaks

CherryBlossom –  Wikileaks Revealed New CIA Wireless Hacking Tool “Cherry Blossom” Compromise Your Wireless Network Devices using MITM Attack

Pandemic –  New CIA Cyberweapon Malware “Pandemic” installed in Victims Machine and Replaced Target files where remote users use SMB to Download