WikiLeaks has released documents from the CIA's "UMBRAGE Component Library (UCL)" project, produced by CIA contractor Raytheon Blackbird Technologies, which contain five secret malware-development-related proof-of-concept (PoC) reports prepared for the CIA.
This CIA project concerns malware research and the development of new malware; the documents mostly contain proof-of-concept ideas and assessments of malware attack vectors.
Defense contractor Raytheon supported the CIA surveillance project within the Remote Development Branch (RDB), analyzing malware attacks worldwide.
Raytheon acquired Blackbird Technologies, which offers persistent surveillance, secure tactical communications and cyber security solutions to the intelligence community, to build a cyber powerhouse.
Raytheon gave recommendations to CIA development teams for further investigation of persistent malware and for PoC development for the CIA's own malware projects.
The revealed documents describe five projects developed under CIA contractor Raytheon Blackbird Technologies.
HTTPBrowser Remote Access Tool
This CIA RAT project covers a variant of the HTTPBrowser Remote Access Tool, built in March 2015, which is used by the EMISSARY PANDA hacking group.
The RAT is deployed through an unknown initial attack vector and mainly targets Windows operating systems.
According to the leaked document: "The dropper consists of a self-extracting zip file containing three files. One of the files is a legitimate executable associated with a Citrix Single Sign-On product which will side-load the attacker's initial DLL. This will XOR decode and load APIs and the HTTPBrowser RAT."
Once the RAT has been copied to its installation location, it sets an Auto Start Execution Point (ASEP) and contacts the C&C server for further communication.
It can capture keystrokes from the compromised Windows machines.
Regin – Stealthy Surveillance
This project describes the highly sophisticated malware called Regin. Regin activity has been observed since 2013.
Regin is mainly focused on target surveillance and data collection, and it offers a high degree of flexibility and tailoring of attack capabilities to specific targets.
Its stealth capabilities keep it hidden from discovery, and portions of the attack are memory-resident.
According to the leaked document, the report mentions that Stage 4 modules inject code into services.exe, but no details are given regarding the methods or APIs used for code injection.
Regin infects both Windows and Linux operating systems.
This document reveals information about the information-stealing Trojan known as Gamker, which uses code injection and API hooking.
Gamker uses an interesting process for self-code injection that ensures nothing is written to disk.
The document suggested that the CIA develop a PoC for this self-code injection technique, which should help avoid detection by PSPs (personal security products).
The affected operating system for Gamker is Windows.
HammerToss – Stealthy Tactics
A Russian state-sponsored malware called HammerToss, discovered in early 2015, was discussed in this document.
"HammerToss is an interesting piece of malware because of its architecture, which leverages Twitter accounts, GitHub or compromised websites, basic steganography, and Cloud-storage to orchestrate command and control (C2) functions of the attack."
According to the document, HammerToss is an interesting malware sample; the interesting aspect is its architecture and its use of Twitter, compromised websites and cloud storage, but there is nothing on which a PoC recommendation can be made.
NfLog is a Remote Access Tool (RAT) used by SAMURAI PANDA; the malware was deployed via an Adobe Flash exploit.
This new variant also uses Google App Engine (GAE) hosting to proxy communications to its C2 server.
According to the document, NfLog uses the well-known UAC bypass technique of DLL side-loading CryptBase.dll on Windows Vista and newer operating systems to attempt UAC bypass and privilege escalation.
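Two of the behaviours described on this page, DLL side-loading (the Citrix executable loading the attacker's DLL in the HTTPBrowser dropper, and CryptBase.dll side-loading in NfLog) and code injection into services.exe (Regin's Stage 4 modules), leave traces in endpoint telemetry that a defender can hunt for. The following is an added example, not code from the leaked documents or from any vendor product: it applies two simple hunting rules to Sysmon-style events. The field names `Image`, `ImageLoaded` (Event ID 7, image load) and `SourceImage`, `TargetImage` (Event ID 8, CreateRemoteThread) are real Sysmon fields; the sample events, file paths, executable names and the extra system DLL names beyond CryptBase.dll are constructed assumptions for the demonstration.

```python
"""Hunting rules over constructed Sysmon-style events (added example):
 - Event ID 7: a DLL whose base name belongs to a Windows system DLL is
   loaded from outside the system directories (DLL side-loading).
 - Event ID 8: a remote thread is created in services.exe by a source
   image that does not live in a system directory (code injection)."""
import ntpath
from typing import Dict, List, Tuple

# DLL base names Windows normally serves only from its system directories.
# CryptBase.dll is named on the page; the others are assumed, commonly
# side-loaded system DLL names added for the hunt.
SYSTEM_DLLS = {"cryptbase.dll", "version.dll", "dwmapi.dll", "uxtheme.dll"}

# Directories that legitimately host system binaries (lower-case, normalised).
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")


def _norm(path: str) -> str:
    """Normalise a Windows path for comparison (ntpath works on any host OS)."""
    return ntpath.normpath(path).lower()


def _in_trusted_dir(directory: str) -> bool:
    """True when the normalised directory is, or lies under, a trusted system directory."""
    return any(directory == d or directory.startswith(d + "\\") for d in TRUSTED_DIRS)


def check_side_load(event: Dict[str, object]) -> str:
    """Image-load rule: return a reason when a system-named DLL is loaded
    from outside the trusted directories, otherwise an empty string."""
    exe = _norm(str(event["Image"]))
    dll = _norm(str(event["ImageLoaded"]))
    dll_dir, dll_name = ntpath.split(dll)
    if dll_name not in SYSTEM_DLLS or _in_trusted_dir(dll_dir):
        return ""
    if dll_dir == ntpath.dirname(exe):
        return "system-named DLL side-loaded from the application directory"
    return "system-named DLL loaded from an untrusted directory"


def check_services_injection(event: Dict[str, object]) -> str:
    """CreateRemoteThread rule: return a reason when a thread is created in
    services.exe by a source image outside the trusted directories."""
    src = _norm(str(event["SourceImage"]))
    tgt = _norm(str(event["TargetImage"]))
    if ntpath.basename(tgt) != "services.exe":
        return ""
    if _in_trusted_dir(ntpath.dirname(src)):
        return ""
    return "remote thread created in services.exe by an untrusted image"


def hunt(events: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """Apply the rule matching each event's ID; return (record id, reason) pairs."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        if ev["EventID"] == 7:
            reason = check_side_load(ev)
        elif ev["EventID"] == 8:
            reason = check_services_injection(ev)
        else:
            reason = ""
        if reason:
            findings.append((str(ev["RecordID"]), reason))
    return findings


# Constructed sample telemetry (not real logs); paths and names are made up.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"RecordID": "1", "EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\cryptbase.dll"},               # benign load
    {"RecordID": "2", "EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\cryptbase.dll"},   # side-load
    {"RecordID": "3", "EventID": 7, "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Users\Public\version.dll"},                       # untrusted dir
    {"RecordID": "4", "EventID": 7, "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\vendorlib.dll"},             # not a system name
    {"RecordID": "5", "EventID": 8, "SourceImage": r"C:\Windows\System32\lsass.exe",
     "TargetImage": r"C:\Windows\System32\services.exe"},                 # trusted source
    {"RecordID": "6", "EventID": 8, "SourceImage": r"C:\Users\alice\Downloads\loader.exe",
     "TargetImage": r"C:\Windows\System32\services.exe"},                 # injection
]

if __name__ == "__main__":
    for rec, why in hunt(SAMPLE_EVENTS):
        print(f"record {rec}: {why}")
```

On the constructed sample, records 2, 3 and 6 are flagged and the rest pass. The rules deliberately key on the DLL's base name and directory rather than on a signature check, because the page describes loaders that are legitimate signed executables; a production rule would add the signer of the loaded DLL and an allow-list for applications that ship their own copies of these DLLs.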