CIA Malware Development Surveillance Project

WikiLeaks has released documents from the CIA surveillance project “UMBRAGE Component Library (UCL)”, produced by CIA contractor Raytheon Blackbird Technologies, which contain five secret malware development related proof-of-concept (PoC) reports prepared for the CIA.

This CIA project concerns malware research and the development of new malware; the documents mostly contain proof-of-concept ideas and assessments of malware attack vectors.

Defense contractor Raytheon supported the CIA surveillance project within the Remote Development Branch (RDB) by analyzing malware attacks seen worldwide.

Raytheon acquired Blackbird Technologies, which offers persistent surveillance, secure tactical communications and cyber security solutions to the intelligence community, to build a cyber powerhouse.

Raytheon provided recommendations to CIA development teams for further investigation of persistent malware and for PoC development for the CIA's own malware projects.

According to the revealed documents, the following five projects were developed under CIA contractor Raytheon Blackbird Technologies.

HTTPBrowser Remote Access Tool

A CIA RAT project describes an HTTPBrowser Remote Access Tool variant, built in March 2015, which is used by the EMISSARY PANDA hacking group.

This RAT is deployed through an unknown initial attack vector and mainly targets Windows operating systems.

According to the leaked document: “The dropper consists of a self-extracting zip file containing three files. One of the files is a legitimate executable associated with a Citrix Single Sign-On product which will side-load the attacker's initial DLL. This will XOR decode and load APIs and the HTTPBrowser RAT.”

Once the RAT has been copied to its installation location, it sets an Auto Start Execution Point (ASEP) for persistence and contacts its C&C server for further communication.

It can also capture keystrokes on the compromised Windows machines.

Regin – Stealthy Surveillance

This project describes the highly sophisticated malware called Regin, whose activities have been observed since 2013.

Regin is mainly focused on target surveillance and data collection, and it offers a high degree of flexibility, with attack capabilities tailored to specific targets.

Its stealth capabilities allow it to hide from discovery, and portions of the attack are memory-resident.

According to the leaked document, the report mentions that Stage 4 modules inject code into services.exe, but no details are given regarding the methods or APIs used for the code injection.

Regin infects both Windows and Linux operating systems.

Gamker

This document covers the information-stealing Trojan known as Gamker, which uses code injection and API hooking.

Gamker uses an interesting process for self-code injection that ensures nothing is written to disk.

The document suggested that the CIA develop a PoC for this self-code injection technique, which should help avoid detection by PSPs (personal security products).

The document also identifies the Windows OS versions and the applications affected by the Gamker malware.

HammerToss – Stealthy Tactics

A Russian state-sponsored malware called HammerToss, discovered in early 2015, is discussed in this document.

“HammerToss is an interesting piece of malware because of its architecture, which leverages Twitter accounts, GitHub or compromised websites, basic steganography, and Cloud-storage to orchestrate command and control (C2) functions of the attack”

According to the document, HammerToss is an interesting malware sample, but the interesting aspect is its architecture and its use of Twitter, compromised websites and cloud storage, so the authors state that there is nothing on which they can make a PoC recommendation.

NfLog

NfLog is a Remote Access Tool (RAT) used by SAMURAI PANDA; this malware was deployed via an Adobe Flash exploit.

This new variant also incorporates the use of Google App Engine (GAE) hosting to proxy communications to its C2 server.

According to the document, NfLog uses the well-known UAC bypass technique of DLL side-loading CryptBase.dll on Windows Vista and newer operating systems to attempt UAC bypass and privilege escalation.
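Two of the projects above share one defender-relevant mechanic: the HTTPBrowser dropper side-loads the attacker's DLL into a legitimate signed executable, and NfLog side-loads CryptBase.dll, a DLL that Windows only ships in its system directories. The script below is an added triage example, not code from the leaked documents or from Raytheon; it runs two detection rules over Sysmon ImageLoad (Event ID 7) records. The `Key=Value|Key=Value` log format, the `C:\Windows` system root, and every executable and DLL path in the sample are constructed placeholders, not identifiers taken from the documents.

```python
"""Triage helper: flag DLL side-loading indicators in Sysmon ImageLoad (Event ID 7) records.

Added example. The record format is a constructed key=value rendering of Sysmon's
fields (real Sysmon events arrive as EVTX/XML); all file names and paths in the
sample log are hypothetical placeholders.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass
from typing import Iterable

# DLL names that Windows ships only in its own system directories. A process that
# loads one of these from anywhere else is a side-loading / search-order hijack
# candidate; CryptBase.dll is the one the NfLog write-up singles out for UAC bypass.
SYSTEM_ONLY_DLLS = {"cryptbase.dll", "version.dll", "dwmapi.dll", "uxtheme.dll", "wtsapi32.dll"}

# Assumption: %SystemRoot% is C:\Windows. A production rule would resolve it per host.
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
WINSXS_PREFIX = "c:\\windows\\winsxs\\"


@dataclass(frozen=True)
class Finding:
    rule: str
    utc_time: str
    image: str          # process that performed the load
    image_loaded: str   # DLL that was mapped into it


def parse_record(line: str) -> dict[str, str]:
    """Parse one 'Key=Value|Key=Value' record into a dict (constructed format)."""
    fields: dict[str, str] = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def in_system_dir(path: str) -> bool:
    """True if the file sits directly in System32/SysWOW64 or anywhere under WinSxS."""
    directory = ntpath.dirname(path).lower().rstrip("\\")
    return directory in SYSTEM_DIRS or directory.startswith(WINSXS_PREFIX)


def analyse_record(fields: dict[str, str]) -> list[Finding]:
    """Apply both side-loading rules to a single record; non-ImageLoad events yield nothing."""
    findings: list[Finding] = []
    if fields.get("EventID") != "7":
        return findings

    image = fields.get("Image", "")
    loaded = fields.get("ImageLoaded", "")
    when = fields.get("UtcTime", "")
    dll_name = ntpath.basename(loaded).lower()
    unsigned = fields.get("Signed", "").lower() == "false"

    # Rule A: a system-only DLL name resolved outside the system directories.
    # This is the CryptBase.dll pattern from the NfLog section and the general
    # search-order hijack that underlies most side-loading.
    if dll_name in SYSTEM_ONLY_DLLS and not in_system_dir(loaded):
        findings.append(Finding("system-dll-loaded-outside-system-dir", when, image, loaded))

    # Rule B: an unsigned DLL loaded from the executable's own directory, where the
    # executable itself is not a system binary. This is the HTTPBrowser dropper shape
    # (legitimate vendor EXE unpacked next to the attacker's DLL). It is a weaker signal,
    # since many applications ship private DLLs, so treat it as a triage lead.
    same_dir = bool(loaded) and ntpath.dirname(loaded).lower() == ntpath.dirname(image).lower()
    if unsigned and same_dir and not in_system_dir(image):
        findings.append(Finding("unsigned-dll-from-app-dir", when, image, loaded))

    return findings


def analyse_log(lines: Iterable[str]) -> list[Finding]:
    """Run the rules over every non-empty line and return the findings in log order."""
    results: list[Finding] = []
    for line in lines:
        if line.strip():
            results.extend(analyse_record(parse_record(line)))
    return results


# Constructed sample log: two suspicious loads, two benign loads, one non-ImageLoad event.
SAMPLE_LOG = """\
EventID=7|UtcTime=2015-03-10 09:12:01.100|Image=C:\\Users\\victim\\AppData\\Local\\Temp\\7zS4F2\\sso_client.exe|ImageLoaded=C:\\Users\\victim\\AppData\\Local\\Temp\\7zS4F2\\ssohelper.dll|Signed=false
EventID=7|UtcTime=2015-03-10 09:12:01.250|Image=C:\\Users\\victim\\AppData\\Local\\Temp\\stage\\updater.exe|ImageLoaded=C:\\Users\\victim\\AppData\\Local\\Temp\\stage\\CryptBase.dll|Signed=false
EventID=7|UtcTime=2015-03-10 09:13:44.000|Image=C:\\Program Files\\ExampleApp\\app.exe|ImageLoaded=C:\\Windows\\System32\\CryptBase.dll|Signed=true
EventID=7|UtcTime=2015-03-10 09:13:44.020|Image=C:\\Program Files\\ExampleApp\\app.exe|ImageLoaded=C:\\Program Files\\ExampleApp\\app_core.dll|Signed=true
EventID=1|UtcTime=2015-03-10 09:13:45.000|Image=C:\\Program Files\\ExampleApp\\app.exe|CommandLine=app.exe --start
""".splitlines()


if __name__ == "__main__":
    for f in analyse_log(SAMPLE_LOG):
        print(f"{f.utc_time}  {f.rule:<40} {f.image} -> {f.image_loaded}")
```

Run against the sample, the script reports three findings: the unsigned helper DLL beside the unpacked SSO executable (Rule B), and the CryptBase.dll copy in a temp directory under both rules. The legitimate CryptBase.dll load from System32 and the vendor's own signed DLL produce nothing, which is the point of keying Rule A on the directory rather than the file name alone.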


Previous CIA Leaked Tools by WikiLeaks

HighRise Vault 7 Leaks : CIA Android Hacking Tool “HighRise” Steals Data From Compromised Android Phones via SMS – WikiLeaks

Gyrfalcon – Vault 7 Leaks: CIA Hacking Tools “BothanSpy” and “Gyrfalcon” Steals SSH Credentials From Windows and Linux Computers – WikiLeaks

OutlawCountry – Vault 7 Leaks: CIA Malware “OutlawCountry” Controls Linux Machine and Redirect the Victims Traffic into CIA Controlled Machine – WikiLeaks

ELSA – Vault 7 Leaks: CIA Malware “ELSA” Tracking Geo-Location of WiFi Enabled Windows Computers – WikiLeaks

Brutal Kangaroo – CIA Hacking Tool “Brutal Kangaroo” Revealed to Hack Air-Gapped Networks by using USB Thumb Drives – WikiLeaks

CherryBlossom – Wikileaks Revealed New CIA Wireless Hacking Tool “Cherry Blossom” Compromise Your Wireless Network Devices using MITM Attack

Pandemic – New CIA Cyberweapon Malware “Pandemic” installed in Victims Machine and Replaced Target files where remote users use SMB to Download