WikiLeaks has now released a new set of 27 documents describing “Grasshopper”, a CIA malware framework for Windows, as part of its “Vault 7” series of leaks about the U.S. Central Intelligence Agency (CIA).
Named Grasshopper, these 27 manuals explain a CLI-based framework developed by the CIA to build “customised malware” payloads for breaking into Microsoft’s Windows operating system and bypassing antivirus protection.
According to WikiLeaks, Grasshopper performs “a pre-installation survey of the target device, assuring that the payload will only [be] installed if the target has the right configuration.”
The Grasshopper guides are user manuals for CIA operators and contain more in-depth information. Read the PDF manual here.
How Does CIA’s Grasshopper Work?
Grasshopper first performs a pre-installation survey of the target device, which includes the operating system and antivirus details; a customised payload is then built based on those technical details.
The framework then automatically assembles several components for the attack. In the end, Grasshopper delivers a Windows installer that CIA operatives can run on a target computer to install their custom-built malware payload.
CIA’s Grasshopper Persistence Mechanisms:
Grasshopper allows tools to be installed using a variety of evasive persistence mechanisms and various modified encryption techniques.
“A Grasshopper executable contains one or more installers. An installer is a stack of one or more installer components”. “Grasshopper invokes each component of the stack in series to operate on a payload. The ultimate purpose of an installer is to persist a payload”.
WikiLeaks claims the Grasshopper framework is specifically designed to evade detection even by the best-known and world-leading anti-virus products, including Microsoft Security Essentials, Kaspersky Lab, and Symantec Endpoint.
One of the so-called persistence mechanisms, “Stolen Goods” [2nd PDF], allows malware to evade detection and remain on a targeted computer system.
The Stolen Goods component is taken from a malware known as “Carberp”, a suspected Russian organised-crime rootkit, confirming that the CIA recycles malware found on the Internet.
Stolen Goods targets the boot sequence of the Windows operating system and loads a driver into Windows that allows it to continue executing code after the boot process has finished.
WikiLeaks claims that the CIA did not merely copy and paste the suspected Russian malware but appropriated “[the] persistence method, and parts of the installer,” which were then modified to suit the CIA’s purposes.
So far, WikiLeaks has revealed “Year Zero” as part of “Vault 7”, which uncovered CIA exploits for various popular hardware and software; “Dark Matter”, which focused on hacking techniques and exploits targeting iPhones, iPads and Macs; and the third release, “Marble”, which revealed the source code of a secret forensic framework used to obfuscate the sources of malware deployed by the CIA.
The documents WikiLeaks released provide insight into how the CIA builds modern espionage tools for hacking and maintaining persistence on various devices.