i CIA – Raytheon Blackbird Technologies – All things in moderation

CIA – Raytheon Blackbird Technologies

19 July, 2017 wikileak s publishes documents from the CIA Raytheon Blackbird technology .


The documents were submitted to the CIA between November 21st 2014 (just two weeks after Raytheon acquired Blackbird Technologies to build a Cyber Powerhouse) and September, 11th 2015. They mostly contain Proof-of-Concept ideas and assessments for malware attack vectors – partly based on public documents from security researchers and private enterprises in the computer security field.
Wikileak read.

Raytheon Blackbird are the technologies for the Remote Development Branch (RDB) of the CIA by analysing malware attacks in the wild and giving recommendations to the CIA development teams for further investigation and PoC development for their own malware projects.

The following is the documents provided by Raytheon project.

HTTPBrowser Remote Access Tool

The report details a new variant of the HTTPBrowser Remote Access Tool (RAT) used by APT organization EMISSARY PANDA. This new variant was built in March of 2015 and is deployed through an unknown initial attack vector.

Document: https://wikileaks.org/vault7/document/2015-09-20150911-279-CSIT-15083-HTTPBrowser/

NfLog Remote Access Tool

The report details the new variants of the NfLog Remote Access Tool (also known as “IsSpace”) organized by SAMURAI PANDA for cyber espionage. In addition, the report not only indicates that IsSpace exploited the Adobe Flash vulnerability (CVE-2015-5122) developed by Hacking Team. This also incorporates the use of the Google App Engine (GAE) hosting to proxy communications to its C2 Server.

Document: https://wikileaks.org/vault7/document/2015-09-20150911-280-CSIT-15085-NfLog/

Regin Spy Tools

This report is a high-level analysis of the first discovery of the spy tool Regin in 2013. The Regin Web Spy tool, allegedly developed by CIA, is an extremely complex sample of malware. There are indications that the malware has been in use since 2008, but most people believe that the current Regin iteration can be traced back to 2013. Regin is its modular architecture, which affords a high degree of flexibility and
tailoring of attack capabilities to specific targets. Another impressive aspect of Regin is its stealthiness, its ability to hide itself from discovery and portions of the attack are memoryresident only.

Document: https://wikileaks.org/vault7/document/2015-09-20150911-276-Symantec-Regin/

HammerToss Malware

This report details the malware HammerToss discovered early 2015. A suspected Russian State-sponsored malware sample discovered in early 2015 and suspected as being operational since late 2014. HammerToss is also an extremely interesting malware because its architecture can take advantage of Twitter accounts, GitHub accounts, attacked sites with cloud storage attacks on command and control (C2) functions of the attack.

Document: https://wikileaks.org/vault7/document/2015-09-20150911-277-FireEye-HammerToss/

Gamker Trojan

This document describes in detail the self-encoded injection and API connection methods that steal sensitive information. In August 2015, three-page report from Virus Bulletin contains more technical detail than many 30+ page reports from other sources.

Document: https://wikileaks.org/vault7/document/2015-09-20150911-278-VB-Gamker/

Previous CIA documents Leaked: http://hydrasky.com/network-security/wikileaks-cia-leak-vault-7-projects-series/

References

Vault 7: Projects https://wikileaks.org/vault7/

Leave a Reply