i CouchPotato – CIA hacking tool to collection against RTSP/H.264 video streams – All things in moderation

CouchPotato – CIA hacking tool to collection against RTSP/H.264 video streams

10 August, 2017 wikileaks publishes user guide documents from the CIA Dumbo project. CouchPotato is a remote tool for collection against RTSP/H.264 video streams.

Real Time Streaming Protocol, or RTSP, is a network control protocol designed for use in entertainment and communication systems for controlling streaming media servers.

CouchPotato gives CIA hackers ability to collect either the stream as a video file (AVI) or capture still images (JPG) of frames from the stream that are of significant change from a previously captured frame.

The tool utilises FFmpeg for video and image encoding and decoding and Real Time Streaming Protocol connectivity.

The CouchPotato tool works stealthily without leaving any evidence on the targeted systems because it has been designed to support ICE v3 “Fire and Collect” loader.

In-memory Code Execution (ICE) modules are relocatable portable executable files (normally DLL files) that expose a function exported by ordinal. These modules are designed to be used by an ICEaware loader that loads the module file and creates a thread that calls the exported function without the module code being written to disk.

However, user guide document don’t show details how the agency penetrates into the targeted systems at the first place, but since the publication has previously leaked many CIA malware, exploits and hacking to get into the network, CouchPotato maybe can be used in combining with other tools.

Previous CIA documents Leaked:

Dumbo – A tool that capability to suspend processes utilizing webcams and corrupt any video recordings that could compromise a PAG deployment.

Imperial – The CIA project Developed three hacking tools and implants designed to target computers running Apple Mac OS X and different flavours of Linux operating systems.

Raytheon – Raytheon Blackbird, the technologies for the Remote Development Branch (RDB) of the CIA by analysing malware attacks in the wild and giving recommendations to the CIA development teams for further investigation and PoC development for their own malware projects.

Highrise – an SMS messaging Android application designed for mobile devices running Android 4.0 to 4.3, that provides a communications channel between the HighRise field operator and the LP with a TLS/SSL secured internet communication.

BothanSpy – Two CIA project (BothanSpy and Gyrfalcon) that allowed the attacker to intercept and exfiltrate SSH (Secure Shell) credentials from targeted Windows and Linux operating systems using different attack vectors.

OutlawCountry – The project that targets computers running the Linux operating system allow hackers redirect all outbound network traffic on the targeted machine to CIA controlled computer systems for exfiltrate and infiltrate data.

Elsa – The CIA malware that tracks geo-location of targeted PCs and laptops running the Microsoft Windows operating system.

Brutal Kangaroo – A tool suite for Microsoft Windows that targets closed networks or air-gapped computer systems within an organization or enterprise without requiring any direct access.

Cherry Blossom – A framework, basically a remotely controllable firmware-based implant, used for spying on the Internet activity of the targeted systems by exploiting flaws in WiFi devices.

Pandemic – a CIA’s project that allowed the attacker to turn Windows file servers into covert attack machines that can silently infect other computers of interest inside a targeted network.

Athena – a spyware framework that has been designed to take full control over Windows PCs remotely, and works against every version of Microsoft’s Windows operating systems, from Windows XP to Windows 10.

AfterMidnight and Assassin – Two apparent CIA malware frameworks for the Windows platform that has been designed to monitor and report back activities of the infected remote host computer and execute malicious actions.

Archimedes – Man-in-the-Middle attack tool created by the CIA to target computers inside a Local Area Network (LAN). Scribbles – Software reportedly designed to embed ‘web beacons’ into confidential files and documents, allowing the attacker to track whistleblowers and insiders.

Grasshopper – A framework which allowed the attacker to easily create custom malware for breaking into Windows operating system and bypassing antivirus protection.

Marble – The source code of a secret anti-forensic framework, basically an obfuscator or a packer used by the spying attacker to hide the actual source of its malware.

Dark Matter – Revealed hacking exploits the CIA designed to target iPhones and Macs.

Year Zero – The first full part of the series includes several CIA hacking exploits for popular hardware and software (8,761 documents and files from an isolated, high-security network situated inside the CIA’s Center for Cyber Intelligence in Langley, Virgina).

References

Vault 7: Projects https://wikileaks.org/vault7/
CouchPotato user guide document: https://wikileaks.org/vault7/document/Couch_Potato-1_0-User_Guide/

Leave a Reply