27 July, 2017 Wikileaks has published new documents from the Imperial project of the CIA. The project is made up of three tools: Achilles and SeaPea, which target MacOS X, and Aeris, which targets Linux and other POSIX systems, including Debian, RHEL, CentOS, Solaris and FreeBSD.
Achilles — Tool to Backdoor MacOS X Disk Images
Achilles is a capability, written in Bash, that provides an operator the ability to trojan a MacOS X disk image (.dmg) installer with "one or more desired operator specified executables" for a one-time execution. It runs on MacOS X 10.6.
When a user downloads an infected disk image on an Apple computer, opens it and installs the software, the malicious executables also run in the background. Afterwards, all traces of the Achilles tool are "removed securely" from the downloaded application so that it "exactly resembles" the original, un-trojaned application, making the initial infection vector hard for investigators and antivirus software to detect.
SeaPea — Stealthy Rootkit For MacOS X Systems
SeaPea is a MacOS X rootkit that "provides stealth and tool launching capabilities". It runs on MacOS X 10.6 and 10.7, allowing CIA operators to infiltrate and control target computers without their owners' knowledge.
The rootkit requires root access to be installed on a target Mac and cannot be removed unless the startup disk is reformatted or the infected Mac is upgraded to the next version of the operating system.
Aeris — An Automated Implant For Linux Systems
Aeris is an automated implant written in C that supports a number of POSIX-based systems (Debian, RHEL, Solaris, FreeBSD, CentOS).
It supports automated file exfiltration, configurable beacon interval and jitter, standalone and Collide-based HTTPS LP support and SMTP protocol support — all with TLS encrypted communications with mutual authentication.
It is compatible with the NOD Cryptographic Specification and provides structured command and control that is similar to that used by several Windows implants.
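An implant with a configurable beacon interval and jitter, as described above, is designed so that its call-backs to the listening post do not land on an exact period. The following Python is an added example, not code from the leaked documents or from Aeris, of the defensive side of that feature: it reads a constructed connection log, computes the inter-arrival times per (source, destination) pair and flags pairs whose timing is regular enough to be a beacon even after jitter. The log format, the IP addresses and the thresholds are assumptions; the caveat to keep in mind is that a large jitter setting widens the spread of intervals and pushes the pair past the dispersion threshold, so this check should be tuned to the traffic volume and period you expect rather than used with fixed values.

```python
"""Beacon detection over a constructed connection log.

Added example (not from the WikiLeaks Imperial documents or from Aeris):
flags (src, dst) pairs whose connection timing looks like a periodic
beacon even when the implant adds random jitter to each sleep interval.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed sample log, one "<ISO timestamp> <src> <dst>:<port>" per line.
# 10.0.0.5 beacons to 203.0.113.10 roughly every 300 s with about 10 % jitter
# (an assumed setting); 10.0.0.7 is ordinary, bursty user traffic.
SAMPLE_LOG = """\
2017-07-27T09:00:00 10.0.0.5 203.0.113.10:443
2017-07-27T09:05:12 10.0.0.5 203.0.113.10:443
2017-07-27T09:09:48 10.0.0.5 203.0.113.10:443
2017-07-27T09:15:03 10.0.0.5 203.0.113.10:443
2017-07-27T09:19:35 10.0.0.5 203.0.113.10:443
2017-07-27T09:24:50 10.0.0.5 203.0.113.10:443
2017-07-27T09:29:41 10.0.0.5 203.0.113.10:443
2017-07-27T09:00:03 10.0.0.7 198.51.100.20:443
2017-07-27T09:00:09 10.0.0.7 198.51.100.20:443
2017-07-27T09:00:10 10.0.0.7 198.51.100.20:443
2017-07-27T09:31:40 10.0.0.7 198.51.100.20:443
2017-07-27T09:32:02 10.0.0.7 198.51.100.20:443
2017-07-27T10:05:00 10.0.0.7 198.51.100.20:443
2017-07-27T10:05:01 10.0.0.7 198.51.100.20:443
"""


def parse_log(text):
    """Group connection timestamps by (src, dst) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def beacon_score(timestamps):
    """Return (connection count, median interval in s, coefficient of variation).

    A low coefficient of variation (stddev / mean of the inter-arrival
    times) means the intervals cluster around one period, which is what
    a jittered sleep loop produces and what user-driven traffic does not.
    """
    ts = sorted(timestamps)
    deltas = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(deltas) < 2:
        return len(ts), None, None
    mean = sum(deltas) / len(deltas)
    cv = pstdev(deltas) / mean if mean > 0 else float("inf")
    return len(ts), median(deltas), cv


def find_beacons(text, min_connections=5, max_cv=0.25):
    """Return {(src, dst): (count, median_interval, cv)} for beacon-like pairs.

    max_cv=0.25 tolerates uniform jitter of roughly +/-40 % of the period;
    an implant configured with more jitter than that will slip past this
    check, so the threshold is a tuning decision, not a constant.
    """
    result = {}
    for pair, stamps in parse_log(text).items():
        count, med, cv = beacon_score(stamps)
        if count >= min_connections and cv is not None and cv <= max_cv:
            result[pair] = (count, med, round(cv, 3))
    return result


if __name__ == "__main__":
    for pair, (count, med, cv) in find_beacons(SAMPLE_LOG).items():
        print(f"{pair[0]} -> {pair[1]}: {count} connections, "
              f"median interval {med:.0f}s, cv {cv}")
```

On the sample above the beaconing host is reported with a median interval near 300 s and a coefficient of variation around 0.06, while the bursty host has a coefficient of variation above 1 and is not reported. Against real netflow or proxy logs the same logic should be run per destination over a window long enough to hold several beacons at the slowest period you care about.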
Previous CIA tools and documents leaked:
Raytheon – Raytheon Blackbird Technologies, a contractor working for the Remote Development Branch (RDB) of the CIA, analysed malware attacks in the wild and gave recommendations to the CIA development teams for further investigation and PoC development for their own malware projects.
Highrise – an SMS messaging Android application designed for mobile devices running Android 4.0 to 4.3, that provides a communications channel between the HighRise field operator and the LP with a TLS/SSL secured internet communication.
BothanSpy – Two CIA projects (BothanSpy and Gyrfalcon) that allowed the attacker to intercept and exfiltrate SSH (Secure Shell) credentials from targeted Windows and Linux operating systems using different attack vectors.
OutlawCountry – A project that targets computers running the Linux operating system and allows the attacker to redirect all outbound network traffic on the targeted machine to CIA-controlled computer systems in order to exfiltrate and infiltrate data.
Elsa – The CIA malware that tracks geo-location of targeted PCs and laptops running the Microsoft Windows operating system.
Brutal Kangaroo – A tool suite for Microsoft Windows that targets closed networks or air-gapped computer systems within an organization or enterprise without requiring any direct access.
Cherry Blossom – A framework, basically a remotely controllable firmware-based implant, used for spying on the Internet activity of the targeted systems by exploiting flaws in WiFi devices.
Pandemic – A CIA project that allowed the attacker to turn Windows file servers into covert attack machines that can silently infect other computers of interest inside a targeted network.
Athena – a spyware framework that has been designed to take full control over Windows PCs remotely, and works against every version of Microsoft’s Windows operating systems, from Windows XP to Windows 10.
AfterMidnight and Assassin – Two apparent CIA malware frameworks for the Windows platform that have been designed to monitor and report back the activities of the infected remote host computer and execute malicious actions.
Archimedes – Man-in-the-Middle attack tool created by the CIA to target computers inside a Local Area Network (LAN).
Scribbles – Software reportedly designed to embed "web beacons" into confidential files and documents, allowing the attacker to track whistleblowers and insiders.
Grasshopper – A framework which allowed the attacker to easily create custom malware for breaking into Windows operating system and bypassing antivirus protection.
Marble – The source code of a secret anti-forensic framework, basically an obfuscator or a packer used by the spying attacker to hide the actual source of its malware.
Dark Matter – Revealed hacking exploits the CIA designed to target iPhones and Macs.
Year Zero – The first full part of the series includes several CIA hacking exploits for popular hardware and software (8,761 documents and files from an isolated, high-security network situated inside the CIA's Center for Cyber Intelligence in Langley, Virginia).