As a part of the ongoing CIA Vault 7 series, WikiLeaks has published some new documents. The leaks share details regarding CIA’s partnership with Raytheon Blackbird Technologies, which helped CIA with insights into the malware development.
The documents also briefly describe 5 CIA-Raytheon malware and their attack vectors.
Since early 2017, whistleblower website WikiLeaks has been publishing secret CIA documents and the malware used by them to take control of all sort of electronic devices. In the ongoing Vault 7 series, WikiLeaks has recently published documents from CIA contractor Raytheon Blackbird Technologies.
It should be noted that Raytheon acted as a technology scout for CIA’s Remote Development Branch (RDB). The scout made recommendations to the CIA teams for further research and malware development.
So, without further delay, let’s tell you about the 5 CIA-Raytheon malware described in the leaked documents:
1. HTTPBrowser RAT
The first document gives an introduction to a new variant of the HTTPBrowser Remote Access Tool (RAT). The malware’s dropper has a zip file that contains 3 files. This RAT captures keystrokes and writes it to a file. It continuously talks to the C&C (command and control) server in clear text communications.
NfLog RAT is also known as IsSpace. This new malware variant is deployed using the leaked Hacking Team Adobe Flash exploit which uses CVE 2015-5122. For C&C communications, NfLog also uses the Google App Engine. By using UAC bypass technique, it attempts UAC bypass and privilege escalation on Windows operating system.
Reign is a sophisticated malware sample that has been in use as early as 2008, with its new iteration appearing in 2013. What makes Reign special is its modular architecture that grants flexibility to the attackers. It also features the capability to hide itself from detection. The attack via Reign is carried out in 5 stages, with the last granting functionalities like file system access, networking, event logging, port loading, rootkit functions, etc.
HammerToss is probably a Russian-sponsored malware. It leverages compromised websites, GitHub, Twitter accounts, and cloud storage for taking care of the C&C functions. Written in C#, HammerToss uses a dedicated program to create new Twitter accounts and use them to execute commands and get the data uploaded by the victim.
Gamker is an information stealing Trojan that uses the process of self-code injection to make sure that nothing is written to disk. Gamker is also able to gain some obfuscation characteristics by using Assembly language instruction in hooking routine.