#Vault7: WikiLeaks release shows CIA ‘Grasshopper’ used stolen ‘Russian mafia’ malware
The latest release consists of 27 documents WikiLeaks claims come from the CIA’s ‘Grasshopper framework’, a platform for building malware for use on Microsoft Windows operating systems.
In a statement from WikiLeaks, ‘Grasshopper’ was described as providing the CIA with the ability to build a customized implant which will behave differently, depending on the security capabilities of a computer.
According to WikiLeaks, Grasshopper performs “a pre-installation survey of the target device, assuring that the payload will only [be] installed if the target has the right configuration.”
This allows CIA operators to detect if a target device is running a specific version of Microsoft Windows or if an antivirus is running, according to the statement.
Grasshopper allows tools to be installed and run on a machine without detection using PSP avoidance, allowing it to avoid Personal Security Products such as 'MS Security Essentials', 'Rising', 'Symantec Endpoint' or 'Kaspersky IS'.
One of the so-called persistence mechanisms, which allow malware to avoid detection and remain on a computer system indefinitely, is known as ‘Stolen Goods’.
In the WikiLeaks release, it is credited to Umbrage, a group within the CIA’s Remote Development Branch (RDB) which was linked in the ‘Year Zero’ release to collecting stolen malware and using it to hide its own hacking fingerprints.
The components of the Stolen Goods mechanism were taken from malware known as Carberp, “a suspected Russian organized crime rootkit,” alleges WikiLeaks.
Stolen Goods targets the boot sequence of a Windows machine, loading a driver onto the system that allows it to continue executing code when the boot process is finished.
WikiLeaks confirmed that the CIA did not merely copy and paste the suspected Russian malware but appropriated “[the] persistence method, and parts of the installer,” which were then modified to suit the CIA’s purposes.
The latest release came with an emblem containing a grasshopper and the words: “Look before you leap,” a possible reference to how the latest leaked tools would allow the CIA to prepare a machine for future hacking, without raising suspicion.
The rootkits can be installed and used as a 'man on the inside' who can allow more malicious software through undetected in future, if the CIA felt it necessary. If suspicions were raised on initial installation, they would know not to proceed with a more extensive operation.
Also detailed in the release are Buffalo and Bamboo, modules that hide malware inside DLLs, the shared libraries on a Windows system.
The two modules operate in slightly different ways: Buffalo runs immediately on installation whereas Bamboo requires a reboot to function properly.
The goal of today’s release is to help users seeking to defend their systems against any existing compromised security systems, WikiLeaks stated.
Also detailed in the release is ScheduledTask, a component of ‘Grasshopper’ that allows it to utilize Windows Task Scheduler to schedule executables.
The component would allow the executables to run automatically at startup or logon, before killing them at the end of their duration. Included in ScheduledTask are commands that allow the executables' names and descriptions to be hidden.
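For defenders, the traits described for ScheduledTask can be checked in a task definition exported as Task Scheduler XML. The sketch below is an added example, not code from the WikiLeaks release or from Grasshopper. It assumes the described behaviour corresponds to the schema's `BootTrigger`/`LogonTrigger`, `StopAtDurationEnd`, `Hidden` and `Description` elements, and the sample task and its path are constructed.

```python
import xml.etree.ElementTree as ET

# Namespace of the Windows Task Scheduler XML schema.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample task for illustration; not taken from the leaked documents.
SAMPLE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Description></Description></RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Repetition>
        <Interval>PT1H</Interval><Duration>P1D</Duration>
        <StopAtDurationEnd>true</StopAtDurationEnd>
      </Repetition>
    </LogonTrigger>
  </Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions><Exec><Command>C:\Users\Public\example.exe</Command></Exec></Actions>
</Task>"""

def _is_true(value):
    return (value or "").strip().lower() == "true"

def review_task(xml_text):
    """Return (findings, commands) for one exported task definition."""
    root = ET.fromstring(xml_text)
    findings = []
    # Startup and logon triggers give an executable persistence across reboots.
    for kind in ("BootTrigger", "LogonTrigger"):
        for trig in root.findall(f"t:Triggers/t:{kind}", NS):
            findings.append(f"runs via {kind}")
            stop = trig.findtext("t:Repetition/t:StopAtDurationEnd", "", NS)
            if _is_true(stop):
                findings.append(f"stopped at end of duration ({kind})")
    # Hidden tasks are not shown by default in the Task Scheduler UI.
    if _is_true(root.findtext("t:Settings/t:Hidden", "", NS)):
        findings.append("task is marked Hidden")
    if not root.findtext("t:RegistrationInfo/t:Description", "", NS).strip():
        findings.append("empty description")
    commands = [c.text for c in root.findall("t:Actions/t:Exec/t:Command", NS)]
    return findings, commands

if __name__ == "__main__":
    found, cmds = review_task(SAMPLE_TASK)
    print(cmds, found)
```

None of these traits is malicious on its own; the combination is a reason to look at what the listed command actually is.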
The release is the fourth in a series called ‘Vault 7’, which WikiLeaks claims contains documents taken from within the CIA. Releases so far include ‘Zero Days’, which detailed the CIA’s hacking of Samsung smart TVs, and ‘Marble’, which allowed the CIA to disguise their hacks and attribute them to someone else, including Russia.