WikiLeaks on Friday published 27 documents detailing a framework allegedly used by the U.S. Central Intelligence Agency (CIA) to create custom installers for malware designed to target Windows systems.
The framework, dubbed “Grasshopper,” has been described as a tool that allows operators to build a custom installation executable, run that executable, and evaluate the results of the execution. The Grasshopper user guide specifies that the dropper should be loaded and executed only in memory.
Leaked documents show that Grasshopper provides various persistence mechanisms and allows users to define a series of conditions that need to be met before an installation is launched. These rules can help determine if the targeted device is running the correct version of Windows and if certain security products are present.
One of the persistence mechanisms highlighted by WikiLeaks involves the Windows Update Service, which can be abused to ensure that the payload is executed on every system boot or every 22 hours, when the service loads a series of DLLs specified in the registry.
WikiLeaks also highlighted Stolen Goods, a Grasshopper persistence module that borrows code from the notorious Carberp banking Trojan, whose source code was leaked a few years ago. The authors of Stolen Goods, however, pointed out that only some parts of the Carberp code were taken and those were heavily modified.
“The documents WikiLeaks publishes today provide an insights into the process of building modern espionage tools and insights into how the CIA maintains persistence over infected Microsoft Windows computers, providing directions for those seeking to defend their systems to identify any existing compromise,” WikiLeaks said.
This is the third round of files made public by WikiLeaks as part of the dump called Vault 7. The organization claims to possess numerous exploits allegedly used by the CIA and it has offered to share them with affected tech companies, but it appears that many firms are not willing to comply with WikiLeaks’ demands to obtain the information.
An analysis of the information made public to date has shown that many of the vulnerabilities have already been patched by security firms and tech giants such as Apple and Google. Cisco did admit finding a critical vulnerability affecting many of its switches following an analysis of the Vault 7 files.