Wikileaks published another batch of classified documents from the CIA Vault 7 leak, it includes details of the Imperial project.
Today another batch of classified documents from the CIA Vault 7 leak was published by Wikileaks. The documents are related to a CIA project codenamed ‘Imperial,’ they include details of three CIA hacking tools and implants that have been designed to compromise computers running Apple Mac OS X and different Linux distributions.
The three hacking tools are:
- Achilles — A tool to trojanize a legitimate OS X disk image (.dmg) installer.
- SeaPea — A Stealthy Rootkit For Mac OS X Systems
- Aeris — An Automated Implant For Linux Systems
Achilles is a hacking tool that allows CIA operators to package malicious codes with a legitimate Mac OS app into a disk image installer (.DMG) file. According to the documents, Achilles v1.0 was developed in 2011, the CIA experts only tested it on Mac OS X 10.6 (Apple Snow Leopard OS launched in 2009).
The tool is a shell script written in Bash that gives the operators “one or more desired operator specified executables” for a one-time execution.
In a classic attack scenario, the target individuals download an infected disk image on their computer, once they will open and install the software, the malware would run in the background.
Once the malware is executed, it will erase any trace of the Achilles from the downloaded application so that the file would “exactly resemble” the original legitimate software. This behavior makes hard the investigation of the malware from security experts and antivirus software.
The SeaPea hacking tool is a Mac OS X Rootkit that gives CIA operators stealth and tool launching capabilities by hiding important files, processes and socket connections from the users.
It was developed in 2011, according to the documents SeaPea works on computers running then-latest Mac OS X 10.6 (Snow Leopard) Operating System (32- or 64-bit Kernel Compatible) and Mac OS X 10.7 (Lion) Operating System.
CIA operators need a root access to infect the target Mac computer, the hacking tools can be removed reformatting the startup disk or upgrading the OS to the next version.
The Aeris hacking tool is an automated implant written in C programming language that could be used to backdoor portable Linux-based Operating Systems, including Debian, CentOS, Red Hat, FreeBSD and Solaris.
Below the list of features implemented by Aeris:
- Configurable beacon interval and jitterStandalone and Collide-based HTTPS LP support
- Standalone and Collide-based HTTPS LP supportSMTP protocol support
- SMTP protocol supportTLS Encrypted communications with mutual authentication
- TLS Encrypted communications with mutual authentication
- Compatibility with the NOD Cryptographic Specification
- Structured command and control that is similar to that used by several Windows
- Automated file exfiltration
- Simple and flexible deployment and installation
Aeris is a builder that CIA operators can use to generate custom implants, it does not have a separate installer and in order to be deployed operators just need to place an Aeris binary in the desired directory.
“Aeris does not have a separate installer. To deploy it, simply place an Aeris binary in the desired directory. Rename the binary in any way that you wish. Note that the configuration is patched in at build time; hence, no additional files (beyond possibly those related to persistence — see the next section) are needed.” states the user guide.
Below the list of release published by Wikileaks since March:
- Imperial – 27 July, 2017
- UCL/RAYTHEON – 19 July, 2017
- HighRise – 13 July, 2017
- BothanSpy and Gyrfalcon – 06 July, 2017
- OutlawCountry – 30 June, 2017
- ELSA malware – 28 June, 2017
- Cherry Blossom – 15 June, 2017
- Pandemic – 1 June, 2017
- Athena – 19 May, 2017
- AfterMidnight – 12 May, 2017
- Archimedes – 5 May, 2017
- Scribbles – 28 April, 2017
- Weeping Angel – 21 April, 2017
- Hive – 14 April, 2017
- Grasshopper – 7 April, 2017
- Marble Framework – 31 March, 2017
- Dark Matter – 23 March, 2017
(Security Affairs – Wikileaks, Imperial)