

Vault 7 series "Shadow" project exposure: Raytheon secretly provided malware analysis for the CIA

Posted by loope at 2020-03-03

On Wednesday (July 19), WikiLeaks published another batch of the CIA's Vault 7 files. Unlike earlier releases, which disclosed tools directly, this batch mainly covers the CIA's "UMBRAGE" project and the detailed malware analysis reports that the CIA contractor Raytheon Blackbird Technologies produced for it.

Raytheon Blackbird Technologies belongs to Raytheon, a large US defense contractor. In November 2014 Raytheon acquired the network security company Blackbird Technologies and formed Raytheon Blackbird Technologies, which focuses on the analysis of advanced malware and TTPs (tactics, techniques and procedures, i.e. the strategies, techniques and processes used in network attacks). Under its agreement with the CIA, the company supplies analysis reports on malware that has been discovered in the wild. The documents show that between November 2014 and September 2015 Raytheon Blackbird Technologies submitted at least five reports to the CIA, all of them part of the CIA's UMBRAGE project.

According to the Vault 7 material leaked by WikiLeaks, the CIA's UMBRAGE team specializes in false-flag operations (a false-flag operation is a covert action designed to mislead the public into believing it was carried out by another organization, for example by using that organization's flags, uniforms or other identifying features), in order to hide the attack techniques used and to frustrate investigation and evidence collection. The CIA's Remote Development Branch (RDB) maintains a library of network attack patterns that collects and catalogues previously used attack methods and techniques, such as the code leaked in the Hacking Team breach and techniques used in Russia. With a large pattern library, a new network attack can borrow imitation, obfuscation and similar tactics to confuse the adversary and conceal the attacker.

The UMBRAGE project maintained by the team covers a wide range of malware techniques, such as keystroke logging, password collection, webcam capture and control, data destruction, persistent infection, privilege escalation, stealth, and anti-virus evasion.

On July 19, 2017, WikiLeaks released the CIA's documents on the "shadow malware function module library" project, which originated from the CIA contractor Raytheon Blackbird Technologies. The documents were submitted and updated from November 21, 2014 (the third week after Raytheon Blackbird Technologies was founded) until September 11, 2015. They mainly cover POC verification and the evaluation of malware attack vectors. Some of the references come from public analyses of network attacks published by security companies or security researchers.

Raytheon Blackbird Technologies acts as a "technical investigator" for the CIA's remote devices group: it analyzes malicious attacks that have been detected in the wild and provides suggestions on how the CIA can make further use of them in its own malware and POC development.

Of course, the company's experts also provide POC ideas and malware attack vectors to their own company. According to these experts, the CIA commissions the contractor to collect malware intelligence and submit it to the remote devices team mainly to help that team develop and improve the CIA's own network attack techniques.

An overview of Raytheon's five reports to the CIA:

Report 1

In this report, Raytheon's researchers analyzed and documented a variant of the HTTPBrowser RAT used by Emissary Panda in its attacks. The new variant appeared in March 2015 and was delivered through an unknown initial attack vector; its main purpose is capturing and collecting keystrokes.

Report 2

This report details a new variant of the NfLog RAT (also known as IsSpace) used by the Samurai Panda APT group. The variant uses the Hacking Team Flash 0-day exploit for CVE-2015-5122 together with a UAC bypass technique, and sniffs or enumerates proxy credentials in order to get past the Windows firewall. It also uses Google App Engine as a proxy for its C2 communication.

Report 3

This report is an in-depth analysis of the espionage tool "Regin". First discovered in 2013, Regin is mainly used for surveillance and data collection and is said to be more complex than Stuxnet and Duqu. It is believed that Regin is an espionage tool developed by the NSA itself.

Researchers first detected Regin activity in 2013, but the data show that Regin was already active as early as 2008. Most analysts nonetheless date the current version of Regin to 2013. Regin's modular architecture is very distinctive and highly flexible, allowing operators to monitor specific individuals with customized features. In addition, Regin is stealthy and long-lived; some attacks are carried out entirely from memory-resident components.

Report 4

This report details the "HammerToss" malware discovered in early 2015. HammerToss is said to be a malicious program developed by hackers backed by the Russian government, and it has been active since the end of 2014.

What is interesting about HammerToss is its architecture. It can use Twitter accounts, GitHub accounts, compromised websites, basic steganography and cloud storage services for its C2 communication, and then executes commands on the compromised target system.
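The C2 pattern described for HammerToss above (and for the NfLog variant in Report 2, which proxies C2 through Google App Engine) blends into ordinary traffic because the destinations are popular, legitimate services. What a defender can still see is the cadence: an implant polls its dead-drop account at machine-like regular intervals, while a human browsing the same sites does not. The following Python script is an added illustration written for this article, not code from the leaked reports or from Raytheon. It assumes a constructed, space-separated proxy log format (timestamp, source IP, destination host, user agent) and a hypothetical watchlist of abused services; it flags any source that contacts a watched host a minimum number of times with a near-constant inter-request interval.

```python
"""Flag hosts that poll social-media / code-hosting / cloud services with
machine-like regularity. Constructed proxy log lines, not data from the leak."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Assumption: a defender's watchlist of services that the article says can be
# abused as C2 dead drops (Twitter, GitHub, cloud storage, App Engine proxies).
WATCHLIST = {
    "twitter.com", "api.twitter.com",
    "github.com", "raw.githubusercontent.com",
    "appspot.com",
}

# Constructed log format: "<ISO timestamp> <src ip> <dest host> <user agent>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) (?P<ua>.*)$")


def parse_line(line):
    """Parse one log line into (timestamp, src, host, ua); None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
    return ts, m["src"], m["host"].lower(), m["ua"]


def watched(host):
    """True if host is a watchlisted domain or one of its subdomains."""
    return any(host == w or host.endswith("." + w) for w in WATCHLIST)


def find_beacons(lines, min_hits=4, max_cv=0.15):
    """Return {(src, host): (hit_count, mean_interval_seconds)} for every
    (source, watched host) pair seen at least min_hits times whose
    inter-request intervals have a coefficient of variation <= max_cv."""
    times = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, host, _ua = rec
        if watched(host):
            times[(src, host)].append(ts)

    hits = {}
    for key, ts_list in times.items():
        if len(ts_list) < min_hits:
            continue
        ts_list.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        # Low relative spread of the gaps = timer-driven polling, not browsing.
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits[key] = (len(ts_list), round(mean))
    return hits


# Constructed sample: 10.0.0.5 polls twitter.com hourly (beacon-like);
# 10.0.0.9 visits github.com at irregular, human-looking intervals.
SAMPLE_LOG = [
    "2015-03-02T09:00:00 10.0.0.5 twitter.com Mozilla/5.0",
    "2015-03-02T10:00:02 10.0.0.5 twitter.com Mozilla/5.0",
    "2015-03-02T10:59:58 10.0.0.5 twitter.com Mozilla/5.0",
    "2015-03-02T12:00:01 10.0.0.5 twitter.com Mozilla/5.0",
    "2015-03-02T13:00:00 10.0.0.5 twitter.com Mozilla/5.0",
    "2015-03-02T09:12:10 10.0.0.9 github.com Mozilla/5.0",
    "2015-03-02T09:14:40 10.0.0.9 github.com Mozilla/5.0",
    "2015-03-02T11:41:05 10.0.0.9 github.com Mozilla/5.0",
    "2015-03-02T16:03:33 10.0.0.9 github.com Mozilla/5.0",
    "2015-03-02T09:00:00 10.0.0.9 intranet.example Mozilla/5.0",
]

if __name__ == "__main__":
    for (src, host), (count, interval) in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {host}: {count} requests, ~{interval}s apart")
```

The thresholds are deliberately simple: a real deployment would tune `min_hits` and `max_cv` per service, add jitter-tolerant checks (HammerToss-style implants may only poll once a day), and correlate with process or user-agent data, but the core signal, regularity toward a legitimate-looking host, is the same.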

Report 5

This report analyzes the information-stealing Trojan "Gamker" in detail.

Gamker relies on code injection and API hooking. In August 2015 Virus Bulletin published a three-page technical analysis of Gamker; compared with the 30-plus-page analyses published by other vendors, those three pages are considerably more technical. It is worth continuing to follow Virus Bulletin and reading more of its reports.

The following is the timeline of WikiLeaks' Vault 7 disclosures. For the detailed reports, click the keyword hyperlinks:

- HighRise: Android malware that intercepts SMS messages and redirects them to a remote CIA server (July 13, 2017)

- BothanSpy & Gyrfalcon: tools for stealing SSH login credentials (July 6, 2017)

- OutlawCountry: tool for compromising Linux systems (June 30, 2017)

- ELSA: malware that can geolocate Windows users (June 28, 2017)

- Brutal Kangaroo: tools for attacking air-gapped networks (June 22, 2017)

- CherryBlossom: tools for compromising SOHO wireless routers (June 15, 2017)

- Pandemic: a tool that replaces legitimate files with malicious programs (June 1, 2017)

- Athena: malware framework developed jointly with a US company (May 19, 2017)

- AfterMidnight and Assassin: Windows malware frameworks (May 12, 2017)

- Archimedes: a man-in-the-middle attack tool (May 5, 2017)

- Scribbles: Office document tracking tool (April 28, 2017)

- Weeping Angel: a tool for compromising Samsung smart TVs (April 21, 2017)

- Hive: multi-platform implant and command-and-control tool (April 14, 2017)

- Grasshopper: Windows malware generator (April 7, 2017)

- Marble Framework: anti-forensics framework (March 31, 2017)

- Dark Matter: tools for compromising iPhone and Mac (March 23, 2017)

*Reference sources: THN, SecurityAffairs; compiled by angelay. When reprinting, please indicate the source.