{"id":32634,"date":"2017-07-21T08:42:43","date_gmt":"2017-07-21T12:42:43","guid":{"rendered":"http:\/\/www.opensource.im\/uncategorized\/5-new-cia-malware-unveiled-by-wikileaks-httpbrowser-nflog-regin-hammerloss-gamker-fossbytes.php"},"modified":"2017-07-21T08:42:43","modified_gmt":"2017-07-21T12:42:43","slug":"5-new-cia-malware-unveiled-by-wikileaks-httpbrowser-nflog-regin-hammerloss-gamker-fossbytes","status":"publish","type":"post","link":"https:\/\/euvolution.com\/open-source-convergence\/wikileaks\/5-new-cia-malware-unveiled-by-wikileaks-httpbrowser-nflog-regin-hammerloss-gamker-fossbytes.php","title":{"rendered":"5 New CIA Malware Unveiled By WikiLeaks  HTTPBrowser, NfLog, Regin, HammerLoss, Gamker &#8211; Fossbytes"},"content":{"rendered":"<p><p>Short Bytes: As a part of the ongoing CIA Vault 7 series, WikiLeaks has published some new documents. The leaks share details regarding the CIA's partnership with Raytheon Blackbird Technologies, which helped the CIA with insights into malware development. The documents also briefly describe 5 CIA-Raytheon malware and their attack vectors.<\/p>\n<p>The leaked documents were submitted to the CIA between 21st Nov 2014 and 11th Sep 2015. The documents submitted by Raytheon contained proof-of-concept assessments for malware attack vectors.<\/p>\n<p>It should be noted that Raytheon acted as a technology scout for the CIA's Remote Development Branch (RDB). The scout made recommendations to the CIA teams for further research and malware development.<\/p>\n<p>So, without further delay, let's tell you about the 5 CIA-Raytheon malware described in the leaked documents:<\/p>\n<p>The first document gives an introduction to a new variant of the HTTPBrowser Remote Access Tool (RAT). The malware's dropper has a zip file that contains 3 files. This RAT captures keystrokes and writes them to a file. 
It continuously talks to the C&C (command and control) server in clear-text communications.<\/p>\n<p>NfLog RAT is also known as IsSpace. This new malware variant is deployed using the leaked Hacking Team Adobe Flash exploit, which uses CVE-2015-5122. For C&C communications, NfLog also uses the Google App Engine. It attempts a UAC bypass and privilege escalation on the Windows operating system.<\/p>\n<p>Regin is a sophisticated malware sample that has been in use since as early as 2008, with its new iteration appearing in 2013. What makes Regin special is its modular architecture, which grants flexibility to the attackers. It also features the capability to hide itself from detection. The attack via Regin is carried out in 5 stages, with the last granting functionalities like file system access, networking, event logging, port loading, rootkit functions, etc.<\/p>\n<p>HammerToss is probably Russian-sponsored malware. It leverages compromised websites, GitHub, Twitter accounts, and cloud storage to handle the C&C functions. Written in C#, HammerToss uses a dedicated program to create new Twitter accounts and uses them to execute commands and get the data uploaded by the victim.<\/p>\n<p>Gamker is an information-stealing Trojan that uses self-code injection to make sure that nothing is written to disk. Gamker also gains some obfuscation characteristics by using assembly language instructions in its hooking routine.<\/p>\n<p>Have something to add to this story? Don't forget to share your views with us.<\/p>\n<p>Source: WikiLeaks<\/p>\n<p>Read our complete WikiLeaks Vault 7 coverage here. 
<\/p>\n<p><!-- Auto Generated --><\/p>\n<p>Here is the original post:<br \/>\n<a target=\"_blank\" href=\"https:\/\/fossbytes.com\/cia-raytheon-malware-vault7\/\" title=\"5 New CIA Malware Unveiled By WikiLeaks  HTTPBrowser, NfLog, Regin, HammerLoss, Gamker - Fossbytes\">5 New CIA Malware Unveiled By WikiLeaks  HTTPBrowser, NfLog, Regin, HammerLoss, Gamker - Fossbytes<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p> Short Bytes: As a part of the ongoing CIA Vault 7 series, WikiLeaks has published some new documents. The leaks share details regarding the CIA's partnership with Raytheon Blackbird Technologies, which helped the CIA with insights into malware development. The documents also briefly describe 5 CIA-Raytheon malware and their attack vectors<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[50],"tags":[],"class_list":["post-32634","post","type-post","status-publish","format-standard","hentry","category-wikileaks"],"_links":{"self":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/posts\/32634"}],"collection":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/comments?post=32634"}],"version-history":[{"count":0,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/posts\/32634\/revisions"}],"wp:attachment":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/media?parent=32634"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence
\/wp-json\/wp\/v2\/categories?post=32634"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/tags?post=32634"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}