WikiLeaks drops another cache of ‘Vault7’ stolen tools

The WikiLeaks “Vault 7” almost-weekly drip-drip-drip of confidential information on the cybertools and tactics of the CIA continued last week.

The latest document dump is a trove from agency contractor Raytheon Blackbird Technologies for the so-called “UMBRAGE Component Library” (UCL) Project, which includes reports on five types of malware and their attack vectors.

This is the 17th release of specific CIA hacking or surveillance tools since the initial announcement by WikiLeaks on March 7.

According to a statement announcing the latest release:

The documents were submitted to the CIA between November 21st 2014 (just two weeks after Raytheon acquired Blackbird Technologies to build a Cyber Powerhouse) and September 11th 2015. They mostly contain Proof-of-Concept ideas and assessments for malware attack vectors – partly based on public documents from security researchers and private enterprises in the computer security field.

Raytheon Blackbird Technologies acted as a kind of “technology scout” for the Remote Development Branch (RDB) of the CIA by analysing malware attacks in the wild and giving recommendations to the CIA development teams for further investigation and PoC development for their own malware projects.

The component library includes:

A new variant of the HTTPBrowser Remote Access Tool (RAT), used by a threat actor known as “Emissary Panda,” believed to be in China, which was built in 2015. It is a keylogger, and according to Raytheon captures keystrokes  “using the standard RegisterRawInputDevice() and GetRawInput() APIs and writes the captured keystrokes to a file”.

A new variant of the NfLog RAT, also known as IsSpace and used by “Samurai Panda”. It is, according to Raytheon, “a basic RAT that polls C2 servers every 6 seconds awaiting an encoded response”. If it detects that a user has administrative privileges, “it will attempt to reload itself using the elevated permissions”.

Regin, described as “a very sophisticated malware sample,” which has been around since 2013. It is used for target surveillance and data collection. Raytheon said it has a six-stage, modular architecture that “affords a high degree of flexibility and tailoring of attack capabilities to specific targets”. It is also stealthy, with an, “ability to hide itself from discovery, and portions of the attack are memory resident only”.

HammerToss, a suspected Russian state-sponsored malware, which became operational in 2014 and was discovered in 2015, uses Twitter accounts, GitHub or compromised websites, and cloud storage to arrange the command and control operations for the malware. It is considered the most sophisticated malware of the five in the current release.

Gamker, an information-stealing Trojan that “uses an interesting process for self-code injection that ensures nothing is written to disk”.

As WikiLeaks noted in its announcement, these were all malware attacks found in the wild, and therefore not secret. But the CIA’s hope clearly was that they would lead to development of “their own malware projects” – to be used to conduct attacks not just on individual computers or systems, but social media platforms like Twitter as well.