CIA hacking tools targeting Windows

These purportedly are a few of the 'secret' tools in the CIA arsenal that target the Windows operating system.

cia cyber
Credit: Dado Ruvic, Reuters

By releasing information about CIA hacking tools, WikiLeaks has given a new meaning to March Madness.

The CIA’s project Fine Dining is intriguing, since it outlines DLL hijacks for Sandisk Secure, Skype, Notepad++, Sophos, Kaspersky, McAfee, Chrome, Opera, Thunderbird, LibreOffice, and some games such as 2048, which the CIA writer “got a good lol out of.” Yet I was curious about what the CIA does to targeted machines running Windows since so many people use the OS.

Nearly everything dealing with the CIA hacking arsenal and Windows is labeled as “secret.” Nicholas Weaver, a computer scientist at the University of California at Berkeley, told NPR that the Vault 7 release is not all that big of a deal, not too surprising the agency hacks. Yet if “Year Zero” was obtained by a non-government hacker compromising the CIA’s system, then that would be a big deal.

Weaver said, “Spies gonna spy, that’s dog bites man. Spy dumps data on WikiLeaks, proving that they exfiltrated it from a top secret system? That’s man bites dog.”

However it was obtained and handed to WikiLeaks for the world to peruse, here are some of the things revealed that the CIA allegedly uses to target Windows.

Persistence modules are listed under Windows>Windows Code Snippets and are labeled as “secret.” This would be used after a target has been infected. In the words of WikiLeaks, persistence is how the CIA would “keep its malware infestations going.”

The CIA’s persistence models for Windows include: TrickPlay, Constant Flow, HighClass, Ledger, QuickWork and SystemUptime.

Of course before malware can persist, it must be deployed. There are four sub-pages listed under payload deployment modules: in-memory executables, in-memory DLL execution, on-disk DLL loading and on-disk executables.

There are eight processes listed as “secret” under payload deployment for on-disk executables: Gharial, Shasta, Speckled, Chorus, Tiger, Greenhorn, Leopard and Spadefoot. The six payload deployment modules for in-memory DLL execution include: Inception, two takes on Hypodermic and three on Intradermal. Caiman is the only payload deployment module listed under on-disk DLL loading.

What might a spook do once inside a Windows box to get the data out? Marked as “secret” under Windows data transfer modules, the CIA purportedly uses:

  • Brutal Kangaroo, a module which “allows for transfer or storage of data by placing it in NTFS Alternate Data Streams.”
  • Pictogram, a module that “transfers or stores data by appending the data to an already existing file such as a jpg or png.”
  • The Glyph module “transfers or stores data by writing it to a file.”

Under function hooking in Windows, which would allow a module to be tapped into to do something specific that the CIA wanted done, the list included: DTRS which hooks functions using Microsoft Detours, EAT_NTRN which modifies entries in EAT, RPRF_NTRN which replaces all references to the target function with the hook, and IAT_NTRN which allows for “easy hooking of Windows API.” All the modules use “alternate data streams which are only available on NTFS volumes” and the sharing levels include the entire Intelligence community.

WikiLeaks said it avoided distributing “armed cyberweapons until a consensus emerges on the technical and political nature of the CIA's program and how such ‘weapons’ should analyzed, disarmed and published.” Privilege escalation and execution vectors on Windows are among those which were censored.

There are six sub-pages dealing with CIA “secret” privilege escalation modules, but WikiLeaks chose not to make the details available; presumably this is so every cyberthug in the world won't take advantage of them.

CIA “secret” execution vectors code snippets for Windows include EZCheese, RiverJack, Boomslang and Lachesis – all of which are listed but not released by WikiLeaks.

There is a module to lock and unlock system volume information under Windows access control. Of the two Windows string manipulation snippets, only one is labeled as “secret.” Only one snippet of code for Windows process functions is marked as “secret” and the same is true for Windows list snippets.

Under Windows file/folder manipulation, there is one to “create directory with attributes and create parent directories,” one for path manipulation and one to capture and reset file state.

Two “secret” modules are listed under Windows user information. One “secret” module each is listed for Windows file information, registry information and drive information. Naive sequence search is listed under memory searching. There is one module under Windows shortcut files and file typing also has one.

Machine information has eight sub-pages; there are three “secret” modules listed under Windows Updates, one “secret” module under User Account Control – which elsewhere – got a mention under Windows exploitation articles for bypassing User Account Control.

These examples are mere drops in a bucket when it comes to Windows-related CIA files dumped by WikiLeaks so far.

To express your thoughts on Computerworld content, visit Computerworld's Facebook page, LinkedIn page and Twitter stream.
4 high-growth tech fields with top pay
Shop Tech Products at Amazon