WikiLeaks
Today, May 12th 2017, WikiLeaks publishes "AfterMidnight" and "Assassin", two CIA malware frameworks for the Microsoft Windows platform.
"AfterMidnight" (AM) allows operators to dynamically load and execute malware payloads on a target machine. The main controller disguises itself as a self-persisting Windows Service DLL and provides secure execution of "Gremlins" via an HTTPS-based Listening Post (LP) system called "Octopus". Once installed on a target machine, AM calls back to a configured LP on a configurable schedule, checking whether there is a new plan for it to execute. If there is, it downloads and stores all needed components before loading all new gremlins in memory. "Gremlins" are small AM payloads that are meant to run hidden on the target and either subvert the functionality of targeted software, survey the target (including data exfiltration), or provide internal services for other gremlins. The special payload "AlphaGremlin" even has a custom script language which allows operators to schedule custom tasks to be executed on the target machine.
"Assassin" is a similar kind of malware; it is an automated implant that provides a simple collection platform on remote computers running the Microsoft Windows operating system. Once the tool is installed on the target, the implant runs within a Windows service process. "Assassin" (just like "AfterMidnight") then periodically beacons to its configured listening post(s) to request tasking and deliver results. Communication occurs over one or more transport protocols as configured before or during deployment. The "Assassin" C2 (Command and Control) and LP (Listening Post) subsystems are referred to collectively as "The Gibson" and allow operators to perform specific tasks on an infected target.
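The scheduled call-back to a listening post that both frameworks rely on is also the behaviour a network defender can look for: a host that contacts the same destination at near-constant intervals stands out from ordinary browsing. The Python below is an added example, not code from WikiLeaks, from the leaked documents, or from the frameworks themselves. It groups a constructed proxy log by (client, destination) pair and scores each pair by the jitter of its connection intervals; the log format, hostnames, timestamps and thresholds are all assumptions for illustration.

```python
"""Flag beacon-like callbacks in proxy logs by inter-arrival regularity.

Added example for this page (not code from WikiLeaks or the leaked
frameworks). The log format, hosts, timestamps and thresholds below are
constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log: "<ISO timestamp> <client> <destination host>".
# 10.0.0.5 polls lp.example.net every ~5 minutes (beacon-like);
# 10.0.0.7 fetches cdn.example.org at irregular, browsing-like intervals.
SAMPLE_LOG = """\
2017-05-12T08:00:00 10.0.0.5 lp.example.net
2017-05-12T08:00:03 10.0.0.7 cdn.example.org
2017-05-12T08:05:00 10.0.0.5 lp.example.net
2017-05-12T08:07:41 10.0.0.7 cdn.example.org
2017-05-12T08:10:01 10.0.0.5 lp.example.net
2017-05-12T08:12:09 10.0.0.7 cdn.example.org
2017-05-12T08:15:00 10.0.0.5 lp.example.net
2017-05-12T08:19:55 10.0.0.7 cdn.example.org
2017-05-12T08:20:00 10.0.0.5 lp.example.net
2017-05-12T08:25:01 10.0.0.5 lp.example.net
2017-05-12T08:33:02 10.0.0.7 cdn.example.org
"""


def parse_log(text):
    """Parse log lines into {(client, host): sorted list of POSIX timestamps}."""
    seen = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host = line.split()
        seen[(client, host)].append(datetime.fromisoformat(ts).timestamp())
    for key in seen:
        seen[key].sort()
    return seen


def beacon_score(timestamps):
    """Return (mean interval in seconds, coefficient of variation) for a
    sorted timestamp list, or None when there are too few samples to judge.

    A low coefficient of variation (stdev / mean) means the gaps between
    connections are nearly constant, i.e. a fixed schedule."""
    if len(timestamps) < 4:
        return None
    gaps = [later - earlier for earlier, later in zip(timestamps, timestamps[1:])]
    mu = mean(gaps)
    if mu <= 0:
        return None
    return mu, pstdev(gaps) / mu


def find_beacons(text, min_connections=5, max_cv=0.05):
    """Return {(client, host): (mean_interval, cv)} for pairs whose connection
    intervals are regular enough to look like a scheduled beacon.

    min_connections and max_cv are assumed starting thresholds; an implant
    configured with a randomised (jittered) schedule raises the CV, so both
    need tuning against the real environment."""
    hits = {}
    for key, stamps in parse_log(text).items():
        if len(stamps) < min_connections:
            continue
        score = beacon_score(stamps)
        if score is not None and score[1] <= max_cv:
            hits[key] = score
    return hits


if __name__ == "__main__":
    for (client, host), (interval, cv) in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: every {interval:.1f}s, cv={cv:.4f}")
```

On the constructed log only the 10.0.0.5 to lp.example.net pair is reported (about 300 seconds apart with negligible jitter), while the irregular cdn.example.org traffic is not. Because the text says the call-back schedule is configurable, treat the jitter threshold as a tuning knob rather than a fixed signature, and pair this with host-side checks on service DLLs and in-memory loading rather than relying on timing alone.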