WikiLeaks Vault 7

Today, WikiLeaks continued its "Vault 7" campaign by dumping another set of CIA files, but this time around, the organization also included the tool's source code, something it had not done in previous data dumps.

Today's leak is a Windows tool that watermarks documents against whistleblowers. Dubbed Scribble, the tool is coded in C# and works by embedding a beacon inside Microsoft Office documents.

When a person opens a file watermarked with Scribble, the document automatically loads an image hosted on the document owner's server (in this case, the CIA).

Scribble is a document mass-watermarking utility

The HTTP request is logged on the server, and by keeping an eye on the server log, the CIA can see who is opening watermarked documents, when, and from where.

The purpose of such a tool is obvious, as the CIA might be trying to track documents that are likely to be copied by insiders, whistleblowers, journalists, leakers, or others.

In addition, the tool could also be deployed in field operations, as a way to track the activity and location of persons of interest, based on their IP address (if the target is not using proxies or Tor).

Scribble manual dates to March 2016

The Scribble user manual also leaked today lists a revision date of March 1, 2016, which makes Scribble one of the most recent files included in the Vault 7 ongoing leak.

Other details included in the manual reveal that Scribble can watermark documents for Office versions 97 to 2016. This covers all Office versions, except Office 95.

The document also warns against problems that may arise with watermarks in case the document is password-protected or encrypted.

Furthermore, the watermarks may fail to load if the document is loaded in other office software suites, such as OpenOffice or LibreOffice. For this, the CIA recommends pre-deployment testing.

Users can prevent beacons phoning home via Office Protected View

Users concerned about watermarked documents can prevent the beacon from calling home either by opening documents when offline or by enabling the Office Protected View security feature.

The Scribble manual explains:

Also note that, depending on whether the targeted end-user downloads a watermarked document file from an Internet file server, the Office application may open the document in "Protected View" mode. In this case, the watermark URL will not beacon in until the user pushes the "Enable Editing" button.
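
As an added example (not code from the leak or from the original article), a defender can check an Office Open XML file (.docx, .xlsx, .pptx) for remotely loaded content before opening it, by listing relationships marked `TargetMode="External"`. This assumes the beacon is an externally linked resource in an OOXML package; it does not cover legacy binary formats, and the sample package and its URL are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files, prefer defusedxml

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OD = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Hyperlinks are external too, but are fetched only when the user clicks them.
CLICK_ONLY = {"hyperlink"}


def find_external_targets(doc_bytes):
    """Return (part, kind, url) for each external relationship Office may fetch on open."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                kind = rel.get("Type", "").rsplit("/", 1)[-1]
                if kind not in CLICK_ONLY:
                    hits.append((name, kind, rel.get("Target", "")))
    return hits


def build_sample(with_beacon=True):
    """Constructed relationship part only (not a full document), enough for the scan."""
    rels = ['<Relationship Id="rId1" Type="%simage" Target="media/logo.png"/>' % OD,
            '<Relationship Id="rId2" Type="%shyperlink" '
            'Target="https://example.invalid/" TargetMode="External"/>' % OD]
    if with_beacon:
        rels.append('<Relationship Id="rId3" Type="%simage" '
                    'Target="http://beacon.example.invalid/t.png" '
                    'TargetMode="External"/>' % OD)
    xml = ('<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="%s">%s'
           '</Relationships>' % (REL_NS.strip("{}"), "".join(rels)))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/document.xml.rels", xml)
    return buf.getvalue()


if __name__ == "__main__":
    for part, kind, url in find_external_targets(build_sample()):
        print("external %s in %s -> %s" % (kind, part, url))
```

An empty result only means no external relationship was found in the package; it says nothing about other ways a document could reach the network.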
