Vault7

WikiLeaks dumped yesterday the source code of a CIA tool called Marble, which according to previously leaked CIA manuals, the Agency classified as a code obfuscation framework.

The WikiLeaks dump conveniently came a day after the Senate's open hearing on Russian election interference.

Marble is not a tool for planting false flags

Many news agencies incorrectly reported that Marble allows the CIA's operators to plant false flags inside the malware they create, pointing to a feature that inserts code comments written in various languages such as Chinese, Russian, Korean, Arabic, and Farsi.

In reality, the Marble framework is a banal code obfuscation utility, like many other tools on the malware market.

Its role is to scramble code so human analysts can't read it and antivirus engines can't assign it to a known malware family. Nothing more.

Marble is a banal code obfuscator

"Based on less than 30 minutes of code review, I emphatically disagree with the [WikiLeaks] assertion that Marble is used for false flag ops," Rendition Infosec founder Jake Williams wrote on Twitter.

"The [Marble] framework is just a string obfuscation library. It IS interesting, but not in the sense that it would allow for cyber false flag," the expert added. "The Chinese and Russian examples noted by WL only show that the tool was tested for Unicode support, nothing more."

Contents of Marble folder

In the first batch of leaked CIA files, the ones containing CIA manuals and wiki pages, CIA operatives described Marble as follows:

The Marble Framework is designed to allow for flexible and easy-to-use obfuscation when developing tools. When signaturing tools, string obfuscation algorithms (especially those that are unique) are often used to link malware to a specific developer or development shop. This framework is intended to help us (AED) to improve upon our current process for string/data obfuscation in our tools. [...] The framework allows for obfuscation to be chosen randomly from a pool of techniques. These techniques can be filtered based upon the project needs. If desired, a user may also select a specific technique to use for obfuscation.

The framework also includes a deobfuscation component for reverting the scrambled strings to a readable version when operators need to make changes to the malware's source code.
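The "signaturing" point in the quoted description is easiest to see from the analyst's side. The following is an added illustration, not code from the Marble dump: a toy pool of two constructed string encodings (a fixed-key XOR and a reversed base64, neither of which is a Marble algorithm) plus a triage routine that tries each known decoder on the strings pulled from a sample. The set of techniques it recovers is exactly the fingerprint the CIA text worries about, and the assumed sample strings are constructed.

```python
import base64
from typing import Callable, Dict, List, Optional, Tuple

# Constructed toy "pool" of two string-obfuscation techniques, standing in
# for the pool the leaked description mentions. NOT Marble's algorithms.
def xor_encode(s: str, key: int = 0x5A) -> bytes:
    return bytes(b ^ key for b in s.encode("utf-8"))

def b64_reverse_encode(s: str) -> bytes:
    return base64.b64encode(s.encode("utf-8")[::-1])

# Analyst-side decoders: each returns "" when the blob is not its format.
def xor_decode(blob: bytes, key: int = 0x5A) -> str:
    try:
        return bytes(b ^ key for b in blob).decode("utf-8")
    except UnicodeDecodeError:
        return ""

def b64_reverse_decode(blob: bytes) -> str:
    try:
        return base64.b64decode(blob, validate=True)[::-1].decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return ""

# Stricter format first, so a base64 blob is not mistaken for XOR output.
DECODERS: Dict[str, Callable[[bytes], str]] = {
    "b64rev": b64_reverse_decode,
    "xor": xor_decode,
}

def looks_like_text(s: str) -> bool:
    return bool(s) and all(ch.isprintable() for ch in s)

def identify(blob: bytes) -> Optional[Tuple[str, str]]:
    """Try every known decoder; return (technique, plaintext) for the first plausible hit."""
    for name, decode in DECODERS.items():
        out = decode(blob)
        if looks_like_text(out):
            return name, out
    return None

def triage(blobs: List[bytes]) -> Tuple[List[str], List[Optional[Tuple[str, str]]]]:
    """Sorted set of techniques seen across a sample's strings: one technique
    everywhere is a stable signature, a per-string random pick from a pool is not."""
    results = [identify(b) for b in blobs]
    return sorted({r[0] for r in results if r}), results

# Constructed sample strings, as if pulled from two different binaries.
FIXED_SCHEME_SAMPLE = [xor_encode("cmd.exe /c whoami"), xor_encode("C:\\Windows\\Temp")]
POOLED_SAMPLE = [xor_encode("cmd.exe /c whoami"), b64_reverse_encode("https://example.invalid/c2")]
```

Running `triage` on the two samples returns a single technique for the first and two for the second, which is why a unique, always-on routine links samples to a shop while a randomly chosen one does not.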

According to WikiLeaks, the Marble framework reached v1.0 in 2015, and was used as late as 2016. The Marble source code is available for download from here and the documentation page is here.