Vault 7

Today, WikiLeaks published more documents from its Vault 7 CIA exposé series, revealing the manuals for three tools named Achilles, Aeris, and SeaPea, all part of a larger CIA project named Imperial.

Each of the three tools serves a different purpose and was developed to target a specific set of operating systems.


The first of these tools, Achilles, is a utility for trojanizing macOS DMG installers.

According to a one-page user guide released by WikiLeaks, Achilles allows an operator to bind an executable to a DMG file for a one-time execution.

Running the trojanized DMG installs the original app, executes the payload, and then removes the payload from the DMG file, so the installer left on disk no longer carries evidence of the addition. Such one-time execution routines are typical of US cyber-intelligence agencies, which are known to put considerable effort into remaining undetected on targeted machines.


The second CIA hacking tool manual released today is for a tool called Aeris, which is an implant (malware) for POSIX systems.

According to the document, Aeris is written in C and can work on the following operating systems:

Debian Linux 7 (i386)
Debian Linux 7 (amd64)
Debian Linux 7 (ARM)
Red Hat Enterprise Linux 6 (i386)
Red Hat Enterprise Linux 6 (amd64)
Solaris 11 (i386)
Solaris 11 (SPARC)
FreeBSD 8 (i386)
FreeBSD 8 (amd64)
CentOS 5.3 (i386)
CentOS 5.7 (i386)

Under the hood, Aeris includes features typical of data exfiltration utilities and sends stolen information from targeted hosts over TLS-encrypted channels.

The Aeris manual does not describe how the data is collected, which most likely means the implant is one link in a larger attack chain: CIA operators must use other tools to compromise the system and identify the desired data, then deploy Aeris, and only then exfiltrate what was collected.


The third and final manual released today is for an OS X rootkit named SeaPea. This tool's manual was previously released in another WikiLeaks CIA dump named DarkSeaSkies, a collection of tools for hacking Macs and iPhones, released in March.

To review, SeaPea provides CIA operators with a kernel-level implant that lets an infection persist on OS X systems across reboots.

Additional capabilities include hiding files or directories, opening socket connections, and launching processes of the operator's choosing.

The SeaPea manual is old, dated to the summer of 2011, and lists only two very old OS X versions as "tested operating systems": Mac OS X 10.6 (Snow Leopard) and Mac OS X 10.7 (Lion).
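Because SeaPea persists as a kernel-level implant, the first triage step on a suspect OS X host of that era is to list the loaded kernel extensions and look for anything outside Apple's namespace or loaded from outside the standard extension directories. The script below is an added example, not code from the WikiLeaks documents or from the CIA tools, that parses `kextstat` output and applies those two checks. The `kextstat` lines and the on-disk bundle list are constructed samples; the `com.example.driver.unknown` bundle ID is a placeholder, not a real SeaPea identifier.

```python
import re
from dataclasses import dataclass

# Constructed sample of `kextstat` output (not captured from a real machine and
# not from the SeaPea manual); the last entry uses a placeholder bundle ID.
SAMPLE_KEXTSTAT = """\
Index Refs Address            Size       Wired      Name (Version) <Linked Against>
    1   85 0xffffff7f80a5e000 0x9f10     0x9f10     com.apple.kpi.bsd (11.4.2)
    6    2 0xffffff7f80b0a000 0x5000     0x5000     com.apple.driver.AppleACPIPlatform (1.5) <1>
   98    0 0xffffff7f82c00000 0x12000    0x12000    com.example.driver.unknown (1.0) <6 1>
"""

# Constructed set of bundle IDs that an inventory of /System/Library/Extensions
# and /Library/Extensions would have found on disk.
SAMPLE_ON_DISK = {"com.apple.kpi.bsd", "com.apple.driver.AppleACPIPlatform"}

# One kextstat row: index, refs, address, size, wired, name, (version), optional <linked>.
KEXT_LINE = re.compile(
    r"^\s*(?P<index>\d+)\s+(?P<refs>\d+)\s+(?P<address>0x[0-9a-f]+)\s+"
    r"(?P<size>0x[0-9a-f]+)\s+(?P<wired>0x[0-9a-f]+)\s+(?P<name>\S+)\s+"
    r"\((?P<version>[^)]*)\)(?:\s+<(?P<linked>[^>]*)>)?\s*$"
)


@dataclass(frozen=True)
class Kext:
    index: int
    refs: int
    address: int
    size: int
    wired: int
    name: str
    version: str
    linked_against: tuple


def parse_kextstat(text):
    """Parse kextstat output into Kext records; the header and unparseable lines are skipped."""
    kexts = []
    for line in text.splitlines():
        m = KEXT_LINE.match(line)
        if not m:
            continue
        linked = tuple(int(x) for x in (m.group("linked") or "").split())
        kexts.append(Kext(
            int(m.group("index")), int(m.group("refs")),
            int(m.group("address"), 16), int(m.group("size"), 16), int(m.group("wired"), 16),
            m.group("name"), m.group("version"), linked,
        ))
    return kexts


def third_party(kexts, trusted_prefixes=("com.apple.",)):
    """Loaded kexts whose bundle ID is not under a trusted namespace."""
    return [k for k in kexts if not k.name.startswith(trusted_prefixes)]


def not_on_disk(kexts, on_disk_ids):
    """Loaded kexts with no matching bundle in the standard extension directories."""
    return [k for k in kexts if k.name not in on_disk_ids]


def triage(text, on_disk_ids):
    """Summarise the loaded kexts and the entries that deserve a closer look."""
    kexts = parse_kextstat(text)
    return {
        "loaded": len(kexts),
        "third_party": sorted(k.name for k in third_party(kexts)),
        "not_on_disk": sorted(k.name for k in not_on_disk(kexts, on_disk_ids)),
    }


if __name__ == "__main__":
    import json
    # On a real host, feed in the output of `kextstat` and an inventory of the
    # extension directories instead of the constructed samples.
    print(json.dumps(triage(SAMPLE_KEXTSTAT, SAMPLE_ON_DISK), indent=2))
```

Two caveats apply. A rootkit with the file-hiding capabilities the manual describes can just as well hide its own extension from `kextstat` or name it under `com.apple.`, so a clean listing is evidence, not proof; an offline inspection of the disk from a trusted boot medium is the stronger check. And `kextstat` matches the OS X versions in the manual; it has been deprecated on recent macOS releases.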

Today's dump is part of the larger Vault 7 series, which contains documents WikiLeaks claims were stolen from the CIA by hackers and insiders. You can follow the rest of our WikiLeaks Vault 7 coverage here. Below is a list of the most notable WikiLeaks "Vault 7" dumps:

Weeping Angel - tool to hack Samsung smart TVs
Fine Dining - a collection of fake, malware-laced apps
Grasshopper - a builder for Windows malware
DarkSeaSkies - tools for hacking iPhones and Macs
Scribble - beaconing system for Office documents
Archimedes - a tool for performing MitM attacks
AfterMidnight and Assassin - malware frameworks for Windows
Athena - a malware framework co-developed with a US company
Pandemic - a tool for replacing legitimate files with malware
CherryBlossom - a tool for hacking SOHO WiFi routers
Brutal Kangaroo - a tool for hacking air-gapped networks
ELSA - malware for geo-tracking Windows users
OutlawCountry - CIA tool for hacking Linux systems
BothanSpy & Gyrfalcon - CIA malware for stealing SSH logins
HighRise - Android app for intercepting & redirecting SMS data
