Today, WikiLeaks published more documents as part of its Vault 7 CIA exposé series, revealing new manuals for three tools named Achilles, Aeris, and SeaPea, all part of a larger CIA project named Imperial.
Each of the three tools has a different purpose, being developed to target only a specific set of operating systems.
The first of these tools, Achilles, is a utility for trojanizing macOS DMG installers.
According to a one-page user guide released by WikiLeaks, Achilles allows an operator to bind an executable to a DMG file for a one-time execution.
Running the DMG file installs the original app, installs the payload, and then removes the payload from the DMG file. A one-time execution routine of this kind is typical of US cyber-intelligence, which is known to put a lot of effort into remaining undetected on targeted machines.
The second CIA hacking tool manual released today is for a tool called Aeris, which is an implant (malware) for POSIX systems.
According to the document, Aeris is written in C and can work on the following operating systems:
Under the hood, Aeris includes features specific to data exfiltration utilities, usually used to steal information from targeted hosts via secure TLS-encrypted channels.
The Aeris manual doesn't include details of how the data is collected, most likely meaning it's part of a larger attack chain: CIA operators must use other tools to compromise systems, identify the desired data, and download Aeris, and only then exfiltrate any collected information.
The third and final manual released today is for an OS X rootkit named SeaPea. This tool's manual was previously released in another WikiLeaks CIA dump named DarkSeaSkies, a collection of tools for hacking Macs and iPhones, released in March.
To review, SeaPea provides CIA operators with a kernel-level implant that allows them to persist infections on OS X systems between system reboots.
Additional capabilities include the ability to hide files or directories, start socket connections, or launch desired (malicious?) processes.
The SeaPea manual is old, being dated to the summer of 2011, and lists as "tested operating systems" two very old OS X versions — Mac OS X 10.6 (Snow Leopard) and Mac OS X 10.7 (Lion).
Today's dump is part of a larger series called Vault 7, which contains documents WikiLeaks claims were stolen from the CIA by hackers and insiders.