WikiLeaks today published documentation on the CIA Angelfire project, a malware framework developed to infect Windows computers.
According to a leaked CIA manual, Angelfire is made up of five components, each with its own purpose:
According to leaked documents, Angelfire works on 32-bit and 64-bit versions of Windows XP and Windows 7, and on 64-bit versions of Windows Server 2008 R2.
The Angelfire framework is just another tool in the CIA's arsenal for hacking Windows users. Previous tools include Grasshopper, ELSA, AfterMidnight, and Assassin.
Compared to other tools, Angelfire doesn't appear to be that polished. The leaked documents include a long list of issues.
For example, security products can detect the presence of a BadMFS file system via a file named "zf", and users may see popup alerts when one of the Angelfire components crashes.
In addition, the Keystone component always disguises itself as a "C:\Windows\system32\svchost.exe" process and cannot dynamically adjust this path if Windows is installed on another partition (e.g., D:\), and DLL persistence on XP is not supported. All in all, this is not the CIA's best work.
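The two weaknesses just listed translate directly into host-side detection heuristics. The following is an added example written for this article, not code from the leaked documents: it assumes process records and a directory listing are supplied as plain Python data (constructed inline here) and that the real system root is known, for instance from the SYSTEMROOT environment variable on a live host.

```python
"""Detection heuristics derived from the Angelfire issue list above.

Added example, not from the leaked documents. Assumptions: process records
and directory listings arrive as plain Python data (constructed below), and
the genuine Windows directory (system_root) is known to the caller.
"""
import ntpath


def expected_svchost_path(system_root: str) -> str:
    """Canonical, case-normalised location of the genuine svchost.exe."""
    return ntpath.normcase(ntpath.join(system_root, "System32", "svchost.exe"))


def flag_svchost_mismatch(processes, system_root):
    """Return processes that present themselves as svchost.exe but whose image
    path is not the real %SystemRoot%\\System32\\svchost.exe.

    Keystone hard-codes C:\\Windows\\system32\\svchost.exe, so on a host where
    Windows lives on another partition the disguise points at a path that the
    genuine service host never uses."""
    expected = expected_svchost_path(system_root)
    hits = []
    for proc in processes:
        path = ntpath.normcase(proc["image_path"])
        if ntpath.basename(path) == "svchost.exe" and path != expected:
            hits.append(proc)
    return hits


def find_zf_files(listing):
    """Return paths whose file name is exactly 'zf', the BadMFS reference file
    named in the issue list. Comparison is case-insensitive, as NTFS is."""
    return [p for p in listing if ntpath.basename(p).lower() == "zf"]


# Constructed sample data: a host with Windows installed on D:\ (hypothetical).
SAMPLE_PROCESSES = [
    {"pid": 612, "image_path": r"D:\Windows\System32\svchost.exe"},   # genuine
    {"pid": 1337, "image_path": r"C:\Windows\system32\svchost.exe"},  # hard-coded disguise
    {"pid": 900, "image_path": r"D:\Windows\explorer.exe"},           # unrelated
]
SAMPLE_LISTING = [
    r"D:\Windows\System32\drivers\etc\hosts",
    r"D:\data\zf",
    r"D:\data\zfx",
]


def run_checks(processes=SAMPLE_PROCESSES, listing=SAMPLE_LISTING,
               system_root=r"D:\Windows"):
    """Run both heuristics and return the PIDs and paths that were flagged."""
    return {
        "svchost_mismatch": [p["pid"] for p in flag_svchost_mismatch(processes, system_root)],
        "zf_files": find_zf_files(listing),
    }


if __name__ == "__main__":
    print(run_checks())  # expected: {'svchost_mismatch': [1337], 'zf_files': ['D:\\data\\zf']}
```

The svchost check only separates the disguise from the real service host when Windows is not on C:\, which is exactly the case the issue list describes; on a default C:\ install the claimed path coincides with the genuine one and a responder would instead have to compare the process's on-disk image and signature. The "zf" check is a plain filename indicator and will also match unrelated files of that name, so treat it as a lead to triage rather than a verdict.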
Today's dump is part of a larger series called Vault 7, which contains documents WikiLeaks claims were stolen from the CIA by hackers and insiders. You can follow the rest of our WikiLeaks Vault 7 coverage here. Below is a list of the most notable WikiLeaks "Vault 7" dumps: