WikiLeaks Vault 7

WikiLeaks today published documentation on the CIA Angelfire project, a malware framework developed to infect Windows computers.

According to a leaked CIA manual, Angelfire is made up of five components, each with its own purpose:

Solartime - Malware that modifies the boot sector to load Wolfcreek.
Wolfcreek - Self-loading driver that can load other drivers and user-mode applications.
Keystone - Component that's responsible for starting other implants (technical term for malware).
BadMFS - A covert file system that is created at the end of the active partition. Angelfire uses BadMFS to store all other components. All files are obfuscated and encrypted.
Windows Transitory File System - A newer component that's an alternative to BadMFS. Instead of storing files on a secret file system, the component uses transitory (temporary) files for the storage system.

According to leaked documents, Angelfire works on 32-bit and 64-bit versions of Windows XP and Windows 7, and on 64-bit versions of Windows Server 2008 R2.

Not the CIA's best work

The Angelfire framework is just another tool in the CIA's arsenal for hacking Windows users. Previous tools include Grasshopper, ELSA, AfterMidnight, and Assassin.

Compared to other tools, Angelfire doesn't appear to be that polished. The leaked documents include a long list of issues.

For example, security products could detect the presence of a BadMFS file system by a file named "zf", and users may see popup alerts when one of the Angelfire components crashes.

In addition, the Keystone component always disguises itself as a "C:\Windows\system32\svchost.exe" process and cannot dynamically adjust this path if Windows is installed on another partition (e.g., D:\). DLL persistence on XP is also not supported. All in all, this is not the CIA's best work.
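
The two artifacts above can be turned into a triage check. The following is an added example, not code from the leaked manual or from the article: it assumes a process and file inventory has already been collected per host, and the record layout, host names, PIDs and file locations are constructed for illustration.

```python
import ntpath  # Windows path rules, usable on any analysis host

KEYSTONE_IMAGE = r"C:\Windows\system32\svchost.exe"  # path quoted in the article
BADMFS_MARKER = "zf"                                  # file name quoted in the article

def norm(path):
    """Normalize case and separators the way Windows compares paths."""
    return ntpath.normcase(ntpath.normpath(path))

def keystone_path_mismatch(system_root, processes):
    """PIDs claiming the fixed C: svchost path on a host whose Windows is elsewhere."""
    fixed = norm(KEYSTONE_IMAGE)
    if ntpath.splitdrive(norm(system_root))[0] == ntpath.splitdrive(fixed)[0]:
        return []  # the path is the legitimate one here; this check says nothing
    return [p["pid"] for p in processes if norm(p["image"]) == fixed]

def badmfs_marker_hits(files):
    """Paths whose file name is exactly 'zf' (a lead to review, not a verdict)."""
    return [f for f in files if ntpath.basename(norm(f)) == BADMFS_MARKER]

def triage(host):
    return {
        "host": host["name"],
        "keystone_pids": keystone_path_mismatch(host["system_root"], host["processes"]),
        "zf_files": badmfs_marker_hits(host["files"]),
    }

# Constructed inventory: host names, PIDs and file locations are made up.
HOSTS = [
    {"name": "ws-01", "system_root": r"C:\Windows",
     "processes": [{"pid": 900, "image": r"C:\Windows\System32\svchost.exe"}],
     "files": [r"C:\Users\a\notes.txt"]},
    {"name": "ws-02", "system_root": r"D:\Windows",
     "processes": [{"pid": 812, "image": r"D:\Windows\System32\svchost.exe"},
                   {"pid": 4444, "image": r"C:\Windows\system32\svchost.exe"}],
     "files": [r"D:\zf", r"D:\tmp\zf.txt", r"E:\data\ZF"]},
]

if __name__ == "__main__":
    for h in HOSTS:
        print(triage(h))
```

The path check only fires on hosts where Windows is not installed on C:, which is the one case the article describes; on a C: install the disguised path is indistinguishable from the real one by name alone.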

Previous Vault 7 leaks

Today's dump is part of a larger series called Vault 7, which contains documents WikiLeaks claims were stolen from the CIA by hackers and insiders. You can follow the rest of our WikiLeaks Vault 7 coverage here. Below is a list of the most notable WikiLeaks "Vault 7" dumps:

Weeping Angel - tool to hack Samsung smart TVs
Fine Dining - a collection of fake, malware-laced apps
Grasshopper - a builder for Windows malware
DarkSeaSkies - tools for hacking iPhones and Macs
Scribble - beaconing system for Office documents
Archimedes - a tool for performing MitM attacks
AfterMidnight and Assassin - malware frameworks for Windows
Athena - a malware framework co-developed with a US company
Pandemic - a tool for replacing legitimate files with malware
CherryBlossom - a tool for hacking SOHO WiFi routers
Brutal Kangaroo - a tool for hacking air-gapped networks
ELSA - malware for geo-tracking Windows users
OutlawCountry - CIA tool for hacking Linux systems
BothanSpy & Gyrfalcon - CIA malware for stealing SSH logins
HighRise - Android app for intercepting & redirecting SMS data
Achilles, Aeris, & SeaPea - tools for hacking Mac & POSIX systems
Dumbo - tool to disable webcams and microphones
CouchPotato - tool to capture remote video streams