Vault 7

While the world was busy dealing with the WannaCry ransomware outbreak, last Friday, about the time when we were first seeing a surge in WannaCry attacks, WikiLeaks dumped new files as part of the Vault 7 series.

This time around, the organization dumped user manuals for two hacking tools named AfterMidnight and Assassin, two very simplistic malware frameworks, allegedly developed by and stolen from the CIA.

AfterMidnight

The first of the two is AfterMidnight. In simple terms, and based on the data contained in AfterMidnight's documentation, this tool is malware installed on a target's PC as a DLL file that works as a backdoor.

The DLL persists between PC reboots and connects to a C&C server via HTTPS, from where it downloads modules to execute. The manual refers to these modules under the name of Gremlins, or Gremlinware.

To work, AfterMidnight needs a constant Internet connection: if the tool can't reach its C&C server, it will not execute any of its modules.

AfterMidnight's modules are divided into three categories: (1) modules that provide data exfiltration capabilities, (2) modules that subvert the functionality of local software, and (3) modules that provide internal services and functionality for other modules.

By far the most interesting of these are the modules that subvert local software. From the AfterMidnight documentation:

The Process Gremlin has the capability to subvert the execution of existing or started processes in a few annoying ways by either temporarily delaying the execution of a process, killing an existing process, or “locking up” a process permanently, requiring the user to manually kill the process. These activities can be set to occur after a set period of time (plus or minus a jitter) and can be set to only affect a certain percentage of target processes.

These subversion modules can kill or delay existing or new processes, and work based on finely tuned configuration files.

The AfterMidnight manual also includes two examples of how to use the malware. In the first, the CIA manual shows operatives how to create malware that prevents the user from using their browser, so they spend more time on their work applications and the operators can collect more data. This example includes configuration samples that will kill all Internet Explorer and Firefox executables every 30 seconds.
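The browser-killing configuration described above leaves a recognisable footprint on the endpoint: the same image exits over and over at a near-fixed interval, with the small jitter the manual mentions. The following is an added, defender-side example written for this article; it is not code from the leaked manual, from the CIA tooling, or from the original report. It scans process-exit records for images that terminate on a regular schedule. The log lines are constructed for the example, and their "timestamp | event | image" layout is a simplified stand-in for real process-termination telemetry such as Sysmon Event ID 5 (ProcessTerminate) or Windows Security Event 4689 (a process has exited); adapt the parser to whatever your collector emits.

```python
"""Flag processes that are being terminated on a near-fixed schedule.

Constructed sample telemetry: each line is "<timestamp> | <event> | <image>".
The layout is a simplified stand-in for process-exit records such as
Sysmon Event ID 5 (ProcessTerminate) or Windows Security Event 4689; the
lines below are constructed for this example, not taken from a real host.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample: firefox.exe and iexplore.exe die every ~30 s (with
# a few seconds of jitter); chrome.exe and excel.exe exit at normal,
# irregular times and must not be flagged.
SAMPLE_LOG = """\
2017-05-19 12:00:00 | ProcessTerminate | firefox.exe
2017-05-19 12:00:05 | ProcessTerminate | iexplore.exe
2017-05-19 12:00:10 | ProcessTerminate | chrome.exe
2017-05-19 12:00:31 | ProcessTerminate | firefox.exe
2017-05-19 12:00:36 | ProcessTerminate | iexplore.exe
2017-05-19 12:00:40 | ProcessCreate | firefox.exe
2017-05-19 12:01:00 | ProcessTerminate | firefox.exe
2017-05-19 12:01:04 | ProcessTerminate | iexplore.exe
2017-05-19 12:01:29 | ProcessTerminate | firefox.exe
2017-05-19 12:01:35 | ProcessTerminate | iexplore.exe
2017-05-19 12:02:00 | ProcessTerminate | firefox.exe
2017-05-19 12:02:05 | ProcessTerminate | iexplore.exe
2017-05-19 12:03:12 | ProcessTerminate | excel.exe
2017-05-19 12:07:42 | ProcessTerminate | chrome.exe
2017-05-19 12:09:03 | ProcessTerminate | chrome.exe
2017-05-19 12:20:11 | ProcessTerminate | chrome.exe
"""

Event = Tuple[datetime, str, str]  # (timestamp, event type, image name)


def parse_events(text: str) -> List[Event]:
    """Parse the constructed log format into (timestamp, event, image) tuples."""
    events: List[Event] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, event, image = (part.strip() for part in line.split("|"))
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), event, image.lower()))
    return events


def find_periodic_terminations(
    events: List[Event], min_count: int = 4, max_jitter_ratio: float = 0.25
) -> Dict[str, int]:
    """Return {image: period_seconds} for images whose exits recur on a schedule.

    An image is flagged when it has at least `min_count` terminations and every
    gap between consecutive terminations lies within `max_jitter_ratio` of the
    mean gap. The ratio is the knob that absorbs the "plus or minus a jitter"
    scheduling the manual describes; tighten it to cut false positives.
    """
    exits: Dict[str, List[datetime]] = defaultdict(list)
    for ts, event, image in events:
        if event == "ProcessTerminate":
            exits[image].append(ts)

    flagged: Dict[str, int] = {}
    for image, stamps in exits.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = sum(deltas) / len(deltas)
        if mean <= 0:
            continue
        tolerance = mean * max_jitter_ratio
        if all(abs(d - mean) <= tolerance for d in deltas):
            flagged[image] = int(round(mean))
    return flagged


if __name__ == "__main__":
    for image, period in find_periodic_terminations(parse_events(SAMPLE_LOG)).items():
        print(f"{image}: terminated roughly every {period}s")
```

Running it against the constructed sample reports firefox.exe and iexplore.exe with a 30-second period and stays silent on chrome.exe and excel.exe. In production, expect legitimate periodic exits too (scheduled tasks, watchdog-restarted services), so treat a hit as a lead to correlate with the parent process and with recent unsigned DLL loads rather than as an alert on its own.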

[Image: AfterMidnight code]

The second example shows how to create an AfterMidnight build that will "annoy the [...] target whenever they use PowerPoint (because, face it, they deserve it for using PP)." This example includes configurations on how to lock up 50% of PowerPoint resources every 10 minutes, or how to delay the start of PowerPoint slides by 30 seconds.

[Image: AfterMidnight code]

Basically, the CIA created some sort of nagware for playing pranks and sabotaging user software.

Assassin

The second manual included in last week's WikiLeaks dump is for Assassin, a malware framework that is very similar to AfterMidnight.

Assassin includes a builder, an implant, a command-and-control (C&C) server, and a listening post (an intermediary between the Assassin malware implant and the C&C server).

The Assassin implant is designed to run as a service on the victim's Windows computer and is used mainly for executing a precise series of tasks, collecting, and then exfiltrating user data; in other words, your regular backdoor trojan behavior.

Last Friday's leak is part of a WikiLeaks series called "Vault 7," in which the organization has dumped the documentation and user manuals of several other alleged CIA hacking tools. WikiLeaks says it received these tools from hackers and whistleblowers.

You can follow our WikiLeaks Vault 7 coverage here. Below is a list of the most notable WikiLeaks "Vault 7" dumps:

Weeping Angel - tool to hack Samsung smart TVs
Fine Dining - a collection of fake, malware-laced apps
Grasshopper - a builder for Windows malware
DarkSeaSkies - tools for hacking iPhones and Macs
Scribble - beaconing system for Office documents
Archimedes - a tool for performing MitM attacks