WikiLeaks Vault 7

WikiLeaks dumped 27 documents today as part of the "Vault 7" series of leaked documents, which the organization claims to belong to the CIA.

Codenamed "Grasshopper," these are 27 manuals describe a CLI-based builder for assembling malware-laced Windows installers.

CIA internal wiki pages describing the Grasshopper framework were first leaked at the start of March with the initial Vault 7 announcement. The Grasshopper guides leaked today contain more in-depth information and are training guides for CIA operatives.

Grasshopper used to assemble the CIA's malware installers

According to the leaked documents, CIA operatives must have some sort of technical information on their targets before using Grasshopper.

Based on what operating system the target uses, what antivirus he's employing, and other technical details, the Grasshopper framework automatically puts together several components adequate for the job.

To put together these components, operatives used a custom rule-based language to write build configs.

Grasshopper builer config

In the end, Grasshopper delivers a Windows installer that field operatives can run on a target's machine and install their malware.

The usage of a pre-infection form to deliver the most appropriate malware payload has also been seen in Fine Dining, another CIA toolkit that consists of malware-laced portable applications.

Grasshopper is very modular, adapts to any operation

Below is how the latest Grasshopper manual (v2.0.2) describes Grasshopper's modular architecture:

A Grasshopper executable contains one or more installers. An installer is a stack of one or more installer components. Grasshopper invokes each component of the stack in series to operate on a payload. The ultimate purpose of an installer is to persist a payload.

As you can see, the CIA designed Grasshopper to be as malleable as possible, decoupling the installer from the final payload. The Grasshopper builder allows operatives to select the components they need for each operation and deliver a payload of their choice.

The leaked documents intimate that Grasshopper installers can deliver payloads in EXE, DLL, SYS, or PIC formats, for x86 and x64 architectures, and payloads for getting persistence. In addition, Grasshopper can produce installers with built-in malicious payloads, or the payloads can be delivered at run-time from other locations.

According to the leaked documents, the CIA claims "the installation executable should be loaded into and executed solely within memory," which means it is harder to pick up by traditional signature-based antivirus solutions. In fact, a lot of effort has been put into avoiding security products overall, which is consistent with the main rule of cyber-espionage, the one that says stealth is more important than results.

Grasshopper borrowed code from the Carberp rootkit

Along with the Grasshopper user guides, WikiLeaks also leaked the manual for Stolen Goods, one of the Grasshopper components used with installers to assure persistence on infected hosts.

The document reveals that parts of Stolen Goods, as the name implies, were taken from the Carberp rootkit, used by the eponymous Russian cybercrime gang.

The persistence method, and parts of the installer, were taken and modified to fit our needs.  All components taken from Carberp were carefully analyzed for hidden functionality, backdoors, vulnerabilities, etc.. A vast majority of the original Carberp code that was used has been heavily modified.  Very few pieces of the original code exist unmodified.

Previously, it was discovered that the CIA also borrowed code from other malware families, such as HiKit, Shamoon, UpClicker, and the Nuclear Exploit Kit.