Pierluigi Paganini April 01, 2017

WikiLeaks has published the third batch of documents dubbed Marble that revealed the CIA anti-forensics tool dubbed Marble framework.

WikiLeaks released the third batch of the CIA Vault7 archive that shed light the anti-forensics tools used by the intelligence Agency,

The first tranche of CIA documents from Vault7 was related to hacking tools and techniques, while the second batch included detailed info about hacking tools specifically designed to hack SmartTV, Android handhelds, Apple iPhones, Macs and Windows systems.

This third lot of documents, dubbed Mable, includes the source code files for the anti-forensic Marble Framework. It contains 676 source code files of a secret anti-forensic Marble Framework.

The experts from the CIA have developed the Marble Framework to make hard forensics activities on its malicious codes.

The code used by the CIA was able to evade detection implementing various techniques, for example, it is able to detect if the code runs in virtual machine sandbox.

The Marble platform makes hard the attribution of the attacks, the documents show how CIA can conduct a cyber attack in a way experts attributed it to other countries, including Russia, China, North Korea and Iran.

“Today, March 31st 2017, WikiLeaks releases Vault 7 “Marble” — 676 source code files for the CIA’s secret anti-forensic Marble Framework. Marble is used to hamper forensic investigators and anti-virus companies from attributing viruses, trojans and hacking attacks to the CIA.” reads Wikileaks.

“Marble does this by hiding (“obfuscating”) text fragments used in CIA malware from visual inspection. This is the digital equivallent of a specalized CIA tool to place covers over the english language text on U.S. produced weapons systems before giving them to insurgents secretly backed by the CIA.”

The CIA Marble Framework platform includes algorithms to insert into the malware source code multiple strings in various languages to make hard the attribution. Using such kind of techniques malware authors try to trick victims into believing that the malware was developed by American/English Vxers.

“The source code shows that Marble has test examples not just in English but also in Chinese, Russian, Korean, Arabic and Farsi.” continues Wikileaks. “This would permit a forensic attribution double game, for example by pretending that the spoken language of the malware creator was not American English, but Chinese, but then showing attempts to conceal the use of Chinese, drawing forensic investigators even more strongly to the wrong conclusion, but there are other possibilities, such as hiding fake error messages.”

Marble Framework does not contain any vulnerabilities or exploits.

The Marble dump also includes a deobfuscator to reverse CIA text obfuscation, using it experts can identify patterns of attacks conducted by the CIA and attribute previous hacking attacks and malicious codes to the Agency. Marble was in use at the CIA during 2016, in 2015 the cyber spies were using the 1.0 version.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Vault 7, Marble framework)