Pierluigi Paganini April 07, 2017

Wikileaks published a new batch of 27 documents detailing the Grasshopper framework used by its agents to create custom installers for Windows malware.

WikiLeaks continues to disclose documents included in the CIA Vault 7 archive, on Friday published a new batch of 27 documents detailing a framework, dubbed Grasshopper, allegedly used to create custom installers for Windows malware.

The Grasshopper framework allows CIA operators to build a custom payload, run it and analyzed the results of the execution.

The leaked documents compose a user guide classified as “secret” that was available to the CIA cyber spies.

“The documents WikiLeaks publishes today provide an insights into the process of building modern espionage tools and insights into how the CIA maintains persistence over infected Microsoft Windows computers, providing directions for those seeking to defend their systems to identify any existing compromise,” WikiLeaks said.

The dropper described in the Grasshopper manual should be loaded and executed only in memory, the framework allows creating custom malware that is able to compromise the target system bypassing the antivirus it is using.

“A Grasshopper executable contains one or more installers. An installer is a stack of one or more installer components,” reads the manual. “Grasshopper invokes each component of the stack in series to operate on a payload. The ultimate purpose of an installer is to persist a payload.”

Each executable generated with the Grasshopper framework contains one or more installers.

The framework offers to the operators various persistence mechanisms that can define a series of rules that need to be met before an installation is launched. The rules allow attackers to target specific systems specifying its technical details (i.e. x64 or x32 architecture, OS).

“An executable may have a global rule that will be evaluated before execution of any installers. If a global rule is provided and evaluates to false the executable aborts operation” continues the manual.

One of the persistence mechanisms reported in the user guide is called Stolen Goods, basically, the CIA exploited the mechanisms implemented by the malicious codes used by crooks in the wild.

For example, the CIA has modified some components of the popular Carberp rootkit.

“The persistence method and parts of the installer were taken and modified to fit our needs,” reads a leaked document. “A vast majority of the original Carberp code that was used has been heavily modified. Very few pieces of the original code exist unmodified.”

Another persistence mechanism leverages the Windows Update Service to allow the execution of the payload on every system boot or every 22 hours, this technique uses a series of DLLs specified in the registry.

WikiLeaks has already leaked the “Year Zero” batch which contains detailed info on the CIA hacking exploits and the “Dark Matter” batch which focused on exploits and hacking techniques the agency designed to target iPhones and Macs. A few days ago, WikiLeaks published the third batch called “Marble,” a collection of files describing the CIA anti-forensics tool dubbed Marble framework.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – CIA Grasshopper framework, hacking)