Intelligence

WikiLeaks leaked files on the Grasshopper framework, a CIA Tool for creating customized malware installers

Wikileaks published a new batch of 27 documents detailing the Grasshopper framework used by its agents to create custom installers for Windows malware.

WikiLeaks continues to disclose documents included in the CIA Vault 7 archive, on Friday published a new batch of 27 documents detailing a framework, dubbed Grasshopper, allegedly used to create custom installers for Windows malware.

The Grasshopper framework allows CIA operators to build a custom payload, run it and analyzed the results of the execution.

The leaked documents compose a user guide classified as “secret” that was available to the CIA cyber spies.

“The documents WikiLeaks publishes today provide an insights into the process of building modern espionage tools and insights into how the CIA maintains persistence over infected Microsoft Windows computers, providing directions for those seeking to defend their systems to identify any existing compromise,” WikiLeaks said.

The dropper described in the Grasshopper manual should be loaded and executed only in memory, the framework allows creating custom malware that is able to compromise the target system bypassing the antivirus it is using.

“A Grasshopper executable contains one or more installers. An installer is a stack of one or more installer components,” reads the manual. “Grasshopper invokes each component of the stack in series to operate on a payload. The ultimate purpose of an installer is to persist a payload.”

Each executable generated with the Grasshopper framework contains one or more installers.

The framework offers to the operators various persistence mechanisms that can define a series of rules that need to be met before an installation is launched. The rules allow attackers to target specific systems specifying its technical details (i.e. x64 or x32 architecture, OS).

“An executable may have a global rule that will be evaluated before execution of any installers. If a global rule is provided and evaluates to false the executable aborts operation” continues the manual.

One of the persistence mechanisms reported in the user guide is called Stolen Goods, basically, the CIA exploited the mechanisms implemented by the malicious codes used by crooks in the wild.

For example, the CIA has modified some components of the popular Carberp rootkit.

“The persistence method and parts of the installer were taken and modified to fit our needs,” reads a leaked document. “A vast majority of the original Carberp code that was used has been heavily modified. Very few pieces of the original code exist unmodified.”

Another persistence mechanism leverages the Windows Update Service to allow the execution of the payload on every system boot or every 22 hours, this technique uses a series of DLLs specified in the registry.

WikiLeaks has already leaked the “Year Zero” batch which contains detailed info on the CIA hacking exploits and the “Dark Matter” batch which focused on exploits and hacking techniques the agency designed to target iPhones and Macs. A few days ago, WikiLeaks published the third batch called “Marble,” a collection of files describing the CIA anti-forensics tool dubbed Marble framework.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – CIA Grasshopper framework, hacking)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco warns of password-spraying attacks targeting Secure Firewall devices

Cisco warns customers of password-spraying attacks that have been targeting Remote Access VPN (RAVPN) services…

3 hours ago

American fast-fashion firm Hot Topic hit by credential stuffing attacks

Hot Topic suffered credential stuffing attacks that exposed customers' personal information and partial payment data.…

7 hours ago

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

21 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

1 day ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

2 days ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

2 days ago

This website uses cookies.