
WikiLeaks – CIA used the AngelFire implant to infect systems running Windows OSs

A new batch of documents from CIA Vault 7 leaks revealed details about a new implant dubbed AngelFire used to infect systems running Windows OSs.

A new batch of documents from the Vault 7 leaks revealed details about a new implant, dubbed AngelFire, that was used by CIA agents to infect systems running Windows OS.

AngelFire was part of the CIA arsenal; the hacking tool was used to gain persistence on the infected systems.

The documents describe the AngelFire framework implants as a persistent backdoor that infects the partition boot sector. According to the user manual leaked by WikiLeaks, AngelFire requires administrative privileges to compromise the target system.

“Today, August 31st 2017, WikiLeaks publishes documents from the Angelfire project of the CIA. Angelfire is an implant comprised of five components: Solartime, Wolfcreek, Keystone (previously MagicWand), BadMFS, and the Windows Transitory File system.” reads Wikileaks.

“Like previously published CIA projects (Grasshopper and AfterMidnight) in the Vault7 series, it is a persistent framework that can load and execute custom implants on target computers running the Microsoft Windows operating system (XP or Win7).”

Below are the details of the five components that make up the AngelFire framework:

1. Solartime — It is the component that modifies the partition boot sector to load and execute Wolfcreek (kernel code) every time the system boots up.

2. Wolfcreek — It is a self-loading driver (the kernel code that Solartime executes) that loads other drivers and user-mode applications.

3. Keystone — It is part of the Wolfcreek implant that leverages DLL injection to execute the malicious user applications directly in system memory without dropping them onto the file system. It is responsible for starting malicious user applications.

4. BadMFS — It is a library used to create a covert file system at the end of the active partition (or in a file on disk in later versions). It is used as a repository for the drivers and implants that Wolfcreek will start. All files are both encrypted and obfuscated to avoid string or PE header scanning.

5. Windows Transitory File system — It is a new method of installing AngelFire, which allows the CIA operator to create transitory files for specific actions including installation, adding files to AngelFire, removing files from AngelFire, etc.

According to the documents, the 32-bit version of the CIA implant works against Windows XP and Windows 7, while the 64-bit implant can be used to infect Server 2008 R2 and Windows 7.
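As an added, defender-side illustration (not code from the leaked documents or from this article): a Python check over a constructed MBR disk image that applies two indicators the component descriptions above imply, a modified active-partition boot sector (Solartime) and encrypted, high-entropy data sitting in the last sectors of the active partition (BadMFS). The disk layout, the baseline hash and the entropy threshold are assumptions chosen for the example.

```python
import hashlib
import math
import struct

SECTOR = 512

def parse_mbr(img):
    """Return (bootable, start_lba, sector_count) for each used MBR partition entry."""
    if img[510:512] != b"\x55\xaa":
        raise ValueError("missing MBR boot signature")
    parts = []
    for i in range(4):
        entry = img[446 + 16 * i:446 + 16 * (i + 1)]
        start, count = struct.unpack("<II", entry[8:16])
        if count:
            parts.append((entry[0] == 0x80, start, count))
    return parts

def sector_hash(img, lba):
    return hashlib.sha256(img[lba * SECTOR:(lba + 1) * SECTOR]).hexdigest()

def shannon_entropy(data):
    """Bits per byte: encrypted content approaches 8.0, zero-filled slack is 0.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def check_image(img, baseline_vbr_hash, tail_sectors=8, threshold=7.0):
    """Flag a changed active-partition boot sector and high-entropy data in its tail."""
    findings = []
    for bootable, start, count in parse_mbr(img):
        if not bootable:
            continue
        if sector_hash(img, start) != baseline_vbr_hash:
            findings.append("active partition boot sector differs from baseline")
        tail = img[(start + count - tail_sectors) * SECTOR:(start + count) * SECTOR]
        if shannon_entropy(tail) > threshold:
            findings.append("high-entropy data at end of active partition")
    return findings

def build_image(tamper_vbr=False, hidden_tail=False):
    """Constructed 64-sector disk: one active NTFS-like partition at LBA 1, 63 sectors long."""
    img = bytearray(64 * SECTOR)
    img[446:462] = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 1, 63)
    img[510:512] = b"\x55\xaa"
    img[512:515] = b"\xeb\x52\x90"          # typical VBR jump stub
    img[515:523] = b"NTFS    "
    img[1022:1024] = b"\x55\xaa"
    if tamper_vbr:
        img[600:604] = b"\xde\xad\xbe\xef"   # patched bytes in the VBR code area
    if hidden_tail:
        blob, seed = b"", b"constructed"     # deterministic pseudo-random "encrypted" blob
        while len(blob) < 8 * SECTOR:
            seed = hashlib.sha256(seed).digest()
            blob += seed
        img[56 * SECTOR:64 * SECTOR] = blob[:8 * SECTOR]
    return bytes(img)

BASELINE = sector_hash(build_image(), 1)   # known-good hash taken from the clean image
```

On a real host the baseline hash would come from a trusted install image, and the tail scan would be run against the raw device rather than a constructed buffer.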

Below is the list of releases published by WikiLeaks since March:


Pierluigi Paganini

(Security Affairs –  Wikileaks, hacking)


Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field and a Certified Ethical Hacker at EC-Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".
