The leaked documentation of the CIA’s “Vault 7” is a library of all sorts of ways our government (the US government) is allegedly using your own PC to spy on you!
Here are eight CIA operations that have allegedly been used to spy on you!
Weeping Angel
If you have a Samsung Smart TV, and you don’t already know, it may be spying on you. In leaked information released by Wikileaks, the spy agency allegedly has a tool that allows for a “fake” off mode that makes the television appear to be off, but keeps it powered so spies can capture audio and potentially video from anything within range of the TV.
Thankfully, this only applies to television systems from 2012 and 2013 running a specific firmware. If you’re one of the folks who have a Samsung TV from this time-frame, turn the TV off and check the back of it. If you see a blue LED lit up, you’ve got one of the ones that the CIA and other potential agencies can use to listen in on your conversations.
Flash Bang
Flash Bang is a tool designed to be able to migrate from a browser process (using sandbox breakout), escalate privileges, and memory load a NOD Persistence Spec dll. To do these things Flash Bang is broken into two parts: FlashBangLoader.dll and FlashBang.dll. FlashBangLoader.dll runs from within the browser process for the duration of execution. FlashBang.dll is written to disk and never runs from within the browser. When loaded into the browser process (Fire and Forget Spec), FlashBangLoader.dll writes FlashBang.dll to disk and then uses the PEULinkedIn_x86x64 privilege escalation module to break out of the sandbox and escalate privileges. Once the tool escalates privileges, it memory loads a NOD Persistence spec dll.
Translation: This one is triggered through malicious code when visiting a website that the CIA has infiltrated. Both files are downloaded and one is used to give the other administrative (elevated) access to your PC. When it’s given this level of access, it’s capable of doing whatever it wants to. In this case, it adds malicious code that will always be memory resident (residing in your RAM) so long as your computer is on and will reload when rebooted.
RickyBobby
RickyBobby 4.x is developed by IOC/EDG/AED/Operational Support Branch (OSB) as a lightweight implant for target computers running newer versions of Microsoft Windows and Windows Server. The RickyBobby implant enables COG operators to upload and download files and execute commands and executables on the target computer without detection as malicious software by personal security products (PSPs). RickyBobby 4.x improves upon previous versions of RickyBobby by being easier to install, task using the Listening Post (LP), and manage multiple implant installations.
RickyBobby 4.x is comprised of several .NET DLLs and a Windows PowerShell script. RickyBobby uses Windows PowerShell to download and dynamically execute the .NET DLLs in memory. OSB chose Windows PowerShell as the execution vector because it is installed by default on all Microsoft’s operating systems since Windows Vista and it runs as trusted, Microsoft-signed process. RickyBobby 4.x can be installed remotely or with physical access to the target computers using batch files.
Translate: RickyBobby is mentioned in a few of the other projects as the malicious code they would add to a PC once it has been compromised. Once installed on a PC or Server, it will allow a remote operator to use PowerShell to remotely execute programs and do other nasty bits to the compromised computer, all with full Admin privileges.
Fight Club
Fight Club is an umbrella crypt for the set of tools provided for the JQJINDISCREET QRC effort. For this effort, COG requested a prioritized development in which trojans would be built to drop and install Ricky Bobby 3.0. The trojans would be spread across 6 thumbdrives intended to be inserted into the supply chain of a target network/group. Upon opening any of the weaponized applications, the Ricky Bobby 3.0 would become installed on the machine. This is a configured Ricky Bobby 3.0. Ricky Bobby is persisted via scheduled tasks.
COG provided the following prioritization of applications for trojaning: VLC Player, Win-Rar, TrueCrypt, ConnectifyMe, Shamela Reader, Microsoft Office Standalone Installer, Adobe Reader Installer. EDG was able to supply the following trojans in the operational timeline: VLC Player, Win-Rar, TrueCrypt, Shamela. The six thumbdrives sent to the field for operational use had 4 self-extracting Win-Rars (Wraith), 2 VLC players, 2 TrueCrypt applications, 2 Shamela applications. Cover documents included TrueCrypt containers with keys, videos, documents, and images.
Translation: Through the use of very common programs found on virtually any PC, including a few that are meant to avoid this sort of issue such as Truecrypt, Fight Club is used to install Ricky Bobby on unsuspecting systems giving the agency full access to the infected computer or server.
Be careful of what you download!
HammerDrill
HammerDrill is a CD/DVD collection tool that collects directory walks and files to a configured directory and filename pattern as well as logging CD/DVD insertion and removal events. v2.0 adds a gap jumping capability that Trojans 32-bit executables as they are being burned to disc by Nero. Additionally, v2.0 adds an status, termination and an on-demand collection feature controlled by HammerDrillStatus.dll, HammerDrillKiller.dll and HammerDrillCollector.dll. The logging now also fingerprints discs by hashing the first two blocks of the ISO image, which enables unique identification of multi-sessions discs even as data is added and removed. The log also logs anytime a HammerDrill trojaned binary is seen on a disc.
Translation: HammerDrill appears to be used to infiltrate air-gapped PCs with their trojan horses and other exploits.
For those that may not know, an air-gapped PC is one that has never been connected to the Internet. The only way to add programs to one of these systems is physically attach a thumbdrive or use a CD/DVD drive to install them.
As folks would generally download what they needed on another computer and burn it to disk to install on one of these internetless PCs, HammerDrill is a trojan horse that hides in CD/DVD burning utilities and attaches itself to the media device so it can be installed on the air-gapped system. This project would require an agent to physically be at the location of the PC in order to recover any information that the malicious code reveals though.
Rain Maker
RainMaker v1.0 is a survey and file collection tool built for a FINO QRC operation. IOC/FINO is looking to expand asset-assisted operations. The intended CONOPS involves using an asset to gain access to a target network. The asset has the ability to plug in a personal thumbdrive to the network. In this scenario, the asset will have “downloaded” the portable version of VLC player (2.1.5) and will listen to music during work hours. While she is listening to music, the tool will execute the survey and a prioritized file collection. All collected data will be stored to the root of the removable media it is executing from. When the asset next meets with the case officer, the thumbdrive is retrieved and the collection is processed.
The configuration of RainMaker allows to the user to split or combine the configuration and infection steps. This was done to allow for expansion in future efforts that may require a different infections step. When configuring Rain Maker v1.0 the user is given the following options:
Prioritized list of directories to collect files from (environment variables allowed) A list of extensions or patterns the file name must meet (*.doc*) The amount of free space to be left on the drive The path to the VLC player to infect The relative path from the VLC player where the encrypted container should be stored
Translation: This seems to be one that is used by a field agent. They would plug in a thumbdrive with an infected version of VLC and begin listening to music. While they’re enjoying the beats of their favorite singer the malicious code that came along with the player is harvesting all of the private information found on the PC. It’s interesting that they specified a “she” instead of “they”. It makes it look as if there was a specific target in mind for this project.
Melomy DriveIn
Melomy DriveIn uses a DLL hijack in VLC player that once launched will drop and run RickyBobby 4. It uses simple buffer to encrypt the RB header using the volume serial number as the key.
Translation: This project consists of a module that hacks into VLC Player and adds their own trojan to give access to your system when you open a video using the media program.
Smart gadgets
As if your PC wasn’t enough to worry about. In this day and age, everything is connected to the Internet in some way. Heck, even a coffee maker can come equipped with WiFi capability! As we’ve found out about the Wikileaks release today, not even those devices are safe from eaves dropping and infiltration!
Any device that can connect to the Internet is prone to be attacked in some way.
The most concerning is the alleged infection of Android and Apple phones by the clandestine organization.
“The CIA attacks this software by using undisclosed security vulnerabilities (“zero days”) possessed by the CIA but if the CIA can hack these phones then so can everyone else to has obtained or discovered the vulnerability,” WikiLeaks said. “As long as the CIA keeps these vulnerabilities concealed from Apple and Google (who make the phones) they will not be fixed, and the phones will remain hackable.”
It’s scary to think that a government agency could have the capability of installing software without the knowledge of those who create the operating system.
All information was found on Wikileaks.com and therefore cannot be confirmed due to the nature of the content. As we cannot fully confirm these projects as facts, we look at them as projects that allegedly exist, but lean strong towards being the truth.
