Vault 7: Angelfire

WHISTLEBLOWING - SURVEILLANCE, 4 Sep 2017

WikiLeaks – TRANSCEND Media Service

Today, August 31st 2017, WikiLeaks publishes documents from the Angelfire project of the CIA. Angelfire is an implant comprised of five components: Solartime, Wolfcreek, Keystone (previously MagicWand), BadMFS, and the Windows Transitory File system. Like previously published CIA projects (Grasshopper and AfterMidnight) in the Vault7 series, it is a persistent framework that can load and execute custom implants on target computers running the Microsoft Windows operating system (XP or Win7).

Solartime modifies the partition boot sector so that when Windows loads boot time device drivers, it also loads and executes the Wolfcreek implant, that once executed, can load and run other Angelfire implants. According to the documents, the loading of additional implants creates memory leaks that can be possibly detected on infected machines.

Keystone is part of the Wolfcreek implant and responsible for starting malicious user applications. Loaded implants never touch the file system, so there is very little forensic evidence that the process was ever ran. It always disguises as “C:\Windows\system32\svchost.exe” and can thus be detected in the Windows task manager, if the operating system is installed on another partition or in a different path.

BadMFS is a library that implements a covert file system that is created at the end of the active partition (or in a file on disk in later versions). It is used to store all drivers and implants that Wolfcreek will start. All files are both encrypted and obfuscated to avoid string or PE header scanning. Some versions of BadMFS can be detected because the reference to the covert file system is stored in a file named “zf”.

The Windows Transitory File system is the new method of installing AngelFire. Rather than lay independent components on disk, the system allows an operator to create transitory files for specific actions including installation, adding files to AngelFire, removing files from AngelFire, etc. Transitory files are added to the ‘UserInstallApp’.

Leaked Documents:

Angelfire 2.0 — User Guide

BadMFS — Developer Guide

Wolfcreek Docs — Angelfire User Guide

Wolfcreek Docs — Angelfire Test Matrix

Wolfcreek Docs — Notes

________________________________________________

All Releases:

Vault 7: ExpressLane – 24 Aug 2017

Vault 7: CouchPotato – 10 Aug 2017

Vault 7: Dumbo – 3 Aug 2017

Vault 7: Imperial – 27 Jul 2017

Vault 7: CL/Raytheon – 19 Jul 2017

Vault 7: Highrise – 13 Jul 2017

Vault 7: BothanSpy – 6 Jul 2017

Vault 7: OutlawCountry – 29 Jun 2017

Vault 7: Elsa – 28 Jun 2017

Vault 7: Brutal Kangaroo – 22 Jun 2017

Vault 7: Cherry Blossom – 15 Jun 2017

Vault 7: Pandemic – 1 Jun 2017

Vault 7: Athena – 19 May 2017

Vault 7: AfterMidnight & Assassin Frameworks – 12 May 2017

Vault 7: Archimedes – 5 May 2017

Vault 7: Scribbles Project – 28 Apr 2017

Vault 7: Weeping Angel – 21 Apr 2017

Vault 7: Hive Project – 14 Apr 2017

Vault 7: Grasshopper Framework – 7 Apr 2017

Vault 7: Marble Framework – 31 Mar 2017

Vault 7: Project Dark Matter – 23 Mar 2017

Vault 7: CIA Hacking Tools Revealed – 7 Mar 2017

Go to Original – wikileaks.org

Share this article: email mastodon facebook 🔗 copy link

DISCLAIMER: The statements, views and opinions expressed in pieces republished here are solely those of the authors and do not necessarily represent those of TMS. In accordance with title 17 U.S.C. section 107, this material is distributed without profit to those who have expressed a prior interest in receiving the included information for research and educational purposes. TMS has no affiliation whatsoever with the originator of this article nor is TMS endorsed or sponsored by the originator. “GO TO ORIGINAL” links are provided as a convenience to our readers and allow for verification of authenticity. However, as originating pages are often updated by their originating host sites, the versions posted may not match the versions our readers view when clicking the “GO TO ORIGINAL” links. This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available in our efforts to advance understanding of environmental, political, human rights, economic, democracy, scientific, and social justice issues, etc. We believe this constitutes a ‘fair use’ of any such copyrighted material as provided for in section 107 of the US Copyright Law. In accordance with Title 17 U.S.C. Section 107, the material on this site is distributed without profit to those who have expressed a prior interest in receiving the included information for research and educational purposes. For more information go to: http://www.law.cornell.edu/uscode/17/107.shtml. If you wish to use copyrighted material from this site for purposes of your own that go beyond ‘fair use’, you must obtain permission from the copyright owner.

Comments are closed.