{"id":98022,"date":"2017-09-04T12:00:57","date_gmt":"2017-09-04T11:00:57","guid":{"rendered":"https:\/\/www.transcend.org\/tms\/?p=98022"},"modified":"2017-09-04T10:10:43","modified_gmt":"2017-09-04T09:10:43","slug":"vault-7-angelfire","status":"publish","type":"post","link":"https:\/\/www.transcend.org\/tms\/2017\/09\/vault-7-angelfire\/","title":{"rendered":"Vault 7: Angelfire"},"content":{"rendered":"

\"\"<\/a>Today, August 31st 2017, WikiLeaks publishes documents from the Angelfire<\/em> project of the CIA. Angelfire<\/em> is an implant comprised of five components: Solartime, Wolfcreek<\/em>, Keystone (previously MagicWand), BadMFS<\/em>, and the Windows Transitory File system. Like previously published CIA projects (Grasshopper<\/a> and AfterMidnight<\/a>) in the Vault7<\/a> series<\/a>, it is a persistent framework that can load and execute custom implants on target computers running the Microsoft Windows operating system (XP or Win7).<\/p><\/blockquote>\n

Solartime modifies the partition boot sector so that when Windows loads boot time device drivers, it also loads and executes the Wolfcreek<\/em> implant, that once executed, can load and run other Angelfire<\/em> implants. According to the documents, the loading of additional implants creates memory leaks that can be possibly detected on infected machines.<\/p>\n

Keystone is part of the Wolfcreek<\/em> implant and responsible for starting malicious user applications. Loaded implants never touch the file system, so there is very little forensic evidence that the process was ever ran. It always disguises as “C:\\Windows\\system32\\svchost.exe” and can thus be detected in the Windows task manager, if the operating system is installed on another partition or in a different path.<\/p>\n

BadMFS<\/em> is a library that implements a covert file system that is created at the end of the active partition (or in a file on disk in later versions). It is used to store all drivers and implants that Wolfcreek<\/em> will start. All files are both encrypted and obfuscated to avoid string or PE header scanning. Some versions of BadMFS<\/em> can be detected because the reference to the covert file system is stored in a file named “zf”.<\/p>\n

The Windows Transitory File system is the new method of installing AngelFire<\/em>. Rather than lay independent components on disk, the system allows an operator to create transitory files for specific actions including installation, adding files to AngelFire<\/em>, removing files from AngelFire<\/em>, etc. Transitory files are added to the ‘UserInstallApp’.<\/p>\n

\"\"<\/a><\/p>\n

\n

Leaked Documents:<\/h2>\n

Angelfire 2.0 — User Guide <\/a><\/p>\n

BadMFS — Developer Guide <\/a><\/p>\n

Wolfcreek Docs — Angelfire User Guide <\/a><\/p>\n

Wolfcreek Docs — Angelfire Test Matrix <\/a><\/p>\n

Wolfcreek Docs — Notes <\/a><\/p><\/blockquote>\n

________________________________________________<\/p>\n

All Releases:<\/em><\/h2>\n

Vault 7: ExpressLane<\/a> \u2013 24 Aug 2017<\/em><\/p>\n

Vault 7: CouchPotato<\/a> \u2013 10 Aug 2017<\/em><\/p>\n

Vault 7: Dumbo<\/a> \u2013 3 Aug 2017<\/em><\/p>\n

Vault 7: Imperial<\/a> \u2013 27 Jul 2017<\/em><\/p>\n

Vault 7: CL\/Raytheon<\/a> \u2013 19 Jul 2017<\/em><\/p>\n

Vault 7: Highrise<\/a> \u2013 13 Jul 2017<\/em><\/p>\n

Vault 7: BothanSpy<\/a> \u2013 6 Jul 2017<\/em><\/p>\n

Vault 7: OutlawCountry<\/a> \u2013 29 Jun 2017<\/em><\/p>\n

Vault 7: Elsa<\/a> \u2013 28 Jun 2017<\/em><\/p>\n

Vault 7: Brutal Kangaroo<\/a> \u2013 22 Jun 2017<\/em><\/p>\n

Vault 7: Cherry Blossom<\/a> \u2013 15 Jun 2017<\/em><\/p>\n

Vault 7: Pandemic<\/a> \u2013 1 Jun 2017<\/em><\/p>\n

Vault 7: Athena<\/a> \u2013 19 May 2017<\/em><\/p>\n

Vault 7: AfterMidnight & Assassin Frameworks<\/a> \u2013 12 May 2017<\/em><\/p>\n

Vault 7: Archimedes \u2013<\/a> 5 May 2017<\/em><\/p>\n

Vault 7: Scribbles Project<\/a> \u2013 28 Apr 2017<\/em><\/p>\n

Vault 7: Weeping Angel<\/a> \u2013 21 Apr 2017<\/em><\/p>\n

Vault 7: Hive Project<\/a> \u2013 14 Apr 2017<\/em><\/p>\n

Vault 7: Grasshopper Framework<\/a> \u2013 7 Apr 2017<\/em><\/p>\n

Vault 7: Marble Framework<\/a> \u2013 31 Mar 2017<\/em><\/p>\n

Vault 7: Project Dark Matter<\/a> \u2013 23 Mar 2017<\/em><\/p>\n

Vault 7: CIA Hacking Tools Revealed<\/a> \u2013 7 Mar 2017<\/em><\/p>\n

Go to Original \u2013 wikileaks.org<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Today, August 31st 2017, WikiLeaks publishes documents from the Angelfire project of the CIA. Like previously published CIA projects (Grasshopper and AfterMidnight) in the Vault7 series, it is a persistent framework that can load and execute custom implants on target computers running the Microsoft Windows operating system (XP or Win7).<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[60],"tags":[],"class_list":["post-98022","post","type-post","status-publish","format-standard","hentry","category-whistleblowing-surveillance"],"_links":{"self":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/98022","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/comments?post=98022"}],"version-history":[{"count":0,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/98022\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/media?parent=98022"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/categories?post=98022"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/tags?post=98022"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}