WikiLeaks on Thursday made public a CIA implant that is used to turn a Windows file server into a malware distribution point on the local network.
The documents describing the tool, Pandemic, explain how remote machines on the local network trying to download and/or execute documents from the file server over SMB are infected with “replacement” documents on the fly. The implant swaps out the document with a Trojanized version while it’s in transit, never touching the original document on the file server.
The documentation that was leaked yesterday spans from January 2014 to April 2014 and is for versions 1.0 and 1.1.
The leak is just the latest set of CIA tools to be dumped on the internet by the polarizing whistleblower outfit, which has every Friday since March, save last week, put CIA documents and attacks online for public consumption.
In between are the ShadowBrokers, pouring more gasoline on this information-based firestorm by promising monthly leaks of not only NSA-built exploits targeting browsers, handsets and Windows 10 computers, but also stolen data allegedly from China, Iran, Russia and North Korea’s nuclear and missile programs.
The ShadowBrokers have already leaked their share of Windows-based exploits and vulnerabilities, the most worrisome being an April disclosure of SMB flaws and attacks that had been patched by Microsoft in March after it was allegedly tipped off by the NSA. One of those SMB exploits, EternalBlue, was of course used to launch and spread the WannaCry ransomware attacks three weeks ago today.
The ShadowBrokers also had their turn in the spotlight this week, announcing a pricing structure and delivery schedule for their so-called Monthly Dump Service.
The Pandemic leak does not explain what the CIA’s initial infection vector is, but does describe it as a persistent implant.
“As the name suggests, a single computer on a local network with shared drives that is infected with the ‘Pandemic’ implant will act like a ‘Patient Zero’ in the spread of a disease,” WikiLeaks said in its summary description. “‘Pandemic’ targets remote users by replacing application code on-the-fly with a Trojaned version if the program is retrieved from the infected machine.”
The key to evading detection is its ability to modify or replace requested files in transit, hiding its activity by never touching the original file. The new attack then executes only on the machine requesting the file.
Version 1.1 of Pandemic, according to the CIA’s documentation, can target and replace up to 20 different files with a maximum size of 800MB for a single replacement file.
“It will infect remote computers if the user executes programs stored on the pandemic file server,” WikiLeaks said. “Although not explicitly stated in the documents, it seems technically feasible that remote computers that provide file shares themselves become new pandemic file servers on the local network to reach new targets.”
The CIA describes Pandemic as a tool that runs as kernel shellcode that installs a file system filter driver. The driver is used to replace a file with a payload when a user on the local network accesses the file over SMB.
“The goal of Pandemic is to be installed on a machine where the remote users use SMB to download/execute PE (portable executable) files,” the documentation says. “Users that are targeted by Pandemic, and use SMB to download the targeted file, will receive the ‘replacement’ file.”
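Because the replacement happens in transit and the original on disk is never touched, one defensive check is to hash each PE file as read locally on the file server and again as read by a client over the share, then compare the two. The sketch below is an added example, not code from the leaked documentation or from WikiLeaks; the function names are hypothetical, and it assumes `build_manifest` is run once on the server against the local path and once on a client against the mounted share.

```python
import hashlib
import os
import tempfile

def is_pe(path):
    """True if the file starts with the 'MZ' header that every PE file carries."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"

def sha256_file(path, chunk=1 << 20):
    """Hash in chunks: the article cites replacement files of up to 800MB."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Map relative path -> SHA-256 for every PE file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if is_pe(full):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                manifest[rel] = sha256_file(full)
    return manifest

def compare_manifests(on_disk, over_smb):
    """List (path, reason) where the client's view differs from the server's disk."""
    findings = []
    for rel in sorted(set(on_disk) | set(over_smb)):
        a, b = on_disk.get(rel), over_smb.get(rel)
        if a is None:
            findings.append((rel, "only-over-smb"))
        elif b is None:
            findings.append((rel, "only-on-disk"))  # missing, or no longer a PE
        elif a != b:
            findings.append((rel, "hash-mismatch"))
    return findings

if __name__ == "__main__":
    # Constructed demo: two temp directories stand in for the two views.
    with tempfile.TemporaryDirectory() as d:
        for view, body in (("disk", b"MZ original"), ("smb", b"MZ replaced")):
            os.makedirs(os.path.join(d, view))
            with open(os.path.join(d, view, "setup.exe"), "wb") as f:
                f.write(body)
        print(compare_manifests(build_manifest(os.path.join(d, "disk")),
                                build_manifest(os.path.join(d, "smb"))))
```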