WikiLeaks released details on what it claims are two frameworks for malware samples dubbed AfterMindnight and Assassin, both allegedly developed by the U.S. Central Intelligence Agency. The revelations come amid worldwide efforts to squelch variants of the WannaCry ransomware, an offensive hacking tool allegedly developed by the National Security Agency.
The release is also the latest from WikiLeaks and part of its ongoing Vault 7 dump of leaks that began in March exposing CIA activities and capabilities. This latest release includes five documents that explain how agents might load and execute malware on targeted computers.
AfterMidnight, according to WikiLeaks documents, disguises itself as a self-persisting Windows Service DLL with the purpose of providing secure execution of “Gremlins” via an HTTPS based Listening Post called Octopus. The alleged CIA documents describe “Gremlins” as small payloads meant to run hidden on a targeted PC. Their purpose is to either “subvert the functionality of targeted software, survey the target (including data exfiltration), or provide internal services for other gremlins,” according to WikiLeaks.
“Once installed on a target machine (AfterMindnight) will call back to a configured (Listening Post) on a configurable schedule, checking to see if there is a new plan for it to execute. If there is, it downloads and stores all needed components before loading all new gremlins in memory,” it wrote.
In one example, pulled from the AfterMidnight 68-page user guide, the CIA appears to have a unique objective when it comes to “subverting the functionality” of software on targeted PCs.
“This example will simulate an operation with two target computers. The goal will be to prevent one target from using their web browser (so that he can get more work done) and we’ll annoy the other target whenever they use PowerPoint (because, face it, they deserve it for using PP),” read to the alleged CIA user guide.
According to the WikiLeaks description of Assassin, the malware is similar in function to AfterMindnight and acts as a collection platform on remote computers for Windows PCs.
“Once the tool is installed on the target, the implant is run within a Windows service process. Assassin will then periodically beacon to its configured listening post(s) to request tasking and deliver results. Communication occurs over one or more transport protocols as configured before or during deployment,” according to the 204-page guide.
Assassin FAQs include; “The implant is uploading too much data; how can I slow it down?” and “Can I run multiple Assassin Implants on a target at the same time?” and “How can I export a commonly used task for later use?”
The Assassin toolset, according to the user manual, uses a modified RC4 stream cipher to provide cryptographic services. Any data stored on the target file system or sent over the wire is encrypted prior to potential exposure, it read.
Last month, WikiLeaks released details on a document tracking program called Scribbles, part of the agency’s effort to keep tabs on documents leaked to whistleblowers and journalists. Scribbles allegedly embeds a web beacon-style tag into watermarks located on Microsoft Word documents that can report document analytics back to the CIA.
