More hacking tools and malware frameworks

It's amazing how the media speaks about WannaCry and cyberattacks again and again on TV, radio and news but it seems to forget other kind of cyberwar that we have today. The Athena project, After Midnight and Assassin, Archimedes and the Scribbles project are just some hacking tools and malware frameworks developed by the CIA to exploit Microsoft operating systems for surveillance and gathering foreign intelligence. This week, I'm going to write again about more astonishing hacking tools developed by the US government which deserve to read and study for realising how they have been developing tools to get into our system for years.

Last Thursday, June 1st 2017, WikiLeaks published documents of another hacking tool from the Pandemic project of the CIA. This new project is able to compromise target machines in a local area network from Microsoft Windows File Servers. How this hacking tool works? A Windows File Server, which is sharing files with users, are going to replace the shared files on-the-fly with a trojaned version without changing the original stored file on the file server. Therefore, the file server infected with the “Pandemic” implant are going to modify/replace files from the server to target machine in transit over the LAN.

Pandemic Project: The same file is copied twice from the remote file share to the user's local disk. The file size Windows reports is vastly different, even if the user only gets the smaller replacement file

It's not only for enterprise networks and servers but the CIA, along with MI5 of the United Kingdom Intelligence Agency, is also developed tools to record audio from the built-in microphone of Samsung F Series Smart TV and send this audio to the CIA server by WiFi or store it into a memory stick. This tool, called Weeping Angel by CIA and Extending by MI5, was even going to record audio in a fake-off recording mode where the Smart TV seems to be off but actually was on because it keeps recording voices for surveillance purpose. I'm wondering if new version of this tool was able to record images from the webcam as well. Maybe yes.

Fake-off recording mode

How to control all of these malware? Where are the Command & Control servers? Maybe, this question is answered by the HIVE project of the CIA. This project was to design and configure a back-end infrastructure to hide the real communication between target machines and C&C servers, where the CIA has configured a complex infrastructure with commercial VPS (Virtual Private Servers), a custom cryptographic protocol, VPN and SSL sessions to hide the real communication between infected machines and CIA operators.

Hive Beacon Test Infrastrucgture
Developing malware is something difficult for most developers because they must have a deep knowledge about persistence mechanisms, encryption, exploits, etc. Therefore, the CIA has also developed the Grasshopper framework to build customized malware payloads for Microsoft Windows operating systems in an easy way. For example, they can build a simple malware, or a complex one, choosing components like building a malware for a specific version of Microsoft Windows, or if a particular Antivirus product is running or not.

Using Grasshopper
As we can see, there are lots of hacking tools and malware frameworks from United States Agencies, and UK as well, for cyberattacks, cyberwar, cyberwhatever … are we ready?