AfterMidnight and Assassin CIA Malware WikiLeaks Vault 7

AfterMidnight and Assassin CIA Malware WikiLeaks Vault 7. By The Hacker News.

When the world was dealing with the threat of the self-spreading WannaCry ransomware, WikiLeaks released a new batch of CIA Vault 7 leaks, detailing two apparent CIA malware frameworks for the Microsoft Windows platform.

Dubbed “AfterMidnight” and “Assassin,” both malware programs are designed to monitor and report back actions on the infected remote host computer running the Windows operating system and execute malicious actions specified by the CIA.

Since March, WikiLeaks has published hundreds of thousands of documents and secret hacking tools that the group claims came from the US Central Intelligence Agency (CIA).

This latest batch is the 8th release in the whistleblowing organization’s ‘Vault 7’ series.

AfterMidnight Malware Framework

According to a statement from WikiLeaks, ‘AfterMidnight’ allows its operators to dynamically load and execute malicious payloads on a target system.

The main controller of the malicious payload is disguised as a self-persisting Windows Dynamic-Link Library (DLL) file and executes “Gremlins”, small payloads that remain hidden on the target machine by subverting the functionality of targeted software, surveying the target, or providing services for other gremlins.

Once installed on a target machine, AfterMidnight uses an HTTPS-based Listening Post (LP) system called “Octopus” to check for any scheduled events. If one is found, the malware framework downloads and stores all required components before loading all new gremlins into memory.

According to a user guide provided in the latest leak, local storage related to AfterMidnight is encrypted with a key that is not stored on the target machine.

A special payload, called “AlphaGremlin,” contains a custom script language which even allows operators to schedule custom tasks to be executed on the targeted system.

Assassin Malware Framework

Assassin is similar to AfterMidnight and is described as “an automated implant that provides a simple collection platform on remote computers running the Microsoft Windows operating system.”

Once installed on the target computer, this tool runs the implant within a Windows service process, allowing the operators to perform malicious tasks on an infected machine, just like AfterMidnight.

Assassin consists of four subsystems: Implant, Builder, Command and Control, and Listening Post.

  • The ‘Implant‘ provides the core logic and functionality of this tool on a target Windows machine, including communications and task execution. It is configured using the ‘Builder’ and deployed to a target computer via some undefined vector.
  • The ‘Builder‘ configures Implant and ‘Deployment Executables’ before deployment and “provides a custom command line interface for setting the Implant configuration before generating the Implant,” reads the tool’s user guide.
  • The ‘Command and Control‘ subsystem acts as an interface between the operator and the Listening Post (LP), while the LP allows the Assassin Implant to communicate with the command and control subsystem through a web server.

Last week, WikiLeaks dumped a man-in-the-middle (MitM) attack tool, called Archimedes, allegedly created by the CIA to target computers inside a Local Area Network (LAN).

This practice by the US intelligence agencies of holding vulnerabilities, rather than disclosing them to the affected vendors, wreaked havoc across the world in the past 3 days, when the WannaCry ransomware hit computers in 150 countries by using an SMB flaw that the NSA discovered and held, and that “The Shadow Brokers” subsequently leaked over a month ago.

Microsoft Slams NSA For Its Role in ‘WannaCry’ Attack

Even Microsoft President Brad Smith condemned the US intelligence agencies’ practice, saying that the “widespread damage” caused by WannaCry was a consequence of the NSA, CIA and other intelligence agencies holding zero-day security vulnerabilities.

“This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world,” Smith said.

Since March, the whistleblowing group has published 8 batches in the “Vault 7” series, which include the latest leak and last week’s leak, along with the following batches:

  • Year Zero – dumped CIA hacking exploits for popular hardware and software.
  • Weeping Angel – spying tool used by the agency to infiltrate smart TVs, transforming them into covert microphones.
  • Dark Matter – focused on hacking exploits the agency designed to target iPhones and Macs.
  • Marble – revealed the source code of a secret anti-forensic framework, basically an obfuscator or a packer used by the CIA to hide the actual source of its malware.
  • Grasshopper – revealed a framework which allowed the agency to easily create custom malware for breaking into Microsoft’s Windows and bypassing antivirus protection.
  • Scribbles – a piece of software allegedly designed to embed ‘web beacons’ into confidential documents, allowing the spying agency to track insiders and whistleblowers.
