Symantec & Wikileaks ID CIA Malware



Security researchers at Symantec have discovered a link between known attacks on computers and the Wikileaks CIA Vault 7 dumps. The well-known anti-virus group found that the Vault 7 exploits, wielded by a group Symantec tracks as "Longhorn", have been used in hacks of at least 40 targets.

The Longhorn attack toolkit has been operational since 2011 and has used backdoor Trojans in addition to zero-day exploits to compromise its targets. Longhorn was aimed primarily at governments and at entities in the international financial, telecoms, energy, aerospace, information technology, education, and natural resources sectors. It was discovered inside 40 targets in at least 16 countries across the Middle East, Europe, Asia, and Africa.

One Longhorn infection was even found on a computer in the US. However, according to Symantec, that infection may have been an accident.

"Following infection, an uninstaller was launched within hours, which may indicate this victim was infected unintentionally," notes the Symantec report.

Symantec tied the tools to Vault 7 by examining the dated change logs for a piece of CIA malware called Fluxwire. The change dates matched the generations of a Longhorn tool that Symantec tracks as Trojan.Corentry. New features in the Corentry samples collected by Symantec appeared at dates closely matching those listed in the Vault 7 documents.

In addition, the software used to build the Corentry malware matched the CIA change logs. The CIA used the common compiler "gcc" to build its early versions of Fluxwire, and its developers switched to MSVC in early 2015. Symantec again examined samples of the malware caught in the wild and found that internal code indicators showed the Corentry Trojan had also switched to MSVC in early 2015, at exactly the same time.
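The matching described in the two paragraphs above is a timeline correlation: each dated entry in a development log should show up, a little later, as an observable change in samples collected in the wild, and a change that shows up before its log date, or never, argues against the link. The script below is an added illustration of that method, not Symantec's tooling or anything from the Vault 7 material; the changelog entries, sample records, feature names and compiler labels are all constructed, and the compiler fingerprint is assumed to have been extracted from each sample already.

```python
from datetime import date

# Constructed changelog for a hypothetical implant: dated entries of the kind a development log
# would hold. Each entry carries a marker that should become observable in compiled samples.
CHANGELOG = [
    {"date": date(2014, 3, 10), "change": "feature: persistence module", "marker": ("feature", "persistence")},
    {"date": date(2014, 9, 2), "change": "feature: plugin loader", "marker": ("feature", "plugins")},
    {"date": date(2014, 12, 1), "change": "feature: screenshot module", "marker": ("feature", "screenshot")},
    {"date": date(2015, 2, 15), "change": "build: compiler switched gcc -> msvc", "marker": ("compiler", "msvc")},
]

# Constructed in-the-wild samples: first-seen date, compiler fingerprint (assumed already recovered
# from the binary, e.g. from linker metadata) and the feature set identified during analysis.
SAMPLES = [
    {"id": "sample-0", "first_seen": date(2013, 11, 1), "compiler": "gcc", "features": set()},
    {"id": "sample-1", "first_seen": date(2014, 3, 18), "compiler": "gcc", "features": {"persistence"}},
    {"id": "sample-2", "first_seen": date(2014, 9, 20), "compiler": "gcc", "features": {"persistence", "plugins"}},
    {"id": "sample-3", "first_seen": date(2015, 2, 28), "compiler": "msvc", "features": {"persistence", "plugins"}},
]


def exhibits(sample, marker):
    """True if the sample shows the change a changelog entry describes."""
    kind, value = marker
    if kind == "feature":
        return value in sample["features"]
    if kind == "compiler":
        return sample["compiler"] == value
    raise ValueError(f"unknown marker kind {kind!r}")


def first_sample_with(samples, marker):
    """Earliest sample exhibiting the marker, or None if no sample does."""
    hits = [s for s in samples if exhibits(s, marker)]
    return min(hits, key=lambda s: s["first_seen"]) if hits else None


def correlate(changelog, samples, window_days=30):
    """For each changelog entry, find when the change first appears in the wild.

    An entry is 'consistent' when the change is first observed no earlier than its
    log date and within window_days of it. A negative lag (seen before it was logged)
    or a change never observed counts against the hypothesis that log and samples
    describe the same tool.
    """
    results = []
    for entry in changelog:
        sample = first_sample_with(samples, entry["marker"])
        if sample is None:
            results.append({"change": entry["change"], "sample": None, "lag_days": None, "consistent": False})
            continue
        lag = (sample["first_seen"] - entry["date"]).days
        results.append({
            "change": entry["change"],
            "sample": sample["id"],
            "lag_days": lag,
            "consistent": 0 <= lag <= window_days,
        })
    return results


def consistency_score(results):
    """Fraction of changelog entries that the sample timeline supports."""
    return sum(1 for r in results if r["consistent"]) / len(results)


if __name__ == "__main__":
    findings = correlate(CHANGELOG, SAMPLES)
    for row in findings:
        print(row)
    print("consistency:", consistency_score(findings))
```

With the constructed data, three of the four log entries are followed within a month by a sample showing the change (the screenshot module is never observed), giving a score of 0.75; the window and the score threshold an analyst would accept are judgement calls, and a long run of consistent entries is what makes a link persuasive, not any single match.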

A second CIA tool, called Archangel in the Vault 7 documents, likewise matched another piece of Longhorn malware that Symantec detects as Backdoor.Plexor.

Another CIA Vault 7 document laid out the cryptographic protocols that malware tools should follow, including the use of an inner layer of encryption within SSL to defeat man-in-the-middle (MITM) attacks. Basically, this design uses two sets of keys: one for the data being transmitted and one for the transport itself. Without the two-key design, a third party who obtains the transport key can substitute its own key in its place and observe all of the data as it passes back and forth between the target and the CIA operations post.
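The two-key design in the paragraph above is easiest to see with both layers in hand: the outer layer stands in for the SSL/TLS session, the inner layer is keyed separately, and an interceptor who has obtained the transport key can peel the outer layer but still sees only ciphertext. The script below is an added illustration and is not code from the Vault 7 documents or from Symantec; the cipher is a stand-in built from HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, chosen so the example runs on the standard library alone, and a real deployment would use a vetted AEAD such as AES-GCM in its place. Key derivation labels, message contents and the tampering step are all constructed.

```python
import hashlib
import hmac
import secrets
import struct


def subkey(master: bytes, label: bytes) -> bytes:
    """Derive an independent 32-byte subkey from a master key (HMAC-based, HKDF-expand style)."""
    return hmac.new(master, label, hashlib.sha256).digest()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in stream cipher (illustration only, not a vetted AEAD)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one layer: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ks = keystream(subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; raises ValueError on any modification."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    ks = keystream(subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def send_two_layer(transport_key: bytes, payload_key: bytes, message: bytes) -> bytes:
    """Inner layer under the payload key, outer layer under the transport key."""
    return seal(transport_key, seal(payload_key, message))


def receive_two_layer(transport_key: bytes, payload_key: bytes, wire: bytes) -> bytes:
    return unseal(payload_key, unseal(transport_key, wire))


def demo() -> dict:
    transport_key = secrets.token_bytes(32)  # stands in for the SSL/TLS session key
    payload_key = secrets.token_bytes(32)    # separate key known only to the two endpoints
    message = b"constructed sample payload"
    wire = send_two_layer(transport_key, payload_key, message)

    # An interceptor holding only the transport key can strip the outer layer...
    inner = unseal(transport_key, wire)
    # ...and any change it makes to the inner blob is caught by the inner layer's tag.
    tampered = inner[:16] + bytes([inner[16] ^ 0x01]) + inner[17:]
    try:
        unseal(payload_key, tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    return {
        "roundtrip_ok": receive_two_layer(transport_key, payload_key, wire) == message,
        # What the transport-key holder recovers is still ciphertext under the payload key.
        "transport_key_exposes_payload": inner == message or message in inner,
        # With a single layer, the same transport-key holder reads the message outright.
        "single_layer_exposes_payload": unseal(transport_key, seal(transport_key, message)) == message,
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    print(demo())
```

The point the document makes is the contrast between the two `*_exposes_payload` results: with one layer, whoever holds the transport key reads everything, while with the inner layer they get an opaque, integrity-protected blob. Substituting a key at the transport layer, the classic interception proxy, gains nothing against the inner layer because its key was never on the wire.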

"Other Vault 7 documents outline tradecraft practices to be used, such as use of the Real-time Transport Protocol (RTP) as a means of command and control (C&C) communications, employing wipe-on-use as standard practice, in-memory string de-obfuscation, using a unique deployment-time key for string obfuscation, and the use of secure erase protocols involving renaming and overwriting. Symantec has observed Longhorn tools following all of these practices. While other malware families are known to use some of these practices, the fact that so many of them are followed by Longhorn makes it noteworthy," noted the Symantec report.

Longhorn appears to be purpose-built for espionage-type surveillance. While some of its most detailed design features cover system fingerprinting, discovery, and removal of data, Longhorn also practises tight operational security: it communicates at specific times, strictly limits the amount of stolen data transmitted, and randomizes its check-in times in order to remain hidden.

However, Longhorn can also be used in an offensive mode (changing data or program operations). The CIA malware supports a large number of commands for remote control of the infected computer and can be extended with additional plugins or other software.

According to Symantec, its researchers were able to determine early on that Longhorn was most likely a US intelligence agency. The targets were outside the US, and there was a typical tell-tale clue of bureaucratic government work: Longhorn's controllers appeared to keep a standard Monday-to-Friday working week, based on timestamps and domain name registration dates. While most independent hackers work a wild variety of hours and days, only a classic bureaucrat would work Monday through Friday.
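The working-week clue above is a standard piece of attribution analysis: take every timestamp the operators could not easily avoid leaving (compile times, domain registration times), tabulate them by weekday, and shift them through candidate UTC offsets to find the one that packs most of them into office hours. The script below is an added example of that analysis, not Symantec's method or data; the eleven event timestamps are constructed, the 08:00 to 18:00 working window and the thresholds in `looks_like_office_hours` are assumptions, and real data would of course be noisier.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed UTC timestamps of the kind an analyst would gather: sample compile times and
# domain registration times from WHOIS. Not real Longhorn data.
EVENTS = [
    datetime(2017, 4, 10, 13, 5, tzinfo=timezone.utc),   # Mon
    datetime(2017, 4, 10, 14, 40, tzinfo=timezone.utc),  # Mon
    datetime(2017, 4, 11, 15, 12, tzinfo=timezone.utc),  # Tue
    datetime(2017, 4, 11, 16, 55, tzinfo=timezone.utc),  # Tue
    datetime(2017, 4, 12, 17, 3, tzinfo=timezone.utc),   # Wed
    datetime(2017, 4, 12, 18, 30, tzinfo=timezone.utc),  # Wed
    datetime(2017, 4, 13, 19, 20, tzinfo=timezone.utc),  # Thu
    datetime(2017, 4, 13, 20, 45, tzinfo=timezone.utc),  # Thu
    datetime(2017, 4, 14, 21, 10, tzinfo=timezone.utc),  # Fri
    datetime(2017, 4, 14, 22, 0, tzinfo=timezone.utc),   # Fri
    datetime(2017, 4, 15, 15, 0, tzinfo=timezone.utc),   # Sat (a single weekend outlier)
]


def weekday_histogram(events):
    """Count events per weekday name, e.g. {'Mon': 2, ...}."""
    return Counter(e.strftime("%a") for e in events)


def weekend_fraction(events):
    """Share of events that fall on Saturday or Sunday (UTC)."""
    return sum(1 for e in events if e.weekday() >= 5) / len(events)


def best_fit_utc_offset(events, work_start=8, work_end=18):
    """Shift the UTC hours through every whole-hour offset and keep the one that puts
    the most events inside [work_start, work_end). Returns (offset, events_in_hours).
    Ties resolve to the most negative offset, so treat a narrow margin as inconclusive."""
    best_offset, best_hits = None, -1
    for offset in range(-12, 15):
        hits = sum(1 for e in events if work_start <= (e.hour + offset) % 24 < work_end)
        if hits > best_hits:
            best_offset, best_hits = offset, hits
    return best_offset, best_hits


def looks_like_office_hours(events, max_weekend=0.15, min_in_hours=0.8):
    """Heuristic verdict: mostly weekdays, and some UTC offset puts most events in office hours."""
    _, hits = best_fit_utc_offset(events)
    return weekend_fraction(events) <= max_weekend and hits / len(events) >= min_in_hours


if __name__ == "__main__":
    print(dict(weekday_histogram(EVENTS)))
    print("weekend fraction:", round(weekend_fraction(EVENTS), 3))
    print("best UTC offset, events in hours:", best_fit_utc_offset(EVENTS))
    print("office-hours pattern:", looks_like_office_hours(EVENTS))
```

On the constructed data the best fit is UTC-5 with all eleven events inside working hours, which is exactly the kind of result the article describes. Two caveats a practitioner should keep in mind: compile timestamps in PE headers are trivially forgeable, so a clean office-hours pattern is corroboration rather than proof, and the analysis only says something if the operators did not deliberately randomise those fields.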

There were other clues as well. The Longhorn group had to preconfigure its attack software with target-specific code words, and with distinct domains and IP addresses for communications back to the attackers. Symantec noted that Longhorn tools carried embedded capitalized code words identifying each attack.

"One example was a nod to the band The Police, with the code words REDLIGHT and ROXANNE used," noted Symantec. "Some of the code words found in the malware, such as SCOOBYSNACK, would be most familiar in North America."

The Symantec report is yet another example of how things put together by the CIA may come back to bite us. It is clear that the source code, which Wikileaks has so far not released, contains extensive malware and attack tooling that could easily be turned against its creators, like some Frankenstein monster. It is unclear whether the source code to CIA weaponry such as Longhorn has already been copied, duplicated or modified by other actors on the cyber-warfare stage.

However, you can bet your boots, partner, that if Julian Assange has a Longhorn herd, so do other cowboys and indians. It's only a matter of time before it stampedes down Main Street USA.



if you want to see inner cryptographic design - RAVEN has got it

