(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Schneider Electric Wonderware Intelligence Default Credentials Security Bypass Vulnerability
Flash Seats for iOS CVE-2017-3190 SSL Certificate Validation Security Bypass Vulnerability
Google Android Recovery Verifier CVE-2017-0475 Privilege Escalation Vulnerability
ACTi Cameras Models Multiple Security Vulnerabilities

[Image: the logo of the CIA's Engineering Development Group (EDG), the home of the spy agency's malware and espionage tool developers.]

There are thousands of files in WikiLeaks' dump of data from the Central Intelligence Agency's Engineering Development Group (EDG). This organization within the CIA's Center for Cyber Intelligence is responsible for creating the tools used to hack into digital devices around the world in support of the CIA's mission. The leaked documents come from an Atlassian Confluence server used by the EDG's developers to track and document their projects.

Many of the documents in the dump are unclassified—manuals provided by Lockheed Martin and other vendors, for example. Most are classified at the Secret level, including things as innocuous as a guide to getting started with Microsoft Visual Studio, apparently the preferred development tool of the EDG's Applied Engineering Department (AED). There's also a smattering of meme construction components and animated GIFs of the anime series Trigun.

But a tiny fraction of the data is highly classified, according to document marks. This cache sits at the Top Secret level, and it's marked as "Special Intelligence" (SI) and "NOFORN" (no foreign distribution). Out of the first batch of just over 1,000 documents, there are two paragraphs marked at that level. And those pieces describe minutiae of how the CIA's Network Operations Division wants the cryptographic features of its tools to work and how the CIA obtains and prepares phones for use in its exploit lab.


Google Android Mediaserver Multiple Remote Code Execution Vulnerabilities
Netpbm CVE-2017-2579 Local Denial of Service Vulnerability
RE: CVE-2017-3241 - [ERPSCAN-17-006] Oracle OpenJDK - Java Serialization DoS
[security bulletin] HPESBHF03714 rev.1 - HPE Intelligent Management Center (IMC) PLAT, Local Arbitrary File Download
Netpbm CVE-2017-2581 Local Integer Overflow Vulnerability
Netpbm CVE-2017-2580 Local Heap Buffer Overflow Vulnerability
Netpbm CVE-2017-2586 Null Pointer Dereference Local Denial of Service Vulnerability
Netpbm CVE-2017-2587 Local Denial of Service Vulnerability
[SECURITY] [DSA 3804-1] linux security update
[security bulletin] HPESBHF03713 rev.1 - HPE Intelligent Management Center (IMC) PLAT, Deserialization of Untrusted Data, Remote Code Execution
[security bulletin] HPESBGN03712 rev.1 - HPE LoadRunner and Performance Center, Remote Code Execution
Mozilla Firefox and Thunderbird Multiple Security Vulnerabilities
Mozilla Firefox CVE-2017-5426 Security Bypass Vulnerability
Mozilla Firefox MFSA 2017-05 Multiple Security Vulnerabilities
Mozilla Firefox CVE-2017-5403 Denial of Service Vulnerability
SEC Consult SA-20170308-0 :: Multiple vulnerabilities in Navetti PricePoint
Mozilla Firefox and Thunderbird CVE-2017-5401 Memory Corruption Vulnerability
Mozilla Firefox and Thunderbird Multiple Use After Free Denial of Service Vulnerabilities
Mozilla Firefox and Thunderbird CVE-2017-5400 Multiple Memory-Corruption Vulnerabilities
Mozilla Firefox and Thunderbird CVE-2017-5398 Multiple Unspecified Memory-Corruption Vulnerabilities
[slackware-security] mozilla-firefox (SSA:2017-066-01)
Multiple vulnerabilities found in Wireless IP Camera (P2P) WIFICAM cameras and vulnerabilities in GoAhead
[security bulletin] HPESBHF03710 rev.1 - HPE Intelligent Management Center (IMC) PLAT, Multiple Remote Vulnerabilities

Every day we hear about new pieces of malware that implement new techniques to hide themselves and defeat analysts. But there are still people who write simple code that just does the job. The sample that I'm reviewing today had a very short lifetime because it was quickly detected by most antivirus engines. Its purpose is to steal information, like credentials, from infected computers. When the sample was first submitted to VT, it reached a score of 11/59, which is not bad. Today, its score is 44/59 [1].

Among other actions, it copies itself to C:\Users\%USER%\Temp\Skype\chrome.exe. It checks the victim's computer location via hxxp://ip-score.com/checkip/ and collects information about the victim. Then it creates a scheduled task that re-launches that copy every minute, which gives it persistence:

C:\WINDOWS\system32\cmd.exe /c schtasks /create /tn MOCLXG /tr C:\DOCUME~1\Xavier\LOCALS~1\Temp\Skype\chrome.exe /sc minute /mo 1
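A scheduled task like the one above is cheap to spot in process-creation telemetry (Sysmon Event ID 1 or equivalent): the target lives in a user-writable Temp directory and the task fires every minute. The following Python is an added example, not code from the diary or from the malware. It runs a simple check over constructed Sysmon-style log lines (the first reproduces the command line above; the other two are benign lines made up for contrast) and flags schtasks /create invocations whose target sits in a temp/AppData directory or whose schedule is minute-level. The log field layout, the directory list and the five-minute threshold are my own assumptions.

```python
import re

# Constructed sample process-creation events in a Sysmon Event ID 1 style
# (one event per line). The first command line is the one observed in the
# diary; the other two are benign and constructed here for contrast.
SAMPLE_EVENTS = [
    r'EventID=1 Image=C:\WINDOWS\system32\cmd.exe CommandLine="C:\WINDOWS\system32\cmd.exe /c schtasks /create /tn MOCLXG /tr C:\DOCUME~1\Xavier\LOCALS~1\Temp\Skype\chrome.exe /sc minute /mo 1"',
    r'EventID=1 Image=C:\WINDOWS\system32\schtasks.exe CommandLine="schtasks /create /tn NightlyBackup /tr C:\Program Files\Backup\backup.exe /sc daily /st 02:00"',
    r'EventID=1 Image=C:\WINDOWS\system32\cmd.exe CommandLine="cmd.exe /c dir C:\Users"',
]

CMDLINE_RE = re.compile(r'CommandLine="(?P<cmd>.*)"\s*$')
# A schtasks switch value runs until the next "/switch" or the end of the line,
# so a target path containing spaces (e.g. Program Files) is captured whole.
SWITCH_RE = r'(?i)/{name}\s+(?P<val>.+?)(?=\s+/\w+\b|\s*$)'
# User-writable locations a persisted binary should not normally live in (assumption).
SUSPICIOUS_DIR_RE = re.compile(r'(?i)\\(temp|tmp|appdata|locals~1|downloads)\\')
# Minute schedules at or below this interval are treated as suspicious (assumption).
MAX_BENIGN_MINUTES = 5


def _switch(cmd, name):
    """Extract the value of a schtasks switch such as /tn, /tr, /sc or /mo."""
    m = re.search(SWITCH_RE.format(name=name), cmd)
    return m.group("val").strip() if m else None


def analyse_command_line(cmd):
    """Return a finding dict for a suspicious 'schtasks /create' command line, else None."""
    if not re.search(r'(?i)\bschtasks(\.exe)?\b.*?/create\b', cmd):
        return None
    task = _switch(cmd, "tn")
    target = _switch(cmd, "tr") or ""
    schedule = (_switch(cmd, "sc") or "").lower()
    modifier = _switch(cmd, "mo")
    reasons = []
    if SUSPICIOUS_DIR_RE.search(target):
        reasons.append("target in user-writable temp directory")
    if schedule == "minute":
        # "/sc minute" without "/mo" means every minute.
        minutes = int(modifier) if modifier and modifier.isdigit() else 1
        if minutes <= MAX_BENIGN_MINUTES:
            reasons.append("high-frequency schedule (every %d minute(s))" % minutes)
    if not reasons:
        return None
    return {"task": task, "target": target, "schedule": schedule, "reasons": reasons}


def scan_events(events):
    """Run the check over Sysmon-style event lines and return the suspicious ones."""
    findings = []
    for line in events:
        m = CMDLINE_RE.search(line)
        if not m:
            continue
        finding = analyse_command_line(m.group("cmd"))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

Only the first sample line is reported, with both reasons; the nightly backup task in Program Files passes. In production the same two indicators map directly onto a Sysmon or EDR rule on the CommandLine field.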

The way it steals information from the victim is interesting in this case. People are often lazy, so why reinvent the wheel? There already exist tools to collect credentials from applications like browsers, email clients,

The network traffic generated by the malware is very interesting. The C2 is hosted behind a dynamic DNS name: popstub.ddns.net [2]. The malware does not use HTTP but a plain TCP session to port 1340/tcp. The first thing it does is send information about the victim, and the C2 returns a PE file.

In the captured session we can see the location (country), date, IP address, logged-in user, OS, architecture and screen resolution. I presume that the "No" strings indicate the presence of an antivirus and a firewall (which are both disabled in my sandbox).
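The exchange described above (victim info out, a PE file straight back, no HTTP framing, port 1340/tcp) is easy to spot on the wire if you look for executable headers rather than for HTTP. The following Python is an added example, not code from the diary or from the malware: it searches the server-to-client bytes of a session for a DOS/PE header pair and flags the session when the executable arrives without HTTP framing or on a non-web port. The sample session bytes, the minimal PE header stub and the port list are constructed assumptions; the beacon format itself is not reproduced because the diary only lists its fields.

```python
import struct

# Ports on which an executable download is "expected" and left to other rules (assumption).
STANDARD_WEB_PORTS = {80, 443, 8080}


def build_minimal_pe_stub(machine=0x14C):
    """Constructed test data: the smallest byte string that passes the MZ/PE header
    check below. It is not a runnable executable, only the headers a detector reads."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\x00" * (0x3C - 2))
    dos += struct.pack("<I", e_lfanew)              # e_lfanew lives at offset 0x3C
    dos += b"\x00" * (e_lfanew - len(dos))
    nt = b"PE\x00\x00" + struct.pack("<HH", machine, 3)  # Signature, Machine, NumberOfSections
    return bytes(dos) + nt + b"\x00" * 16


def find_pe(data):
    """Return (offset, machine) of the first PE image header in a byte stream, else None.
    An 'MZ' is only accepted if e_lfanew points at a valid 'PE\\0\\0' signature."""
    start = 0
    while True:
        off = data.find(b"MZ", start)
        if off < 0 or off + 0x40 > len(data):
            return None
        e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
        nt = off + e_lfanew
        if 0x40 <= e_lfanew < 0x1000 and nt + 6 <= len(data) and data[nt:nt + 4] == b"PE\x00\x00":
            machine = struct.unpack_from("<H", data, nt + 4)[0]
            return off, machine
        start = off + 2          # false positive ("MZ" in ordinary data): keep scanning


def flag_session(dst_port, server_to_client):
    """Flag a TCP session in which the server delivers a PE image without HTTP framing
    (as in the diary's port-1340 C2) or on a non-web port. Returns a finding or None."""
    hit = find_pe(server_to_client)
    if hit is None:
        return None
    offset, machine = hit
    looks_like_http = server_to_client.startswith(b"HTTP/")
    reasons = []
    if not looks_like_http:
        reasons.append("executable delivered without HTTP framing")
    if dst_port not in STANDARD_WEB_PORTS:
        reasons.append("non-web destination port %d" % dst_port)
    if not reasons:
        return None      # a plain HTTP download on a web port is left to other rules
    return {"port": dst_port, "pe_offset": offset, "machine": hex(machine), "reasons": reasons}


# Constructed session: a short textual acknowledgement followed by the PE stub,
# modelled on the diary's description (beacon sent, PE returned in the same session).
SAMPLE_SERVER_BYTES = b"OK\r\n" + build_minimal_pe_stub()

if __name__ == "__main__":
    print(flag_session(1340, SAMPLE_SERVER_BYTES))
```

Checking e_lfanew before accepting an "MZ" is what keeps the false-positive rate tolerable on real traffic; the same logic is what a Zeek file-analysis script or a Suricata file-magic rule performs when it tags executables in non-HTTP streams.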

The PE file is dropped on the file system and executed through cmd.exe:

C:\WINDOWS\system32\cmd.exe /c Pl2.exe -f Pl2.txt

Another tool is then downloaded and executed following the same scenario, and then a last one.
Everything is executed within a single TCP session. This is quite simple and efficient if you don't implement proper egress filtering.
[1] https://www.virustotal.com/en/file/11347119bbae52855b3a303c71c36f1ff30810c63359bde41a81a70e5d9ae86c/analysis/
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
