Information Security News
by Sean Gallagher
There are thousands of files in WikiLeaks' dump of data from the Central Intelligence Agency's Engineering Development Group (EDG). This organization within the CIA's Center for Cyber Intelligence is responsible for creating the tools used to hack into digital devices around the world in support of the CIA's mission. The leaked documents come from an Atlassian Confluence server used by the EDG's developers to track and document their projects.
Many of the documents in the dump are unclassified—manuals provided by Lockheed Martin and other vendors, for example. Most are classified at the Secret level, including things as innocuous as a guide to getting started with Microsoft Visual Studio, apparently the preferred development tool of the EDG's Applied Engineering Department (AED). There's also a smattering of meme construction components and animated GIFs of the anime series Trigun.
But a tiny fraction of the data is highly classified, according to document marks. This cache sits at the Top Secret level, and it's marked as "Special Intelligence" (SI) and "NOFORN" (no foreign distribution). Out of the first batch of just over 1,000 documents, there are two paragraphs marked at that level. And those pieces describe minutiae of how the CIA's Network Operations Division wants the cryptographic features of its tools to work and how the CIA obtains and prepares phones for use in its exploit lab.
Every day we hear about new pieces of malware that implement new techniques to hide themselves and defeat analysts. But there are still people who write simple code that just does the job. The sample that I'm reviewing today had a very short lifetime because it was quickly detected by most antivirus products. Its purpose is to steal information, like credentials, from the infected computers. When the sample was first submitted to VT, it reached a score of 11/59, which is not bad. Today, its score is 44/59.
Amongst other actions, it copies itself to C:\Users\%USER%\Temp\Skype\chrome.exe. It checks the victim's computer location via hxxp://ip-score.com/checkip/ and collects information about the victim. Then it runs the following command, which creates a scheduled task that launches the dropped copy every minute:

C:\WINDOWS\system32\cmd.exe /c schtasks /create /tn MOCLXG /tr C:\DOCUME~1\Xavier\LOCALS~1\Temp\Skype\chrome.exe /sc minute /mo 1
The way it steals information from the victim is interesting in this case. People are often lazy, so why reinvent the wheel? There already exist tools to collect credentials from applications like browsers, email clients,
The PE file is dropped on the file system and executed with the following command:

C:\WINDOWS\system32\cmd.exe /c Pl2.exe -f Pl2.txt
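The behaviour described above leaves a recognisable trail in process-creation telemetry: a browser-named binary running out of a Temp folder, a schtasks /create with a one-minute schedule pointing at that Temp path, and cmd.exe /c launching a dropped tool by bare filename. The following Python is an added example (not code from the original post) that flags those patterns. The {"image", "cmdline"} event shape, the sample values and the thresholds are constructed for illustration; the command lines mirror the two shown above with the user name replaced.

```python
"""Flag scheduled-task persistence and dropped-binary execution in process-creation events.

Added example: the event format and sample data are constructed, not real telemetry.
"""
import os
import re
from typing import Dict, List, Tuple

# Constructed sample events. The first three mirror the chain described in the
# post (self-copy under Temp, schtasks persistence, dropped tool run via cmd /c);
# the last two are benign controls that must not fire.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Users\alice\Temp\Skype\chrome.exe",
     "cmdline": r"C:\Users\alice\Temp\Skype\chrome.exe"},
    {"image": r"C:\WINDOWS\system32\cmd.exe",
     "cmdline": r"C:\WINDOWS\system32\cmd.exe /c schtasks /create /tn MOCLXG "
                r"/tr C:\DOCUME~1\alice\LOCALS~1\Temp\Skype\chrome.exe /sc minute /mo 1"},
    {"image": r"C:\WINDOWS\system32\cmd.exe",
     "cmdline": r"C:\WINDOWS\system32\cmd.exe /c Pl2.exe -f Pl2.txt"},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r"C:\Program Files\Google\Chrome\Application\chrome.exe --type=renderer"},
    {"image": r"C:\WINDOWS\system32\cmd.exe",
     "cmdline": r"C:\WINDOWS\system32\cmd.exe /c schtasks /create /tn Backup "
                r"/tr C:\Tools\backup.exe /sc daily /st 02:00"},
]

# A path component named Temp, including the 8.3 form LOCALS~1\Temp seen above.
TEMP_DIR = re.compile(r"(?i)\\(?:temp|locals~1\\temp)\\")
SCHTASKS_CREATE = re.compile(r"(?i)\bschtasks(?:\.exe)?\s+/create\b")
TASK_RUN = re.compile(r'(?i)/tr\s+("[^"]*"|\S+)')
SCHEDULE = re.compile(r"(?i)/sc\s+(\w+)")
MODIFIER = re.compile(r"(?i)/mo\s+(\d+)")
# cmd /c followed directly by an .exe (optionally quoted), capturing the program token.
CMD_C_EXE = re.compile(r'(?i)\bcmd(?:\.exe)?\s+/c\s+("?)([^"\s]+\.exe)\1')
BROWSER_NAMES = {"chrome.exe", "firefox.exe", "iexplore.exe"}
TRUSTED_ROOTS = ("c:\\program files", "c:\\windows")
MAX_MINUTES = 5  # constructed threshold: tasks firing this often are rarely legitimate

Finding = Tuple[str, str, str]  # (severity, rule, detail)


def analyze_event(event: Dict[str, str]) -> List[Finding]:
    """Return every rule that fires for one process-creation event."""
    findings: List[Finding] = []
    image, cmdline = event["image"], event["cmdline"]
    name = os.path.basename(image.replace("\\", "/")).lower()

    # Rule 1: any process whose image lives under a Temp directory.
    if TEMP_DIR.search(image):
        findings.append(("medium", "image_in_temp", image))

    # Rule 2: a well-known browser name running outside its normal install roots.
    if name in BROWSER_NAMES and not image.lower().startswith(TRUSTED_ROOTS):
        findings.append(("high", "masquerade_name", image))

    # Rules 3 and 4: schtasks persistence with a very short interval or a Temp target.
    if SCHTASKS_CREATE.search(cmdline):
        tr, sc, mo = TASK_RUN.search(cmdline), SCHEDULE.search(cmdline), MODIFIER.search(cmdline)
        target = tr.group(1).strip('"') if tr else ""
        schedule = sc.group(1).lower() if sc else ""
        interval = int(mo.group(1)) if mo else None
        if schedule == "minute" and interval is not None and interval <= MAX_MINUTES:
            findings.append(("high", "high_frequency_task", "every %d minute(s)" % interval))
        if TEMP_DIR.search(target):
            findings.append(("high", "task_runs_from_temp", target))

    # Rule 5: cmd /c running an .exe by bare name, resolved from the working directory.
    m = CMD_C_EXE.search(cmdline)
    if m and "\\" not in m.group(2):
        findings.append(("low", "cmd_c_relative_exe", m.group(2)))

    return findings


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, Finding]]:
    """Run analyze_event over a batch and pair each finding with its event index."""
    return [(i, f) for i, ev in enumerate(events) for f in analyze_event(ev)]


if __name__ == "__main__":
    for idx, (severity, rule, detail) in scan(SAMPLE_EVENTS):
        print("event %d [%s] %s: %s" % (idx, severity, rule, detail))
```

The single-minute interval and the Temp-path task target are the strong signals here; the bare-filename rule is kept at low severity because administrators also launch tools that way, so it is useful mainly as corroboration alongside the other findings on the same host.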