WikiLeaks posts user guides for CIA malware implants Assassin and AfterMidnight

Credit to Author: Darlene Storm| Date: Mon, 15 May 2017 11:25:00 -0700

The latest WikiLeaks release of CIA malware documentation was overshadowed by the WannaCry ransomware attack sweeping across the world on Friday.

WikiLeaks maintains that “Assassin” and “AfterMidnight” are two CIA “remote control and subversion malware systems” which target Windows. Both were created to spy on targets, send collected data back to the CIA and perform tasks specified by the CIA. Both are persistent and can be scheduled to autonomously uninstall on a specific date and time.

The leaked documents pertaining to the CIA malware frameworks included 2014 user’s guides for AfterMidnight, AlphaGremlin – an addon to AfterMidnight – and Assassin. When reading those, you learn about Gremlins, Octopus, The Gibson and other CIA-created systems and payloads.

AfterMidnight

WikiLeaks described AfterMidnight as allowing “operators to dynamically load and execute malware payloads on a target machine. The main controller disguises as a self-persisting Windows Service DLL and provides secure execution of ‘Gremlins’ via a HTTPS based Listening Post (LP) system called ‘Octopus’.”

When describing AfterMidnight’s footprint, the CIA’s guide says that after the first reboot, the non-networking component runs as a DLL inside a process running as System. “The service is only loaded long enough to load Midnight Core before it stops. In this way there is nothing, no running service entry or loaded DLL, to show that AM is actually running.”

The “Gremlins” – small hidden payloads for the AfterMidnight implant – can be securely deleted by overwriting files in memory with zeros as in the spooks came, conquered and poofed without the target ever knowing he or she was a target.

The 68-page user’s guide for AfterMidnight explains how it works and should be deployed, its capabilities and even hints at what the author considers to be funny. At one point the following example was given:

This example will simulate an operation with two target computers. The goal will be to prevent one target from using their web browser (so that he can get more work done) and we’ll annoy the other target whenever they use PowerPoint (because, face it, they deserve it for using PP).

Under the heading of Advanced, 7.1.1 am.state, AfterMidnight users were warned with a note: “You can destroy everything in the universe by following these directions. User discretion is advised.”

That is followed up in the next section by kick back and relax as “AfterMidnight will take care of the rest.”

How old is AfterMidnight user’s guide?

The change log has three entries: May 2013, April 2014 and August 2014. DLLs will be in any versions of Windows, but for a timeline comparison, 2013 as when Microsoft released Windows 8.1 and RT 8.1. Windows 10 wasn’t released until July 2015.

AlphaGremlin

The special payload AlphaGremlin, which has 7 pages of documentation dated June 2014, is to be used in addition to the AfterMidnight tool suite for running extra customized tasks on the target’s Windows PC. Accompanying screenshots included in the AlphaGremlin v0.1.0 user’s guide appear to show Windows 7.

Assassin

In the 204-page Assassin v1.4 user’s guide, the CIA described Assassin as “an automated implant that provides a simple collection platform on remote computers running the Microsoft Windows operating system. Once the tool is installed on the target, the implant is run within a Windows service process. Assassin will then periodically beacon to its configured listening post(s) to request tasking and deliver results. Communication occurs over one or more transport protocols as configured before or during deployment.”

Like AfterMidnight, the Assassin malware framework allows the CIA to spy on and collect information from a target as well execute tasks. It can capture and return the user’s data and be securely wiped.

The Assassin implant, which can be configured to hibernate on a target’s system before going active, has four subsystems: Implant, Builder, Command and Control (C2) and Listening Post (LP). The Listening Post subsystem, which contains a beacon server, queue and log collector, enables the Assassin implant to communicate with the C2 via a web server. The CIA added, “The Assassin C2 and LP subsystems are referred to collectively as The Gibson.”

The “Grasshopper” user guide for installing payloads was not included in this leak, but referenced in the guide for Assassin as an installation utility to provide “soft persistence on Microsoft Windows targets.”  

Sadly I didn’t fully grasp this portion, but when describing the Implant Pernicious ICE DLL, the CIA noted that the implant “meets the NSA Pernicious Ice specification.” The guide goes on to talk about FAF (Fire and Forget).

Under troubleshooting issues as well as upload queue, the CIA noted, “The Assassin implant will not store more than 16,384 files in the staging directory to prevent overflowing the limitations of the file system.” It also covered what to if a CIA operator wanted to run multiple Assassin implants on a target at the same time.

How old is the Assassin implant user’s guide? 

The first entry on the changelog was in January 2012 and the last, updated for the Assassin 1.4 release, was dated June 2014.

The 21-page Assassin Training documentation, which ironically appears to be a PowerPoint presentation, has one section titled “Assassin Tasking for Fun and Profit.”

Microsoft blasted NSA and CIA for stockpiling vulnerabilities

While Microsoft’s President and Chief Legal Officer, Brad Smith, was talking about the WannaCry ransomware attack and not referring to the latest documentation of CIA malware implants, he blasted the CIA as well as the NSA in a blistering critique of why the government should not stockpile vulnerabilities and digital weapons.  

The WannaCry attack, Smith wrote, “provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem.” He added, “We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen.”

Edward Snowden, who incidentally urged the US government to drop its investigation into Julian Assange and WikiLeaks, claimed that Microsoft confirming a NSA-developed exploit was used in the WannaCry attack was “extraordinary.”

Until this weekend’s attack, Microsoft declined to officially confirm this, as US Gov refused to confirm or deny this was their exploit. https://t.co/i52jeJyD0l

http://www.computerworld.com/category/security/index.rss