AngelFire – CIA Malware Infects System Boot Sector

AngelFire CIA Vault 7 Leak

Wikileaks has published documents for yet another Vault 7 tool dubbed AngelFire which was utilized by the CIA, Central Intelligence Agency, to gain persistent remote access to the Windows operating system. The framework installs a persistent backdoor on the target system by modifying the partition boot sector.

The AngelFire framework consists of five separate tools:

1. Solartime – Modifies the partition boot sector so that when Windows loads boot time device drivers, it also loads and executes the Wolfcreek implant.
2. Wolfcreek – Is a self-loading and once executed can load and run other user-mode applications.
3. Keystone – Is used to launch malicious implants which never touch the file system. Documentation reports that loading of additional implants creates memory leaks that can be detected on infected machines. Loaded implants never touch the file system and is very little forensic evidence of the process. It will masquerade as the “c:\Windows\system32\svchost.exe” and can be dected in the Windows task manager if the operating system is installed on another partition or in a different path.
4. BadMFS – Is a library used to implant covert file systems that are created at the end of an active partition or in a file on the disk. It’s used to store all drivers and implants used in the attack.
5. Windows Transitory File System – Is the new method used by the CIA to install AngelFire. The system allows an agent to create transitory files for installation, adding files to AngelFire, removing file from AngelFire, and so on. According to a user manual leaked by WikiLeaks, AngelFire requires administrative privileges on a target computer for successful installation. The 32-bit version of implant works against Windows XP and Windows 7, while the 64-bit implant can target Server 2008 R2, Windows 7.

Previous Valut 7 CIA Leaks

Over 22 dumps from Vault 7 have been released since March:

• CouchPotato — A CIA project that revealed its ability to spy on video streams remotely in real-time.
• Dumbo — A CIA project that disclosed its ability to hijack and manipulate webcams and microphones to corrupt or delete recordings.
• Imperial — A CIA project that revealed details of 3 CIA-developed hacking tools and implants designed to target computers running Apple Mac OS X and different flavours of Linux OS.
• UCL/Raytheon — An alleged CIA contractor that analysed in-the-wild advanced malware and submitted at least five reports to the agency for help it develops its malware.
• Highrise — An alleged CIA project that allowed the US agency to stealthy collect and forward stolen data from compromised smartphones to its server via SMS messages.
• BothanSpy and Gyrfalcon — Two alleged CIA implants that allowed the spy agency to intercept and exfiltrate SSH credentials from targeted Windows and Linux computers using different attack vectors.
• OutlawCountry — An alleged CIA project that allowed the agency to hack and remotely spy on computers running Linux operating systems.
• ELSA — Alleged CIA malware that tracks geo-location of targeted laptops and computers running the Microsoft Windows OS.
• Brutal Kangaroo — A tool suite for Microsoft Windows OS used by the CIA agents to target closed networks or air-gap computers within an organisation or enterprise without requiring any direct access.
• Cherry Blossom — A framework employed by the agency to monitor the Internet activity of the targeted systems by exploiting flaws in Wi-Fi devices.
• Pandemic — A CIA’s project that allowed the spying agency to turn Windows file servers into covert attack machines that can silently infect other PCs of interest inside the same network.
• Athena — A spyware framework that the agency designed to take full control over the infected Windows systems remotely and works against every version of Windows OS–from Windows XP to Windows 10.
• AfterMidnight and Assassin — 2 alleged CIA malware frameworks for the Microsoft Windows platform that’s meant to monitor and report back actions on the infected remote host PC and execute malicious actions.
• Archimedes — Man-in-the-middle (MitM) attack tool allegedly developed by the agency to target computers inside a Local Area Network (LAN).
• Scribbles — Software allegedly designed to embed ‘web beacons’ into confidential documents, allowing the CIA agents to track insiders and whistleblowers.
• Grasshopper — A framework which allowed the spying agency to easily create custom malware for breaking into Microsoft’s Windows OS and bypassing antivirus protection.
• Marble — Source code of a secret anti-forensic framework used by the agency to hide the actual source of its malware.
• Dark Matter — Hacking exploits the spying agency designed to target iPhones and Macs.
• Weeping Angel — Spying tool used by the CIA agents to infiltrate smart TV’s, transforming them into covert microphones.
• Year Zero — CIA hacking exploits for popular hardware and software.