CIA hacking tools

in #cia, 7 years ago

A team of hackers at the CIA, the Central Intelligence Agency, allegedly used a Windows hacking tool against its targets to gain persistent remote access.

As part of its Vault 7 leaks, WikiLeaks today revealed details about a new implant developed by the CIA, dubbed AngelFire, to target computers running the Windows operating system.
The AngelFire framework implants a persistent backdoor on target Windows computers by modifying their partition boot sector.

The AngelFire framework consists of the following five components:

  1. Solartime — it modifies the partition boot sector to load and execute Wolfcreek (kernel code) every time the system boots up.
  2. Wolfcreek — a self-loading driver (kernel code that Solartime executes) that loads other drivers and user-mode applications.
  3. Keystone — a component that uses the DLL injection technique to execute the malicious user applications directly in system memory without dropping them onto the file system.
  4. BadMFS — a covert file system that attempts to install itself in non-partitioned space available on the targeted computer and stores all drivers and implants that Wolfcreek starts.
  5. Windows Transitory File system — a new method of installing AngelFire, which allows the CIA operator to create transitory files for specific tasks like adding and removing files to AngelFire, rather than laying independent components on disk.

According to a user manual leaked by WikiLeaks, AngelFire requires administrative privileges on a target computer for successful installation.
The 32-bit version of the implant works against Windows XP and Windows 7, while the 64-bit implant can target Server 2008 R2 and Windows 7.
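
The component list above names two places a defender can inspect: the partition boot sector and non-partitioned disk space. The following is an added example, not taken from the original post or the leaked manual. It parses an MBR partition table from a raw disk image, hashes each partition's boot sector for comparison with a known-good baseline, and lists unpartitioned gaps. It assumes an MBR-partitioned disk with 512-byte sectors (GPT is not handled); the function names and the sample image are constructed for illustration.

```python
import hashlib
import struct

SECTOR = 512  # assumption: 512-byte sectors

def parse_mbr(image: bytes):
    """Return sorted (start_lba, sector_count, type) for each used MBR entry."""
    mbr = image[:SECTOR]
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 462 + 16 * i]
        ptype = entry[4]
        start, count = struct.unpack_from("<II", entry, 8)
        if ptype != 0 and count > 0:
            parts.append((start, count, ptype))
    return sorted(parts)

def boot_sector_hashes(image: bytes, parts):
    """SHA-256 of each partition's first sector, keyed by start LBA."""
    return {start: hashlib.sha256(image[start * SECTOR:(start + 1) * SECTOR]).hexdigest()
            for start, _, _ in parts}

def unpartitioned_gaps(image: bytes, parts):
    """(first_lba, last_lba, has_nonzero_data) for space outside all partitions."""
    total = len(image) // SECTOR
    gaps, cursor = [], 1  # sector 0 is the MBR itself
    for start, count, _ in parts + [(total, 0, 0)]:  # sentinel marks end of disk
        if start > cursor:
            data = image[cursor * SECTOR:start * SECTOR]
            gaps.append((cursor, start - 1, any(data)))
        cursor = max(cursor, start + count)
    return gaps

def build_sample_image():
    """Constructed 64-sector disk: one type-0x07 partition at LBA 8, 32 sectors."""
    img = bytearray(64 * SECTOR)
    struct.pack_into("<B3sB3sII", img, 446, 0x80, b"\0\0\0", 0x07, b"\0\0\0", 8, 32)
    img[510:512] = b"\x55\xaa"
    img[8 * SECTOR:8 * SECTOR + 4] = b"\xeb\x52\x90N"  # stand-in boot sector bytes
    img[50 * SECTOR:50 * SECTOR + 4] = b"DATA"         # bytes past the last partition
    return bytes(img)

if __name__ == "__main__":
    image = build_sample_image()
    parts = parse_mbr(image)
    print("boot sector hashes:", boot_sector_hashes(image, parts))
    print("unpartitioned gaps:", unpartitioned_gaps(image, parts))
```

Non-zero data in a gap, or a boot sector hash that differs from the baseline, is a lead for further examination rather than a verdict, since boot managers and vendor tools also use these areas.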


It will be good if you can indicate your source for this material as it is not your own material.
@rogerblu

