ANGELFIRE | New Vault 7 Reveals Malware Framework Developed To Infect Windows Operating Systems

in #wikileaks, 7 years ago


WikiLeaks has just published another top secret CIA project, codenamed Angelfire. Angelfire is a group of hacking tools developed for both 32 and 64 bit versions of Microsoft Windows XP and Windows 7, and also for Windows Server 2008 R2. It consists of 5 different tools that work together to compromise an operating system by targeting the boot sector, which allows the user to deploy further payloads to an undetectable library. The Angelfire implant is made up of 5 components:

  • Solartime
  • Wolfcreek
  • Keystone
  • BadMFS
  • Windows Transitory File system


Angelfire

Angelfire comes with two installer versions, an executable and a fire-and-collect .dll installer, which are the user's single mechanism for working with the Angelfire implant. The installer is also used to uninstall Angelfire, and it gives the user access to the BadMFS covert file system.

To install Angelfire, the user must create and finalize an “inst” transitory (temporary) file that includes the BadMFS path on the target (-bp), the Wolfcreek driver (-wd), the Solartime container path that will be created on the target (-cp), and the Solartime pack file (-st). The container path (-cp) must not contain a drive letter, and it must be placed under the \Windows folder.

Angelfire uses the BadMFS covert file system to store many of the implants and data required to run, and requires administrative privileges for either installation mechanism. One of the two installer options requires manipulation of the signing certificate from the Certificate Authority, which is only supposed to be approved by Microsoft before it can be installed onto the intended target's system. This is done internally by the CIA's Embedded Devices Branch (EDG) division, which is responsible for the development, testing and operational support of all implants, backdoors, exploits, payloads, trojans, viruses and any other kind of malware used by the CIA in its covert cyber operations.


BadMFS

BadMFS is a covert file system that is either created at the end of an active partition (slack space) or will attempt to install itself in non-partitioned space. Angelfire uses BadMFS to store, obfuscate and encrypt all drivers, implants, and associated files used by Wolfcreek.

Angelfire uses the BadMFS covert file system to store many of the implants and data required to run. BadMFS has two options for installation: one using a specified file and the other using slack space at the end of a hard drive. Which option is used depends on what is specified under the -bp flag. To use the specified-file option, an operator must give a complete path to a file that will hold the covert store on disk. To use the slack-space option, the operator must specify “PhysicalDrive”.

BadMFS provides an interface for a developer to interact with the covert file system, similar to typical Windows API functionality. It was developed as a library to support multi-process and multi-threaded environments, and it can run as a kernel library for a device driver or other kernel threads. Once BadMFS is installed using the Angelfire installer, its location needs to be provided to any transitory (temporary) file created.

BadMFS is described as a library which stores all drivers and implants that Wolfcreek can activate. In some versions it can be detected, but in most versions it is encrypted and obfuscated, making it undetectable by the string or PE header scanning used to detect malware.


Windows Transitory File System

Windows Transitory File System is an updated component that is used as an alternative to BadMFS. Instead of storing files in a covert file system, the component uses transitory (temporary) files as the storage system. WTFS is the new method of installing Angelfire: rather than writing independent components to disk, the system allows the user to create transitory files for specific actions such as installation, or adding files to and removing files from Angelfire. These temporary files are added to the UserInstallApp (both the .exe and .dll versions).


Solartime

Solartime modifies the partition boot sector to load the relevant kernel code. That kernel code then modifies the Windows boot process so that, when Windows loads boot-time device drivers, Wolfcreek can also be covertly loaded. The implant driver and the Solartime boot code are kept in a small, user-specified, encrypted file on the target disk.
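Added example (not code from the page, the leaked documents or WikiLeaks): a small Python baseline check for the two on-disk places described above, the partition boot sector that Solartime modifies and the slack or unpartitioned space at the end of the disk where BadMFS can live. It parses an MBR partition table, hashes the active partition's boot sector (VBR) against a stored baseline, and lists sector ranges that no partition covers, which is where a defender would look for a covert store. The disk image is constructed inline so the block runs offline; on a real Windows host the same bytes come from opening \\.\PhysicalDrive0 read-only with administrative rights. The field offsets follow the classic MBR layout; the NTFS VBR contents and the "tamper" bytes are constructed sample data, not Solartime's actual boot code.

```python
import hashlib
import struct

SECTOR = 512
PART_ENTRY = "<B3sB3sII"  # status, CHS start, type, CHS end, start LBA, sector count


def build_sample_disk(total_sectors=4096, vbr_tamper=False):
    """Constructed test image: one active NTFS partition at LBA 2048 of 1024
    sectors, leaving unpartitioned space before and after it. Not a real disk."""
    disk = bytearray(total_sectors * SECTOR)
    mbr = bytearray(SECTOR)
    entry = struct.pack(PART_ENTRY, 0x80, b"\xfe\xff\xff", 0x07, b"\xfe\xff\xff", 2048, 1024)
    mbr[0x1BE:0x1BE + 16] = entry
    mbr[0x1FE:0x200] = b"\x55\xAA"
    disk[0:SECTOR] = mbr

    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xEB\x52\x90"      # jump into the boot code, as a real NTFS VBR has
    vbr[3:11] = b"NTFS    "         # OEM identifier
    vbr[0x1FE:0x200] = b"\x55\xAA"
    if vbr_tamper:
        # Constructed: a patched jump in the boot-code area stands in for a
        # modified boot sector; the real modification is not reproduced here.
        vbr[0x54:0x58] = b"\xE9\x00\x01\x00"
    disk[2048 * SECTOR:2049 * SECTOR] = vbr
    return bytes(disk)


def parse_mbr(disk):
    """Return the non-empty primary partition entries from sector 0."""
    if disk[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("missing MBR signature")
    entries = []
    for i in range(4):
        off = 0x1BE + 16 * i
        status, _, ptype, _, start, size = struct.unpack(PART_ENTRY, disk[off:off + 16])
        if ptype == 0:
            continue
        entries.append({"active": status == 0x80, "type": ptype, "start": start, "size": size})
    return entries


def vbr_hash(disk, part):
    """SHA-256 of the first sector of a partition (its volume boot record)."""
    sector = disk[part["start"] * SECTOR:(part["start"] + 1) * SECTOR]
    return hashlib.sha256(sector).hexdigest()


def unpartitioned_regions(entries, total_sectors):
    """Inclusive (first, last) sector ranges not covered by any partition."""
    regions = []
    cursor = 1  # sector 0 is the MBR itself
    for p in sorted(entries, key=lambda e: e["start"]):
        if p["start"] > cursor:
            regions.append((cursor, p["start"] - 1))
        cursor = max(cursor, p["start"] + p["size"])
    if cursor < total_sectors:
        regions.append((cursor, total_sectors - 1))
    return regions


def check_boot_integrity(disk, baseline_vbr_hashes):
    """Compare each active partition's VBR with the baseline (keyed by start LBA)
    and report every unpartitioned region as a place worth inspecting."""
    findings = []
    entries = parse_mbr(disk)
    total = len(disk) // SECTOR
    for p in entries:
        if not p["active"]:
            continue
        expected = baseline_vbr_hashes.get(p["start"])
        if expected is None:
            findings.append(f"active partition at LBA {p['start']}: no baseline VBR hash")
        elif vbr_hash(disk, p) != expected:
            findings.append(f"active partition at LBA {p['start']}: VBR hash changed")
    for lo, hi in unpartitioned_regions(entries, total):
        findings.append(f"unpartitioned sectors {lo}-{hi} ({(hi - lo + 1) * SECTOR} bytes): candidate slack/covert store")
    return findings


if __name__ == "__main__":
    clean = build_sample_disk()
    baseline = {p["start"]: vbr_hash(clean, p) for p in parse_mbr(clean) if p["active"]}
    for line in check_boot_integrity(build_sample_disk(vbr_tamper=True), baseline):
        print(line)
```

The baseline dictionary is what a defender records at build time; rerunning the check after a suspected compromise turns a boot-sector change into a hash mismatch, and the unpartitioned ranges give the byte offsets to image and inspect. The check reads only the first sector of each partition, so it will not notice changes elsewhere in the boot chain.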


Wolfcreek

Wolfcreek is the kernel code that Solartime executes. It is a self-loading driver that, once executed, loads the other drivers and user-mode applications Angelfire needs to operate successfully.


Keystone

Keystone is responsible for starting other user applications. Any application started by MW (Microsoft Windows) is done without the implant ever being written to the file system. Implant processes are created as svchost and are loaded directly into memory. When viewed in Task Manager, all properties of the process are consistent with a real instance of svchost.exe, including image path and parent process. Furthermore, since the implant code never touches the file system (aside from the possibility of paging), there is very little forensic evidence that the process was ever run.

https://wikileaks.org/vault7/#Angelfire


Despite the many complex components that make up Angelfire, the documentation gives several examples of issues and bugs in this group of tools which would lead to them being discovered fairly easily. The Keystone implant, which disguises itself as svchost.exe, can only be installed in C:\Windows\system32. If the target OS was installed on a different partition or drive, the implant would either not work or be exposed by antivirus scans.

Additionally, one of the BadMFS versions creates a file called zf on the target system which a user could potentially discover. The CIA document also warns that a crash of any of the above implants would trigger a visible notification. These CIA documents are dated 2011, a year before the release of Windows 8. This would indicate that the CIA has since ironed out a lot of these issues and that Angelfire would now be much more advanced.
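Added example, not code from the page or from the leaked documents: a Python check over a process inventory that flags svchost.exe instances whose properties do not match a genuine service host. The Keystone section above says the implant's processes show an image path and parent consistent with the real svchost.exe, and the bugs paragraph says it only works from C:\Windows\system32, so this check catches only the cruder cases (image path outside System32, a parent other than services.exe, no -k service group); an in-memory implant that has copied those properties correctly needs a comparison of the process image against the file on disk, which this example does not do. The process records are constructed sample data; on a live host the same five fields map onto the ProcessId, ParentProcessId, Name, ExecutablePath and CommandLine properties of Get-CimInstance Win32_Process. The expectation that every legitimate svchost.exe runs from System32, is started by services.exe and carries a -k group is an assumption of the example, marked in a comment.

```python
# Constructed sample inventory (not real host data): services.exe, one genuine
# svchost.exe, explorer.exe, and two svchost.exe records a hunt should flag.
SAMPLE_PROCESSES = [
    {"pid": 700, "ppid": 500, "name": "services.exe",
     "path": r"C:\Windows\System32\services.exe",
     "cmd": r"C:\Windows\System32\services.exe"},
    {"pid": 904, "ppid": 700, "name": "svchost.exe",
     "path": r"C:\Windows\System32\svchost.exe",
     "cmd": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"pid": 4120, "ppid": 1, "name": "explorer.exe",
     "path": r"C:\Windows\explorer.exe",
     "cmd": r"C:\Windows\explorer.exe"},
    # parent is explorer.exe and there is no -k service group
    {"pid": 1320, "ppid": 4120, "name": "svchost.exe",
     "path": r"C:\Windows\System32\svchost.exe",
     "cmd": r"C:\Windows\System32\svchost.exe"},
    # image path outside System32
    {"pid": 2200, "ppid": 700, "name": "svchost.exe",
     "path": r"C:\Users\Public\svchost.exe",
     "cmd": r"C:\Users\Public\svchost.exe -k netsvcs"},
]

# Assumption of this example: a genuine service host runs from System32,
# is started by services.exe, and carries a "-k <group>" argument.
EXPECTED_IMAGE = r"c:\windows\system32\svchost.exe"
EXPECTED_PARENT = "services.exe"


def audit_svchost(processes):
    """Return a list of (pid, [reasons]) for svchost.exe records that break
    the expectations above. Records with no findings are not returned."""
    by_pid = {p["pid"]: p for p in processes}
    findings = []
    for p in processes:
        if p["name"].lower() != "svchost.exe":
            continue
        reasons = []
        if p["path"].lower() != EXPECTED_IMAGE:
            reasons.append(f"image path is {p['path']}")
        parent = by_pid.get(p["ppid"])
        parent_name = parent["name"].lower() if parent else "unknown"
        if parent_name != EXPECTED_PARENT:
            reasons.append(f"parent pid {p['ppid']} is {parent_name}, not {EXPECTED_PARENT}")
        # split() rather than shlex: Windows paths contain backslashes
        if "-k" not in p["cmd"].lower().split():
            reasons.append("no -k service-group argument")
        if reasons:
            findings.append((p["pid"], reasons))
    return findings


if __name__ == "__main__":
    for pid, reasons in audit_svchost(SAMPLE_PROCESSES):
        print(f"pid {pid}: " + "; ".join(reasons))
```

The parent lookup is done by pid from the same snapshot, so a parent that has already exited shows up as "unknown" and is flagged; on a busy host that produces occasional noise, which is acceptable for a hunt but should be de-duplicated before alerting.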

[Fire Angel header image by Franciscogcj]

FORTIFIED


You know, I've been reading about these Vault 7 releases over the last few months and most of the time I don't even comment because I feel something like a cross between astonishment and horror. Astonishment and horror that these programs and systems actually exist - and it just leaves me speechless.
I just don't want to live in this kind of world.

I know exactly what you mean. I've read every single one of the Vault 7 documents cover to cover and each one has had me in amazement/shock. There are quite a few tools out there that will allow you to protect yourself against these kinds of things.

I think the worst is still to come. These documents have shown us how the CIA spy on people but they have yet to reveal who they have been used on. I think this will be the greatest shock.

thanks for reading.
@fortified

Nothing that the 'security state' scumbags do surprises me anymore. The age of the documents suggests they are now even more technically advanced than we could know. F*ck em I say!
Great post dude, thanks for the info.

I think the greatest shock will be who these CIA tools have actually been used on.

Thanks for your support.
@fortified

Thanks for the update.. a little bit too technical for me but I got through it.

Thanks. Yes it is quite technical but I read through it all and tried to lay it out in the simplest way possible.

Thanks again
@fortified
Thanks for the in depth post. I guess I should look into a new operating system.