Vault 7's Grasshopper components table
I decided to build this table to more accessibly describe the many tools available in Grasshopper. When listed separately it can seem like a lot, but in reality almost all of these tools have only slight variations, as they are meant to work in tandem with one another. Perhaps the most unique and notable among these would be Stolen Goods v2.1, which is obviously the most refined and sophisticated, in addition to its history of being stolen from Russia.
Above is my own creative spin on the Grasshopper framework logo in light of recent developments.
Mobile readers may prefer the Reddit version of the table.
Component Name | Version | Persistence method/exploit | Payload types | Privilege level | Footprints |
---|---|---|---|---|---|
Bermuda | 1.0 | Windows Task Scheduler | EXE, DLL, GH1 | SYSTEM | Payload executable, payload directory, Task Manager process and task in Task Scheduler and hidden task file |
Buffalo and Bamboo | 1.0 | netsvcs service host | EXE, DLL, GH1 | SYSTEM | Payload executable, payload directory, Microsoft Management Console service, a new registry key and modifies a registry key |
Crab | 1.0 | modifies Windows Service registry | EXE, DLL, GH1 | SYSTEM | Payload executable, payload directory, Microsoft Management Console service, a new registry key and modifies a registry key |
NetMan | 1.0 | Windows Network Connections Manager Service | EXE, DLL, GH1 | SYSTEM | Payload executable, payload directory, Task Manager process and new registry key |
ScheduledTask | 1.1 | Windows Task Scheduler 1.0 COM interface | EXE, DLL, GH1 | SYSTEM | Payload executable, payload directory, Task stub executable, Task stub directory, and Scheduled Task XML |
Scrub | 1.0 | Windows registry | EXE, DLL, GH1 | USER | Payload executable, payload directory, Task Manager process and new registry key |
ServiceDLL | 1.3 | Windows Services | EXE, DLL, GH1 | SYSTEM | Service stub executable, Service stub directory, Payload executable, payload directory, Unhijack executable, Unhijack directory and creates and modifies multiple registry keys |
ServiceProxy | 1.1 | Existing Windows Service DLL files | EXE, DLL, GH1 | SYSTEM | Service stub executable, Service stub directory, payload executable, payload directory, creates a registry key and modifies multiple registry keys |
Stolen Goods | 2.1 | Windows boot sequence and Windows Drivers | DLL and Windows Driver (.sys) | SYSTEM | One encrypted file on the target's partitioned disk space, as well as registry keys if it is using a driver payload |
Wheat | 1.0 | Windows Drivers | Windows Driver (.sys) | SYSTEM | Payload executable, payload directory and creates a registry key |
WUPS | 1.0 | Windows Update Service | DLL and EXE | SYSTEM | Payload executable, payload directory, Task manager process, creates a registry key and creates a non-critical error log entry in the Windows Update log |
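Most of the footprints in the table fall into three classes a defender can enumerate directly: a ServiceDll loaded by svchost (ServiceDLL, ServiceProxy, Buffalo/Bamboo, WUPS), a scheduled task, possibly hidden, that launches the payload (Bermuda, ScheduledTask), and a kernel driver service (Wheat, and Stolen Goods when it uses a driver payload). The script below is an added example, not code from the Vault 7 documents or from the original post; it hunts for those three classes. The "not a validly signed file under System32" heuristic, the path normalisation rules, and the `Source` labels are assumptions made for this example, not something the Grasshopper documents specify.

```powershell
# Added hunting script (example only, not from the Vault 7 material or the post).
# Read-only. Run from an elevated Windows PowerShell 5.1 session so every service
# and task is visible. Heuristic: a persistence binary that is not a validly
# signed file under System32/SysWOW64 is worth a second look (assumption).

function Test-SuspiciousBinary {
    param([Parameter(Mandatory)][string]$RawPath)
    # ImagePath/ServiceDll/task values carry %SystemRoot%, \SystemRoot, \??\,
    # quotes and arguments; reduce them to one file path before checking.
    $p = [Environment]::ExpandEnvironmentVariables($RawPath).Trim('"')
    $p = $p -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -match '^(?<file>.+?\.(exe|dll|sys))\b') { $p = $Matches.file }
    if ($p -notmatch '\\') {                              # bare name, e.g. cmd.exe
        $resolved = (Get-Command $p -ErrorAction SilentlyContinue).Source
        if ($resolved) { $p = $resolved }
    } elseif ($p -notmatch '^[A-Za-z]:\\') {               # relative driver path
        $p = Join-Path $env:SystemRoot $p
    }
    $sig = Get-AuthenticodeSignature -FilePath $p -ErrorAction SilentlyContinue
    $trustedDir = ($p -like "$env:SystemRoot\System32\*") -or
                  ($p -like "$env:SystemRoot\SysWOW64\*")
    [pscustomobject]@{
        Path       = $p
        Exists     = Test-Path -LiteralPath $p
        SigStatus  = if ($sig) { $sig.Status } else { 'NotFound' }
        Signer     = $sig.SignerCertificate.Subject
        Suspicious = (-not $trustedDir) -or (-not $sig) -or ($sig.Status -ne 'Valid')
    }
}

function Get-ServiceDllFindings {
    # ServiceDLL, ServiceProxy, Buffalo/Bamboo and WUPS all end with a DLL named in
    # HKLM\SYSTEM\CurrentControlSet\Services\<svc>\Parameters\ServiceDll, which
    # svchost loads as SYSTEM.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($svc in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $params = Join-Path $svc.PSPath 'Parameters'
        $dll = (Get-ItemProperty -Path $params -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) { continue }
        $r = Test-SuspiciousBinary $dll
        if ($r.Suspicious) {
            $r | Add-Member -NotePropertyName Source -NotePropertyValue "ServiceDll:$($svc.PSChildName)" -PassThru
        }
    }
}

function Get-ScheduledTaskFindings {
    # Bermuda and ScheduledTask register a task (Bermuda's task file is hidden)
    # whose action runs the payload. Flag hidden tasks and suspicious action binaries.
    foreach ($t in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($a in $t.Actions) {
            if (-not $a.Execute) { continue }        # COM-handler actions have no Execute
            $r = Test-SuspiciousBinary $a.Execute
            if ($r.Suspicious -or $t.Settings.Hidden) {
                $label = "Task:$($t.TaskPath)$($t.TaskName) hidden=$($t.Settings.Hidden)"
                $r | Add-Member -NotePropertyName Source -NotePropertyValue $label -PassThru
            }
        }
    }
}

function Get-DriverFindings {
    # Wheat installs a driver payload; Stolen Goods can use one too. Both appear as
    # a kernel driver service whose image should be a signed file under System32.
    foreach ($d in Get-CimInstance -ClassName Win32_SystemDriver) {
        if (-not $d.PathName) { continue }
        $r = Test-SuspiciousBinary $d.PathName
        if ($r.Suspicious) {
            $r | Add-Member -NotePropertyName Source -NotePropertyValue "Driver:$($d.Name) state=$($d.State)" -PassThru
        }
    }
}

@(Get-ServiceDllFindings) + @(Get-ScheduledTaskFindings) + @(Get-DriverFindings) |
    Sort-Object Source |
    Format-Table Source, Path, Exists, SigStatus, Signer -AutoSize
```

Expect noise on a clean box: third-party drivers and vendor services live outside System32, and on systems older than WMF 5.1 catalog-signed Windows files report `NotSigned`, so diff the output against a known-good baseline rather than treating every row as a hit. Note what this does not cover: Stolen Goods' primary footprint is a single encrypted file on disk plus the boot sequence, and Scrub and NetMan live in registry run-style keys the table does not name, so neither is enumerated here.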
There's never been a better time to learn Linux, folks!
That or get familiar with Tails. While nothing is entirely perfect, these systems have a lot more security advantages than your standard Windows or Mac OSX distro.
Tails is Linux
True, didn't realize it was a Debian distro. Thought it was something more like Risc. You pretty much can't beat the mighty penguin.