According to WikiLeaks’ Year Zero release, the CIA can hide its own fingerprints from its hacking exploits and attribute blame to other countries such as Russia and China.
Blackbird Technologies was a cyber security and surveillance company that supplied equipment for covert “tagging, tracking and locating” and counted US Special Operations Command as one of its biggest customers.
The documents included are assessments of malware, partly based on public documents from security researchers and private companies. Blackbird recommended whether the CIA should use the malware to develop its own projects.
NfLog – Remote Access Tool by Samurai Panda
A September 2015 report on a new variant of the NfLog Remote Access Tool (RAT), a tool that gives an intruder administrative control over a target, titled “IsSpace used by SAMURAI PANDA”, details how the malware credited to the Chinese hacking group Samurai Panda targets C2 servers to sniff user credentials.
On systems with a Windows Firewall “it will attempt to enumerate the basic authorization username and password used for most proxy authentications using HTTP.”
If NfLog sees a user has administrative privileges, it will attempt to give itself increased permissions.
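The credential-sniffing behaviour described above works because HTTP Basic proxy authentication only base64-encodes `user:password`; anything on the host that can read the outgoing request can recover the password. The following is an added example (not code from the Blackbird report or from WikiLeaks) that a defender could run over captured proxy requests to find which accounts still authenticate that way. The request samples are constructed for the example; only the scheme and user name are reported, never the password.

```python
import base64
import re

# Constructed sample requests, as a proxy would see them on the wire.
# Hosts, users and passwords are made up for this example.
SAMPLE_REQUESTS = [
    b"GET http://intranet.example.test/ HTTP/1.1\r\n"
    b"Host: intranet.example.test\r\n"
    b"Proxy-Authorization: Basic " + base64.b64encode(b"jdoe:Winter2015!") + b"\r\n\r\n",
    b"GET http://intranet.example.test/ HTTP/1.1\r\n"
    b"Host: intranet.example.test\r\n"
    b"Proxy-Authorization: Negotiate YIIBconstructedtoken\r\n\r\n",
    b"CONNECT mail.example.test:443 HTTP/1.1\r\n"
    b"Host: mail.example.test:443\r\n\r\n",
]

# One Proxy-Authorization header per request; scheme token followed by credentials.
PROXY_AUTH = re.compile(rb"^Proxy-Authorization:\s*(\S+)\s+(\S+)\s*$", re.I | re.M)


def classify_proxy_auth(raw_request: bytes):
    """Return (scheme, user) for the request's proxy authentication.

    scheme is None when no Proxy-Authorization header is present.
    user is filled in only for Basic, where base64 decoding exposes it; the
    password half is deliberately discarded so the audit never prints it.
    """
    m = PROXY_AUTH.search(raw_request)
    if m is None:
        return (None, None)
    scheme = m.group(1).decode("ascii", "replace").lower()
    if scheme != "basic":
        return (scheme, None)
    try:
        decoded = base64.b64decode(m.group(2), validate=True)
    except ValueError:
        return (scheme, None)  # malformed token; still Basic, but not decodable
    user, sep, _password = decoded.partition(b":")
    if not sep:
        return (scheme, None)
    return (scheme, user.decode("utf-8", "replace"))


def exposed_basic_users(requests):
    """List (request_index, user) pairs whose proxy password is recoverable."""
    findings = []
    for i, req in enumerate(requests):
        scheme, user = classify_proxy_auth(req)
        if scheme == "basic" and user is not None:
            findings.append((i, user))
    return findings


if __name__ == "__main__":
    for idx, user in exposed_basic_users(SAMPLE_REQUESTS):
        print(f"request {idx}: account {user!r} authenticates to the proxy with Basic")
```

Accounts surfaced by `exposed_basic_users` are the ones a host-resident RAT can harvest by reading requests; the mitigation is to move proxy authentication to Negotiate/Kerberos or to carry Basic only inside TLS, and to treat any flagged credential as already exposed.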
HTTPBrowser by Emissary Panda
Another September 2015 document details a new variant of the HTTPBrowser Remote Access Tool used by Emissary Panda, thought to be another Chinese hacking group.
The RAT is deployed through an “unknown initial attack vector,” the document reads. It contains a self-extracting zip file which includes three files used to deploy the malware.
It captures keystrokes and writes them to a file. The document describes the RAT’s use of clear text as an indication of its “low level of sophistication” and says there are no new techniques worthy of a PoC.
Regin – Stealthy Surveillance
Regin is described as being a “very sophisticated malware sample” which has been observed in operation since 2013, but the September 2015 document adds it may have been in use since 2008. The complex malware has been linked to GCHQ and NSA.
The “target surveillance and data collection” malware has six stages of implementation.
The report’s author appears impressed by Regin, commending its “striking” modular architecture, its “flexibility” and its stealthiness.
The report notes that it doesn’t contain details on how aspects of Regin are implemented. “We assume bad actors have valid certs [for driver signing] but it’s not clear from the report,” it says.
Regin was discovered by Symantec, which described it as a trojan data collection tool that can take “screenshots and [take] control of the mouse’s point-and-click functions, steal passwords, monitor network traffic,” and scan for deleted files.
Symantec found it was likely created by a nation state.
HammerToss – Stealthy Tactics by Russians
A September 2015 report details HammerToss, a “suspected Russian State-sponsored malware” which leverages Twitter accounts, GitHub and cloud storage to “orchestrate command and control functions.”
HammerToss uses an algorithm to generate a Twitter account name each day. When the attacker creates that account, they post a URL and a hashtag, which direct the malware to a GitHub-hosted image; the malware downloads the image, which contains its commands.
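The page says the downloaded image “contains commands” but not how they are carried. One common way to hide a payload in an image is to append bytes after the PNG IEND chunk, since viewers ignore everything past it; that is an assumption for this example, not a detail from the document. Below is an added defensive check (not code from the report, WikiLeaks or any vendor) that parses PNG chunks, verifies their CRCs and reports any trailing bytes, so image files fetched from untrusted code-hosting URLs can be screened. The clean and stuffed images are constructed inline.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_minimal_png() -> bytes:
    """Constructed 1x1 RGB PNG used as the clean sample for this example."""
    # IHDR: width, height, bit depth 8, colour type 2 (RGB), compression 0,
    # filter 0, interlace 0.
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    # One scanline: filter byte 0 followed by one black RGB pixel.
    idat = zlib.compress(b"\x00\x00\x00\x00")
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def inspect_png(blob: bytes) -> dict:
    """Walk the chunk list up to IEND.

    Returns the chunk types seen, chunk types whose CRC does not match their
    contents, and the number of bytes found after IEND. A valid, untampered
    PNG has no bad CRCs and zero trailing bytes.
    """
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    chunks, bad_crc, end = [], [], None
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        crc_bytes = blob[pos + 8 + length:pos + 12 + length]
        if len(data) < length or len(crc_bytes) < 4:
            raise ValueError("truncated chunk")
        (crc,) = struct.unpack(">I", crc_bytes)
        name = ctype.decode("latin-1")
        chunks.append(name)
        if (zlib.crc32(ctype + data) & 0xFFFFFFFF) != crc:
            bad_crc.append(name)
        pos += 12 + length
        if ctype == b"IEND":
            end = pos
            break
    if end is None:
        raise ValueError("no IEND chunk")
    return {"chunks": chunks, "bad_crc": bad_crc, "trailing_bytes": len(blob) - end}


def looks_like_carrier(blob: bytes) -> bool:
    """True when the image has data past IEND or a chunk whose CRC was altered."""
    info = inspect_png(blob)
    return info["trailing_bytes"] > 0 or bool(info["bad_crc"])


# Constructed samples: a clean image and the same image with a placeholder
# blob appended where a real carrier would hold its hidden content.
CLEAN_PNG = build_minimal_png()
APPENDED_BLOB = b"<constructed placeholder for appended content>"
STUFFED_PNG = CLEAN_PNG + APPENDED_BLOB

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_PNG), ("stuffed", STUFFED_PNG)):
        print(label, inspect_png(blob), "flag" if looks_like_carrier(blob) else "ok")
```

The check is deliberately structural rather than signature-based: it does not need to know what the appended content is, only that a well-formed PNG should end exactly at IEND. Images that fail it are worth quarantining for analysis alongside the host that fetched them.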
Gamker is described as an information stealing Trojan which steals information using simple decryption and injects itself into a different process.
Trojan malware is often disguised as regular software. Its self-code injection ensures nothing is written to disk. The report doesn’t say who is suspected of creating Gamker.