WikiLeaks has published a new batch of the ongoing Vault 7 leak, this time detailing an alleged CIA project that allowed the agency to turn Windows file servers into covert attack machines that can silently infect other computers of interest inside a targeted network.
Codenamed Pandemic, the tool is a persistent implant for Microsoft Windows machines that share files with remote users on a local network.
The documents leaked by the whistleblower organisation date from April 2014 to January 2015.
“Pandemic is a tool which is run as kernel shellcode to install a file system filter driver,” a leaked CIA manual reads. “The filter will ‘replace’ a target file with the given payload file when a remote user accesses the file via SMB (read-only, not write).”
‘Pandemic’ Turns File Servers into ‘Patient Zero’
Once compromised, the infected Windows file server acts as a “Patient Zero” – the first identified carrier of any communicable disease during an outbreak – which is then used to deliver infections on machines inside the network.
Now, whenever any targeted computer attempts to access a file on the compromised server, Pandemic intercepts the SMB request and secretly delivers a malicious version of the requested file, which is then executed by the targeted computer.
According to the user manual, Pandemic takes only 15 seconds to be installed on a target machine and can replace up to 20 legitimate files (both 32-bit and 64-bit files) at a time with a maximum file size of 800MB.
Since the tool has been specifically designed to infect corporate file sharing servers and turns them into a secret carrier for delivering malware to other persons on the target network, it has been named Pandemic.
“When you examine the #pandemic @wikileaks dump, ask yourself: Where are the rest of the docs? Compared this dump to any of the others you’ll see that there is far less data than we got with GRASSHOPPER, etc. Do they not have the other files? Seems unlikely,” Williams said.
Last week, WikiLeaks dumped a CIA’s spyware framework, dubbed Athena – which “provides remote beacon and loader capabilities on target computers” – that works against every version of Microsoft’s Windows operating systems, from Windows XP to Windows 10.
The spyware has been designed to take full control over the infected Windows PCs remotely, allowing the CIA to perform all sorts of things on the target system, including deleting data or uploading malicious software and stealing data.
Since March, the whistleblowing group has published 10 batches of “Vault 7” series, which includes the latest and last week leaks, along with the following batches:
- AfterMidnight and Assassin – two apparent CIA malware frameworks for the Microsoft Windows platform that has been designed to monitor and report back actions on the infected remote host computer and execute malicious actions.
- Archimedes – a man-in-the-middle (MitM) attack tool allegedly created by the CIA to target computers inside a Local Area Network (LAN).
- Scribbles – a piece of software allegedly designed to embed ‘web beacons’ into confidential documents, allowing the spying agency to track insiders and whistleblowers.
- Grasshopper – reveal a framework which allowed the agency to easily create custom malware for breaking into Microsoft’s Windows and bypassing antivirus protection.
- Marble – revealed the source code of a secret anti-forensic framework, basically an obfuscator or a packer used by the CIA to hide the actual source of its malware.
- Dark Matter – focused on hacking exploits the agency designed to target iPhones and Macs.
- Weeping Angel – spying tool used by the agency to infiltrate smart TV’s, transforming them into covert microphones.
- Year Zero – dumped CIA hacking exploits for popular hardware and software.