WikiLeaks has published details of a purported CIA operation that turns Windows file servers into covert attack machines that surreptitiously infect computers of interest inside a targeted network.
“Pandemic,” as the implant is codenamed, turns file servers into a secret carrier of whatever malware CIA operatives want to install, according to documents published Thursday by WikiLeaks. When targeted computers attempt to access a file on the compromised server, Pandemic uses a bait-and-switch tactic to surreptitiously deliver a malicious version of the requested file. The Trojan is then executed by the targeted computers. A user manual said Pandemic takes only 15 seconds to install. The documents didn’t describe precisely how Pandemic would get installed on a file server.
In a note accompanying Thursday’s release, WikiLeaks officials wrote:
“On June 1st, 2017, WikiLeaks publishes documents from the “Pandemic” project of the CIA, a persistent implant for Microsoft Windows machines that share files (programs) with remote users in a local network. “Pandemic” targets remote users by replacing application code on-the-fly with a Trojaned version if the program is retrieved from the infected machine. To obfuscate its activity, the original file on the file server remains unchanged; it is only modified/replaced while in transit from the pandemic file server before being executed on the computer of the remote user. The implant allows the replacement of up to 20 programs with a maximum size of 800 MB for a selected list of remote users (targets).
As the name suggests, a single computer on a local network with shared drives that is infected with the “Pandemic” implant will act like a “Patient Zero” in the spread of a disease. It will infect remote computers if the user executes programs stored on the pandemic file server. Although not explicitly stated in the documents, it seems technically feasible that remote computers that provide file shares themselves become new pandemic file servers on the local network to reach new targets.”
CIA officials have never confirmed or denied the authenticity of the documents released in the “Vault 7” series, which WikiLeaks claims includes confidential documents it obtained when the CIA “lost control of the majority of its hacking arsenal.” Outside malware experts, however, have said the documents appear to be legitimate. Security company Symantec has also definitively tied malware described in one Vault 7 release to a known hacking operation that has been penetrating governments and private industries around the world for years.
‘Pandemic’ Turns File Servers into ‘Patient Zero’
Once compromised, the infected Windows file server acts as a “Patient Zero” – the first identified carrier of a communicable disease during an outbreak – and is then used to deliver infections to machines inside the network.
Now, whenever a targeted computer attempts to access a file on the compromised server, Pandemic intercepts the SMB request and secretly delivers a malicious version of the requested file, which is then executed by the targeted computer. The copy stored on the server’s disk is left untouched; only the bytes sent over the wire are swapped.
According to the user manual, Pandemic takes only 15 seconds to install on a target machine and can replace up to 20 legitimate files (both 32-bit and 64-bit) at a time, with a maximum file size of 800MB.
Because the tool has been specifically designed to infect corporate file-sharing servers and turn them into a secret carrier for delivering malware to other users on the target network, it has been named Pandemic.
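The defining property of the technique described above is that the file on the server’s disk stays clean while the copy a client receives over SMB is swapped. That gap is also the detection opportunity: a hash manifest generated on the server from local disk, compared against the bytes a client actually received, will flag the substitution even though a server-side file-integrity scan would not. The following is an added illustration written for this article, not code from the leaked documents or from any product; the share layout, file names and file contents are constructed stand-ins, and `build_manifest`, `verify_retrieved` and `demo` are hypothetical helper names.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed sample contents (not real binaries): a stand-in for the clean
# program stored on the file server, and for a Trojaned copy that a client
# would receive if the bytes were replaced while in transit.
CLEAN_PROGRAM = b"MZ" + b"\x00" * 62 + b"clean-updater-v1"
TROJANED_PROGRAM = b"MZ" + b"\x00" * 62 + b"trojaned-updater-v1"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(share_root: Path) -> dict[str, str]:
    """Hash every file under the share, read from the server's own local disk
    (not through the SMB path), keyed by share-relative POSIX path.

    Because Pandemic leaves the on-disk file unchanged, this manifest is the
    trustworthy reference even on a compromised server.
    """
    manifest: dict[str, str] = {}
    for path in sorted(share_root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(share_root).as_posix()
            manifest[rel] = sha256_hex(path.read_bytes())
    return manifest


def verify_retrieved(manifest: dict[str, str], rel_path: str, received: bytes) -> dict:
    """Compare the bytes a client actually received against the server-side
    manifest. A mismatch means the file was altered somewhere between the
    server's disk and the client, which is exactly the in-transit swap."""
    expected = manifest.get(rel_path)
    actual = sha256_hex(received)
    if expected is None:
        status = "unknown-file"      # not in the manifest; cannot vouch for it
    elif actual == expected:
        status = "ok"                # bytes received match what is on disk
    else:
        status = "MISMATCH"          # swapped in transit: do not execute
    return {"path": rel_path, "status": status, "expected": expected, "actual": actual}


def demo() -> tuple[dict, dict, dict]:
    """Populate a temporary 'share', build the manifest, then check one clean
    retrieval, one swapped retrieval, and one file absent from the manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "tools").mkdir()
        (root / "tools" / "updater.exe").write_bytes(CLEAN_PROGRAM)
        manifest = build_manifest(root)

        clean = verify_retrieved(manifest, "tools/updater.exe", CLEAN_PROGRAM)
        # Simulated in-transit replacement: disk still holds CLEAN_PROGRAM,
        # but the client was handed TROJANED_PROGRAM.
        swapped = verify_retrieved(manifest, "tools/updater.exe", TROJANED_PROGRAM)
        unknown = verify_retrieved(manifest, "tools/other.exe", CLEAN_PROGRAM)
    return clean, swapped, unknown


if __name__ == "__main__":
    for result in demo():
        print(f"{result['path']}: {result['status']}")
```

In practice the manifest would be generated by a process running on the server against its local disk and distributed to clients out of band (or signed), and clients would verify before executing anything fetched from the share; the mismatch case above is the signal to investigate the server, since the on-disk copy will look clean.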
Since March, the whistleblowing group has published 10 batches in the “Vault 7” series, including this week’s and last week’s leaks, along with the following:
- AfterMidnight and Assassin – two apparent CIA malware frameworks for the Microsoft Windows platform that have been designed to monitor and report back actions on the infected remote host computer and execute malicious actions.
- Archimedes – a man-in-the-middle (MitM) attack tool allegedly created by the CIA to target computers inside a Local Area Network (LAN).
- Scribbles – a piece of software allegedly designed to embed ‘web beacons’ into confidential documents, allowing the spying agency to track insiders and whistleblowers.
- Grasshopper – revealed a framework which allowed the agency to easily create custom malware for breaking into Microsoft’s Windows and bypassing antivirus protection.
- Marble – revealed the source code of a secret anti-forensic framework, basically an obfuscator or a packer used by the CIA to hide the actual source of its malware.
- Dark Matter – focused on hacking exploits the agency designed to target iPhones and Macs.
- Weeping Angel – a spying tool used by the agency to infiltrate smart TVs, transforming them into covert microphones.
- Year Zero – dumped CIA hacking exploits for popular hardware and software.
Last week, WikiLeaks dumped a CIA spyware framework, dubbed Athena – which “provides remote beacon and loader capabilities on target computers” – that works against every version of Microsoft’s Windows operating system, from Windows XP to Windows 10. Like previous Vault 7 releases, this leak is a critical blow to US intelligence interests, but it’s nowhere near as grave as the Shadow Brokers leaks.