After WannaCry: two more CIA Windows malware, AfterMidnight & Assassin

While the whole world is trying to deal with the threat of the devastating WannaCry ransomware, WikiLeaks has released a new batch of CIA leaks in Vault 7. This time it describes two more CIA malware families for the Microsoft Windows platform.

They are called AfterMidnight and Assassin. Both are designed for monitoring and reporting actions from the victim's computer to a remote server apparently controlled by the CIA.

Since March, WikiLeaks has published hundreds of thousands of documents and secret hacking tools that it claims come from the US Central Intelligence Agency (CIA).

This latest batch is the 8th release in the Vault 7 series.

AfterMidnight

According to WikiLeaks, AfterMidnight allows its operators to dynamically load and execute malicious payloads on the target system.

The master controller of the malicious payload is a disguised DLL (Dynamic Link Library) file that executes "Gremlins": small payloads that stay hidden on the target machine, undermine the functionality of targeted software, or provide services to other Gremlins.

Once AfterMidnight is installed, it uses an HTTPS-based Listening Post (LP) system called Octopus to check for any scheduled events. If one is found, the malware downloads and stores all necessary data before loading the new Gremlins into memory.

According to the user guide included in the latest WikiLeaks leak, the local storage used by AfterMidnight is encrypted with a key that is not stored on the target machine.

A special payload called AlphaGremlin contains a custom script that allows operators to schedule custom tasks to run on the target system.

Assassin

Assassin is similar to AfterMidnight and is described as "an automated implant that provides a simple collection platform on remote computers running the Microsoft Windows operating system."

Once installed on the victim's computer, the tool places malicious "implants" inside a Windows service, allowing operators to perform malicious tasks on the infected machine, just as with AfterMidnight.

Assassin consists of four subsystems: Implant, Builder, Command and Control, and Listening Post.

The 'Implant' provides the core logic and functionality of the tool on the victim's machine and is responsible for communications and any task execution. It is configured using the 'Builder' and deployed on the target computer via a specific carrier.

The 'Builder' sets up the Implant and the 'Deployment Executables' before deployment and "provides a custom command-line interface for setting up the implant configuration before building it," says the tool's guide.

The 'Command and Control' subsystem acts as an interface between the operator and the Listening Post (LP), while the LP allows the Assassin Implant to communicate with the Command and Control subsystem through a web server.

Recall that last week WikiLeaks released a man-in-the-middle (MitM) attack tool called Archimedes, allegedly created by the CIA to target computers within a local area network (LAN).

_____________________________________

This practice of US intelligence services knowing about weaknesses and not disclosing them to the software vendors is also the cause of the spread of the WannaCry ransomware. The SMB flaw discovered by the NSA was never disclosed to those who should have known about it until the Shadow Brokers leaked it one month ago.

It should be mentioned here that Microsoft, through Brad Smith, condemned this practice of the American intelligence agencies, saying that the "broad damage" caused by WannaCry happened because of the NSA, CIA and other intelligence agencies.

Since March, WikiLeaks has made 8 publications in the "Vault 7" series, which include the following major leaks:

"Year Zero": CIA exploits targeting popular hardware and software.
"Weeping Angel": The spying tool the agency uses to penetrate smart TVs, turning them into disguised microphones.
"Dark Matter": Exploits targeting iPhones and Macs.
"Marble": The source code of a secret anti-forensic framework. It is essentially an obfuscator that the CIA uses to hide the real source of its malware.
"Grasshopper": A framework that allows the agency to easily create custom malware to compromise Microsoft Windows and bypass antivirus protection.


Written by giorgos
