WikiLeaks' latest Vault7 release details a multi-module piece of malware designed to spy on Windows XP and Windows 7 machines.
Dubbed Angelfire, the malware is comprised of five components, including Solartime, Wolfcreek, Keystone, BadMFS, and the Windows Transitory File system.
According to the Angelfire user guide, Solartime modifies the partition boot sector to load the CIA’s kernel code which tweaks the Windows boot process so that CIA implant device drivers can load at the same time legitimate device drivers are loaded.
Wolfcreek is the kernel code that Solartime executes and is responsible for loading other Angelfire drivers and applications.
The Keystone component launches other Angelfire applications and is designed to leave minimal forensic evidence since Keystone implant code are loaded directly into memory and never touch the file system. The intent here was to ensure that processes created by Angelfire applications don’t look out of the ordinary.
“Currently all processes will be created as svchost. When viewed in task manager (or another process viewing tool) all properties of the process will be consistent with a real instance of svchost.exe including image path and parent process,” the user guide states.
However, WikiLeaks notes these processes can be viewed in Windows task manager if the OS is installed on another partition or in a different path.
BadMFS is a covert file system tacked on to the end of an active partition, which stores the drives and implants that Wolfcreek starts. The files are encrypted and obfuscated to avoid portable executable (PE) header scanners that malware researchers use to probe malicious binaries in Windows Portable Executable format.
Angelfire’s compatibility narrowed over time. The user manual dated 9 November 2011 for the first version of Angelfire says it is compatible with 32-bit Windows XP, Server 2003, Vista, Server 2008, Server 2008 R2, and Windows 7; and 64-bit Windows Vista, Server 2008, Server 2008 R2, Windows 7.
A user manual for Angelfire v2.0 says it is compatible with 32-bit Windows XP and Windows 7 with the latest service pack as well as 64-bit Windows Server 2008 R2, and Windows 7.
The manuals also note a number of known issues while another document titled “Wolfcreek Docs — Notes” includes a CIA wishlist for new features in BadMFS, including requests to “make it more institutive to use”, adding a compression option to files, and “nice to have” features like automatically adding the time and date a file was created or modified.
Angelfire is the fourth CIA tool WikiLeaks has released details about in August and the twenty-second project it revealed since announcing Vault 7 in March.