Home > Cyber News > CIA Spies on Mac OS X and Linux via Achilles, SeaPea and Aeris Tools

CIA Spies on Mac OS X and Linux via Achilles, SeaPea and Aeris Tools

CIA Spying on Users image

Wikileaks revealed 3 more spyware documents originating from the CIA Vault 7 leaks. The release is part of a project called “Imperial” that includes three advanced hacking tool used to spy on users worldwide. They are called Achilles, SeaPea and Aeris used to infiltrate Mac OS X and Linux systems.

Related Story: CIA HighRise Android Malware – An Effective Spying Tool

CIA Vault 7 Leak Reveals Achilles – Mac OS X Trojan


The CIA operators utilize the Achilles hacking tool to modify legitimate MAC OS X installers. The released documentation shows that the first major version was made in 2011. However actual testing of the software have been done in 2009 with version Mac OS X 10.6 with an earlier build. It consists of a collection of shell scripts executed using the BASH command shell. They give the CIA the ability to modify important variables that lead to one-time arbitrary command execution.

The modified install files are made to look like the original source files. When the victims execute them on their system a notification prompt which asks them to drag the software to the Application directory. After the program is executed for the first time all of the legitimate executable files in order not to raise any suspicion. The malicious code is executed in parallel and the Achilles code is removed after the program has finished. This is done to remove all traces of the malicious injection.

SeaPea Mac OS X Rootkit Developed by CIA Vault 7

SeaPea Mac OS X Rootkit

SeaPea is a specialist Mac OS X rootkit made by the CIA operatives as described in the Vault 7 leak. It is able to both hide itself from detection and launch dangerous commands on the infected machines. It is compatible with Mac OS X versions 10.6 and 10.7 in both their 32 and 64-bit releases. Using the SeaPea spyware the users can conceal the dangerous file and also launch various commands.

To be effectively the CIA operatives need to use a two-stage infection approach:

  1. SeaPea Building — This is a classified python script that creates instances of the SeaPea rootkit. It can be customized to follow a predefined behavior pattern once the infection is initiated.
  2. Attack Initiation — This is the second infection module that is part of the SeaPea Mac OS X rootkit. It is a script that is used to launch the infiltration attacks.

Configuration options include the rootkit startup directory, implant directory, persistence file, scripts list, loader and others. The CIA has made several installation types — fresh install (with a stop-file), update to existing infections and a separate “no delete” option that disallows the installer self-delete feature. If the installer encounters any errors during the infection phase a failure code is generated to the standard output. The SeaPea malware requires root access to successfully infiltrate the systems. Possible errors include: reformatted hard drive, version upgrade, incorrect parameters.

The rootkit follows a set infection routine by first checking for any kernel panics. The engine then determines the exact operating system and kernel version. Depending on the Mac OS X version the appropriate rootkit version is loaded. The loader initiates a self-diagnostic to make sure that all components work correctly. The engine assigns processes to three predefined categories: Normal, Elite (hidden from normal and elite processes, they cannot view their own activity) and Super-Elite (it can view all activities and is hidden from other processes). Process category changes are made using specialized commands.

Related Story: Ovidiy Stealer Is the New Hit Malware Sold for 7 Dollars

Aeris Is an Automated Implant Made by the CIA

Aeris automated implant By The CIA image

This is an automated implant written in the C programming language that works with a wide range of popular operating systems. This includes popular Linux distributions (like Red Hat Enterprise Linux, Debian and Ubuntu), as well as Solaris and FREEBSD. A builder is used to generate the individual strains and it helps the operators to launch Aeris against targets. Its features list include the following capabilities:

  • Standalone and Collide-based HTTPS LP support
  • SMTP protocol support
  • TLS Encrypted communications with mutual authentication (Appendices C and D)
  • Compatibility with the NOD Cryptographic Specification (Appendices C and D)
  • Structured command and control that is similar to that used by several Windows
    implant- (section IV)
  • Automated file exfiltration (section IV)
  • Simple and flexible deployment and installation (section III).

The Aeris implant needs to be deployed manually by the CIA operatives. It can report back to the spying agency via supplied network servers. This is done using a secure connection (employing the HTTPS protocol) as each implant instance has a unique certificate authority.

Further CIA Spyware Tools Expected From Wikileaks

Wikileaks continously post new information about the spying operations instituted by the CIA and other agencies of the United States of America. A large part of the tools have been made several years ago and are probably not being used actively any more. This can mean that the agencies are now using a new generation of tools which are still currently unknown to the general public and the security community. We presume that if such tools exist they are probably an evolved threat to the security of all computer users worldwide.

Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

More Posts

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

This website uses cookies to improve user experience. By using our website you consent to all cookies in accordance with our Privacy Policy.
I Agree