One of biggest scandals of 2017, the one involving WikiLeaks and the CIA, is escalating by the minute. It is now known that one of the teams of the agency specializes in reusing bits of code and techniques taken from… public malware samples.
The team in question is dubbed Umbrage and is part of the Remote Development Branch under the CIA’s Center for Cyber Intelligence. The team maintains a library of techniques taken from real malware used in actual attacks in the wild. This “borrowed knowledge” is applied in a range of CIA projects.
What Kind of Techniques Has Umbrage Borrowed from Real-Life Malware?
The file wiping implementation of the wiper malware Shamoon has been used. As we wrote yesterday, the wiper malware has just returned with a second version, along with a newly discovered piece dubbed StoneDrill.
Related: StoneDrill, Shamoon 2.0: Wiper Malware Getting Better
Shamoon’s first edition was used in a commercial, digitally-signed driver called RawDisk by a company named Eldos. The driver allows apps to overwrite files even if the files are locked by the operating systems. It only needs to be installed on a system.
What the Umbrage team did was analyze how the coders of Shamoon bypassed the license check for the RawDisk driver and applied the same disk wiping technique in their own piece named Rebound. More information is available on the Wikileaks page.
Curiously, it’s deemed possible that an anti-malware program or even a malware researcher could encounter CIA’s Rebound in the wild and actually identify it as a variation of Shamoon!
Besides Shamoon, the CIA’s special team has also been using other techniques and code snippets taken from known malware. The repository obtained by Umbrage could be used for a range of reasons such as data collection, stealth, bypassing AV products, persistence, privilege escalation, etc.
Related: Hacking Team Pitches Anti-Encryption, Galileo Tools to the FBI
Here are several other example: a persistence technique was taken from the HiKit rootkit; two anti-sandboxing techniques were borrowed from Trojan Upclicker and Nuclear Exploit Pack; a webcam capture technique was taken from the DarkComer RAT. Interestingly, other techniques were also taken but the exact pieces of malware they were taken from were not specified in the documents.
The code names for some of the internal projects that used repurposed malware are listed. However, there is almost no information about what they actually could do. There was one exception, however, dubbed Sandshark. It was found in another document as “Listening Post” software, NetworkWorld reports. Nonetheless, it’s not difficult to assume how the borrowed techniques were leveraged as it is somehow inferred by their functionality.
Not surprisingly, Umbrage was also lured by the code leaked from the Hacking Team in 2015.
Related: Speak(a)r Proof-of-Concept Malware Turns Headphones into Spies
Milena Dimitrova
An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
Follow Me: