One of the biggest scandals of 2017, the one involving WikiLeaks and the CIA, is escalating by the minute. It is now known that one of the agency's teams specializes in reusing bits of code and techniques taken from… public malware samples.
The team in question is dubbed Umbrage and is part of the Remote Development Branch under the CIA’s Center for Cyber Intelligence. The team maintains a library of techniques taken from real malware used in actual attacks in the wild. This “borrowed knowledge” is applied in a range of CIA projects.
What Kind of Techniques Has Umbrage Borrowed from Real-Life Malware?
One example is the file-wiping implementation of the wiper malware Shamoon. As we wrote yesterday, the wiper malware has just returned with a second version, along with a newly discovered piece dubbed StoneDrill.
Shamoon's first edition used a commercial, digitally signed driver called RawDisk, made by a company named Eldos. The driver allows applications to overwrite files even when the files are locked by the operating system; it only needs to be installed on the system.
What the Umbrage team did was analyze how Shamoon's authors bypassed the license check for the RawDisk driver, and then apply the same disk-wiping technique in their own piece, named Rebound. More information is available on the WikiLeaks page.
Curiously, it is considered possible that an anti-malware program, or even a malware researcher, could encounter the CIA's Rebound in the wild and identify it as a variation of Shamoon!
Besides Shamoon, the CIA's special team has also been using other techniques and code snippets taken from known malware. The repository assembled by Umbrage could serve a range of purposes, such as data collection, stealth, bypassing AV products, persistence and privilege escalation.
Here are several other examples: a persistence technique was taken from the HiKit rootkit; two anti-sandboxing techniques were borrowed from the Upclicker Trojan and the Nuclear Exploit Pack; and a webcam capture technique was taken from the DarkComet RAT. Interestingly, other techniques were taken as well, but the documents do not specify the exact pieces of malware they came from.
The code names of some internal projects that used repurposed malware are listed, but there is almost no information about what those projects could actually do. The one exception is a project dubbed Sandshark, which another document describes as "Listening Post" software, NetworkWorld reports. Even so, it is not hard to infer how the borrowed techniques were leveraged, since their purpose follows from their functionality.
Not surprisingly, Umbrage also drew on the code leaked from Hacking Team in 2015.