
WikiLeaks Exposes CouchPotato CIA Spying Tool in a New Vault 7 Leak

Yesterday WikiLeaks exposed another utility from the Vault 7 software collection, known as the CouchPotato spying tool. The intelligence agency uses it to spy on Internet video streams, which is a serious privacy invasion.


WikiLeaks Reveals CouchPotato, yet Another CIA Spying Tool

WikiLeaks exposed the latest hacking tool used by the CIA to spy on computer users worldwide. Experts worldwide and journalists call it the CouchPotato spying tool, as that is the name given to it in the leaked user manual. The agency uses it to spy on live network streams across the Internet. The document describes the initial release, version 1.0, and is itself dated 14 February 2014. We speculate that newer versions might have been developed in the meantime.

The manual describes CouchPotato as follows:

(S//NF) CouchPotato is a remote tool for collection against RTSP/H.264 video streams. It
provides the ability to collect either the stream as a video file (AVI) or capture still
images (JPG) of frames from the stream that are of significant change from a previously
captured frame. CouchPotato utilizes ffmpeg for video and image encoding and decoding
as well as RTSP connectivity. In order to minimize size of the DLL binary, many of the
audio and video codecs along with other unnecessary features have been removed from
the version of ffmpeg that CouchPotato is built with. pHash, an image hashing algorithm,
has been incorporated into ffmpeg’s image2 demuxer to provide image change detection
capabilities. CouchPotato relies on being launched in an ICE v3 Fire and Collect
compatible loader.

Technical Details About the CouchPotato CIA Spying Tool

To run the spying tool effectively, a loader component is required. The developers note that the application has been tested using ShellTerm 2.9.2, as it was the only operationally ready ICE v3 loader. This is required to initiate the network streams to the hackers. Additional requirements include Python, a *NIX host, a prepared environment and a target host process.

CouchPotato works according to the following strategy:

  1. Initial Loader Infection ‒ CouchPotato is carried as a payload via a compatible loader application. The described method uses Python scripts that rely on ready-made network infrastructure; the compromised hosts connect to the CIA-controlled servers as part of the early infection.
  2. Process Injection ‒ CouchPotato can be injected into various processes. The leaked manual advises against using any Windows services, as they may cause system stability and performance issues. The CIA operatives use specific strings to configure the hosts. Examples include the video source input, file storage information and output storage.
  3. Optional Settings ‒ The CIA has developed several optional parameters that can be issued at will. They include setting up detailed logging of all events of interest and the choice of format ‒ images or video capture.

Effectively, the CouchPotato CIA spying tool can be used in cases where users are broadcasting their camera over the Internet or are listening to or watching an Internet stream. It is also compatible with the most popular protocols used by media servers and related devices that are usually used by media and Internet service providers.
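Because the manual states that the tool pulls RTSP streams from inside a host process, one defensive check is to watch which hosts start RTSP playback sessions at all. The sketch below is an added example, not taken from the leaked manual or from this article: it parses RTSP requests from a network sensor and reports PLAY requests from hosts outside an allow list. The sensor records, addresses, agent string and allow list are constructed assumptions.

```python
import re

# Constructed sample: (source host, raw request) pairs as a network sensor
# might record them. All addresses, URLs and agent strings are invented.
SAMPLE_REQUESTS = [
    ("10.0.5.20", "DESCRIBE rtsp://10.0.9.40:554/stream1 RTSP/1.0\r\n"
                  "CSeq: 2\r\nUser-Agent: NVR-Recorder/4.1\r\n\r\n"),
    ("10.0.5.20", "PLAY rtsp://10.0.9.40:554/stream1 RTSP/1.0\r\n"
                  "CSeq: 4\r\nSession: 11112222\r\nUser-Agent: NVR-Recorder/4.1\r\n\r\n"),
    ("10.0.7.33", "OPTIONS rtsp://10.0.9.40:554/stream1 RTSP/1.0\r\nCSeq: 1\r\n\r\n"),
    ("10.0.7.33", "PLAY rtsp://10.0.9.40:554/stream1 RTSP/1.0\r\n"
                  "CSeq: 4\r\nSession: 33334444\r\n\r\n"),
    ("10.0.7.33", "GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
]

# Assumption: only the video recorder is expected to pull camera streams.
ALLOWED_CLIENTS = {"10.0.5.20"}

REQUEST_LINE = re.compile(
    r"^(OPTIONS|DESCRIBE|ANNOUNCE|SETUP|PLAY|PAUSE|RECORD|TEARDOWN|"
    r"GET_PARAMETER|SET_PARAMETER) (\S+) RTSP/1\.0$"
)

def parse_rtsp_request(raw):
    """Parse an RTSP/1.0 request head; return None for anything else."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    match = REQUEST_LINE.match(lines[0])
    if match is None:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # header names are case-insensitive
            headers[name.strip().lower()] = value.strip()
    return {"method": match.group(1), "url": match.group(2), "headers": headers}

def find_unexpected_viewers(records, allowed):
    """Return sorted (host, stream URL, user agent) for PLAY from unlisted hosts."""
    findings = set()
    for src, raw in records:
        req = parse_rtsp_request(raw)
        if req is None or req["method"] != "PLAY" or src in allowed:
            continue
        findings.add((src, req["url"], req["headers"].get("user-agent", "(none)")))
    return sorted(findings)

if __name__ == "__main__":
    for finding in find_unexpected_viewers(SAMPLE_REQUESTS, ALLOWED_CLIENTS):
        print("unexpected RTSP viewer:", finding)
```

A hit is only a lead for investigation: legitimate media players on a workstation produce the same requests, so the allow list has to reflect how streams are normally consumed on the network.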


Consequences of the CouchPotato CIA Spying Tool Infections

Computer users with active CouchPotato infections may not sense that they have become victims of the CIA spying tool. While this utility may not seem to have a large impact, most users are probably unaware that they constantly utilize network streams. The application allows the operatives to retrieve the captured traffic in different formats (audio, video, video with audio, images) according to their interest.

Users can protect themselves by employing a state-of-the-art anti-spyware solution. It can effectively guard against all types of computer viruses and related threats and remove active infections with the click of a mouse.



Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.


1 Comment
  1. y6ps

    No matter how many Google searches you make, they know what to keep off. You will only find accessible versions of couch_potato and HammerDrill on a browser that does not have a web limiter like Google.

