WikiLeaks published new documents pertaining to a CIA hacker tool, dubbed Angelfire. The CIA’s Angelfire user guide which WikiLeaks managed to get its hands on shows that Windows XP and Windows 7 are vulnerable to the exploit toolkit but it’s not clear whether or not Windows 10 users are safe from it.
WikiLeaks describes the Angelfire project as follows:
“Angelfire is an implant comprised of five components: Solartime, Wolfcreek, Keystone (previously MagicWand), BadMFS, and the Windows Transitory File System. Like previously published CIA projects (Grasshopper and AfterMidnight) in the Vault7 series, it is a persistent framework that can load an execute custom implants on target computers running the Microsoft Windows operating system.”
Here’s a breakdown of what each component of Angelfire does:
- Solartime: This component modifies the partition boot sector so that when Windows loads boot time device drivers it’ll also load Wolfcreek.
- Wolfcreek: This component is started by Solartime and includes the Keystone software which runs malicious applications. Wolfcreek can load user-mode applications and drivers.
- Keystone: This software starts user applications and never touches the file system (aside from the possibility of paging) and therefore leave hardly any evidence, if any. Keystone starts processes as svchost.exe and, when viewed in the task manager, all of its properties will be consistent with a real instance of svchost.exe including image path (unless Windows is installed in a path or partition) and parent process.
- BadMFS: This is a covert file system created at the end of the active partition that’s used to store all drivers and implants that Wolfcreek will start. The files in this file system are all encrypted and obfuscated to avoid string or PE header scanning.
- Windows Transitory File System: This component is the method of installing Angelfire. The system allows an operator to create transitory files for specific actions including initial installation or adding and removing files from Angelfire.