Angelfire: CIA’s Undetectable Implants Infect Windows Boot Sector


WikiLeaks suffered a cyber attack earlier today, but that did not stop the whistleblowing platform from publishing the latest trove of documents in the CIA’s Vault 7 series. Codenamed Angelfire, the project is a persistent framework of five components built to target unsuspecting users of Windows XP and Windows 7.

According to the leaked documents, the components are Solartime, Wolfcreek, Keystone (previously MagicWand), BadMFS and the Windows Transitory File system.

1: Solartime

Solartime is the component that modifies the partition boot sector of a Windows XP or Windows 7 machine so that, when Windows loads its boot-time device drivers, it also loads and runs the Wolfcreek implant. Wolfcreek is a self-loading driver which in turn loads the other Angelfire drivers and user-mode implants on the targeted system.
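What Solartime's change means for a defender is that the partition boot sector itself becomes evidence. The following is an added example written for this article, not code from the leaked documents: it decodes an NTFS partition boot sector (VBR), applies the structural checks that catch crude tampering, and compares the bootstrap code region against a known-good SHA-256 baseline, which is the only one of these checks that catches a patched bootstrap. The sample sectors, their field values and the patch bytes are constructed for illustration.

```python
"""Added example, not code from the leaked documents: decode an NTFS partition
boot sector (VBR) and flag the changes a boot-sector implant has to make to run
before the OS loader. The sample sectors are constructed for illustration."""
import hashlib
import struct

SECTOR = 512
NTFS_JUMP = b"\xEB\x52\x90"         # jmp short to 0x54, the standard NTFS VBR entry
NTFS_OEM = b"NTFS    "
CODE_START, CODE_END = 0x54, 0x1FE  # bootstrap code region of an NTFS VBR


def parse_vbr(sector: bytes) -> dict:
    """Pull out the NTFS VBR fields that matter for an integrity check."""
    if len(sector) != SECTOR:
        raise ValueError("a VBR is exactly one 512-byte sector")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 0x0B)
    total_sectors, mft_lcn, mftmirr_lcn = struct.unpack_from("<QQQ", sector, 0x28)
    return {
        "jump": sector[0:3],
        "oem_id": sector[3:11],
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "total_sectors": total_sectors,
        "mft_lcn": mft_lcn,
        "mftmirr_lcn": mftmirr_lcn,
        "code_sha256": hashlib.sha256(sector[CODE_START:CODE_END]).hexdigest(),
        "signature": sector[0x1FE:0x200],
    }


def check_vbr(sector: bytes, baseline_code_sha256: str) -> list:
    """Return findings that warrant pulling the sector for manual analysis.
    The structural checks catch crude tampering; only the hash comparison
    against a known-good baseline catches a patched bootstrap."""
    v = parse_vbr(sector)
    findings = []
    if v["signature"] != b"\x55\xAA":
        findings.append("missing 0x55AA boot signature")
    if v["oem_id"] != NTFS_OEM:
        findings.append(f"unexpected OEM ID {v['oem_id']!r}")
    if v["jump"] != NTFS_JUMP:
        findings.append(f"entry jump {v['jump'].hex()} does not target the standard bootstrap at 0x54")
    if v["bytes_per_sector"] != SECTOR:
        findings.append(f"implausible bytes per sector {v['bytes_per_sector']}")
    if v["code_sha256"] != baseline_code_sha256:
        findings.append("bootstrap code differs from the known-good baseline")
    return findings


def build_sample_vbr(tampered: bool = False) -> bytes:
    """Constructed NTFS-shaped VBR. The tampered variant keeps every header
    field intact and only patches the bootstrap code, which is the kind of
    change a hash baseline is needed to detect. The patch bytes are illustrative."""
    s = bytearray(SECTOR)
    s[0:3] = NTFS_JUMP
    s[3:11] = NTFS_OEM
    struct.pack_into("<HB", s, 0x0B, 512, 8)                 # 512-byte sectors, 4 KiB clusters
    struct.pack_into("<QQQ", s, 0x28, 209715200, 786432, 2)  # total sectors, $MFT LCN, $MFTMirr LCN
    s[CODE_START:CODE_END] = bytes((i * 37) & 0xFF for i in range(CODE_END - CODE_START))
    s[0x1FE:0x200] = b"\x55\xAA"
    if tampered:
        # Redirect the start of the bootstrap to a near jump (E9 rel16) padded with NOPs.
        s[CODE_START:CODE_START + 8] = b"\xE9\x00\x01" + b"\x90" * 5
    return bytes(s)


# Baseline from a known-clean sector; in practice take it from a clean image of the same Windows build.
BASELINE_CODE_SHA256 = hashlib.sha256(build_sample_vbr()[CODE_START:CODE_END]).hexdigest()

if __name__ == "__main__":
    for label, sector in (("clean", build_sample_vbr()), ("tampered", build_sample_vbr(tampered=True))):
        print(label, check_vbr(sector, BASELINE_CODE_SHA256) or "no findings")
```

Two caveats apply in practice. The bootstrap code differs between Windows versions and format tools, so the baseline must come from a clean image of the same build rather than a single universal hash. And because Wolfcreek runs as a kernel driver, a sector read from inside a live, possibly infected system can be answered by that driver; read the VBR from an offline image or from boot media instead (on a live Windows host the volume's first sector can be read with administrator rights by opening `\\.\C:` in binary mode, but that is exactly the read a rootkit can filter).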

2: Keystone

Keystone, previously known as MagicWand, is the implant responsible for loading malicious user applications on Windows XP or Windows 7. These applications never touch the file system, leaving “little forensic evidence that the process was ever running,” according to the leaked documents.

3: BadMFS

BadMFS is a library that implements a covert file system in which every implant and driver that Wolfcreek starts is stored. Some versions of BadMFS can be detected on disk, but its contents are protected: “all files are both encrypted and obfuscated to avoid string or PE header scanning.”
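The quoted design choice is easy to see in practice. The following is an added example, not from the leaked documents: a raw scan of a partition's unused tail for PE headers and import strings finds an implant stored in the clear but not the same implant stored encrypted, while a per-chunk byte-entropy check, the fallback a forensic analyst uses when signatures fail, still flags the encrypted store. The partition tail, the PE stub and the SHA-256 counter-mode keystream are constructed stand-ins; the documents quoted here do not describe BadMFS's actual encryption or obfuscation scheme.

```python
"""Added example (not from the leaked documents): why raw PE-header and string
scanning misses an encrypted implant store, and the entropy check a forensic
analyst falls back on. The disk image and the cipher below are constructed."""
import hashlib
import math


def build_pe_stub() -> bytes:
    """Minimal PE-shaped image: 'MZ' header, e_lfanew -> 'PE\\0\\0', plus the kind
    of import string a signature scanner would look for. Constructed."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = (0x80).to_bytes(4, "little")
    body = b"PE\0\0" + bytes(0x100) + b"kernel32.dll\0LoadLibraryA\0"
    return bytes(dos) + body


def scan_pe_headers(blob: bytes) -> list:
    """Offsets of unobfuscated PE images: an 'MZ' whose e_lfanew lands on 'PE\\0\\0'."""
    hits, pos = [], 0
    while (i := blob.find(b"MZ", pos)) != -1:
        pos = i + 1
        if i + 0x40 > len(blob):
            break
        e_lfanew = int.from_bytes(blob[i + 0x3C:i + 0x40], "little")
        if 0x40 <= e_lfanew < 0x1000 and blob[i + e_lfanew:i + e_lfanew + 4] == b"PE\0\0":
            hits.append(i)
    return hits


def scan_strings(blob: bytes, needles) -> dict:
    """First offset of each needle, or -1 when absent (plain string scanning)."""
    return {n: blob.find(n) for n in needles}


def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Stand-in stream cipher: SHA-256 in counter mode XORed over the data.
    Assumption for illustration only; this is not BadMFS's real scheme.
    Symmetric, so the same call decrypts."""
    out = bytearray(len(data))
    for block in range(0, len(data), 32):
        ks = hashlib.sha256(key + block.to_bytes(8, "little")).digest()
        for j, b in enumerate(data[block:block + 32]):
            out[block + j] = b ^ ks[j]
    return bytes(out)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 for uniform data up to 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def high_entropy_chunks(blob: bytes, chunk: int = 4096, threshold: float = 7.0) -> list:
    """Offsets of chunks whose entropy is near the 8-bit maximum: encrypted or
    compressed data, which the unused tail of a partition should not contain."""
    return [off for off in range(0, len(blob), chunk)
            if shannon_entropy(blob[off:off + chunk]) >= threshold]


def build_partition_tail(encrypt: bool) -> bytes:
    """Constructed 'end of active partition': zeroed slack with one 4 KiB store at
    offset 8192 holding the PE stub, either in the clear or run through keystream_xor."""
    store = build_pe_stub().ljust(4096, b"\0")
    if encrypt:
        store = keystream_xor(store, b"constructed-demo-key")
    return bytes(8192) + store + bytes(4096)


if __name__ == "__main__":
    for label, tail in (("clear", build_partition_tail(False)), ("encrypted", build_partition_tail(True))):
        print(label, "PE headers at", scan_pe_headers(tail),
              "| strings", scan_strings(tail, [b"kernel32.dll"]),
              "| high-entropy chunks at", high_entropy_chunks(tail))
```

The entropy check is a heuristic, not a signature: legitimate compressed or encrypted files produce the same reading, so its value here comes from where the high-entropy data sits (in space the file system does not account for) rather than from the entropy alone.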

4: Windows Transitory File system

The Windows Transitory File system is a newer way of installing Angelfire. Rather than laying independent components on disk, an operator creates transitory files for specific actions, such as installing the framework or adding files to and removing files from the implant.

The leaked documents date back to 2011.

Previously leaked Vault 7 documents

BothanSpy and Gyrfalcon: Steal SSH credentials from Linux and Windows devices
OutlawCountry and Elsa: Malware targeting Linux devices and tracking user geolocation
Brutal Kangaroo: CIA hacking tools for air-gapped PCs
Cherry Blossom: CherryBlossom and CherryBomb, infecting WiFi routers for years
Pandemic: Malware hacking Windows devices
AfterMidnight and Assassin: CIA remote control and subversion malware for Windows
Dark Matter: CIA hacking tool infiltrating iPhones and MacBooks
Athena: Malware targeting the Windows operating system
Archimedes: A program helping the CIA hack computers inside a Local Area Network
HIVE: CIA implants that transfer exfiltrated information from target machines
Grasshopper: Malware payloads for Microsoft Windows operating systems
Marble: A framework used to hamper antivirus companies from attributing malware
Dark Matter: A CIA project that infects Apple Mac firmware
Highrise: Android malware that spies on SMS messages
Aeris, Achilles, SeaPea: Three malware tools developed by the CIA targeting Linux and macOS
Dumbo Project: CIA project hijacking webcams and microphones on Windows devices
CouchPotato Tool: Remotely collects video streams from Windows devices
ExpressLane implant: CIA collected biometric data from partner agencies
