WikiLeaks has released Vault 7 "Grasshopper", a batch of 27 documents from the CIA's Grasshopper framework. According to the whistleblowing site, the platform is used to build customized malware payloads for Microsoft Windows operating systems.
The Grasshopper framework ships with a set of modules that a CIA operator combines, like building blocks, into a customized implant. The resulting implant behaves differently depending on which features or capabilities are selected when the bundle is built; for example, it may maintain persistence on the target computer in different ways.
Grasshopper also provides a flexible language for defining the rules that drive a pre-installation survey of the target device, so that the payload is only installed if the target has the expected configuration.
With this language an operator can express anything from a simple check to very complex logic for determining conditions on the target device, such as which version of Microsoft Windows is running and which antivirus product is installed.
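To make the idea of a pre-installation survey concrete, here is a small rule evaluator written for this article. It is a hypothetical illustration, not the Grasshopper rule language (the leaked documents describe that language, but this page does not reproduce it), and the rule grammar, host profiles and product names below are constructed for the example. It shows how an operator-supplied rule combining OS version, architecture and installed security products decides whether a host is eligible, and why version strings must be compared numerically rather than as text.

```python
"""Toy pre-installation survey: evaluate targeting rules against host profiles.

Hypothetical example written for this article. It is NOT the CIA's Grasshopper
rule language; the grammar below is an assumption made for illustration, and
the host profiles are constructed sample data.
"""
import operator

# Comparison operators permitted in an "os_version" predicate.
_CMP = {"==": operator.eq, "!=": operator.ne, "<": operator.lt,
        "<=": operator.le, ">": operator.gt, ">=": operator.ge}


def parse_version(v):
    """'6.1.7601' -> (6, 1, 7601).

    Comparing the raw strings would be wrong: "10.0" < "6.1" as text, because
    '1' sorts before '6'. Tuples of ints compare component by component.
    """
    return tuple(int(part) for part in v.split("."))


def evaluate(rule, host):
    """Evaluate one rule (a nested tuple) against a host profile dict.

    Assumed rule forms:
      ("os_version", "<", "6.2")      numeric compare of host["os_version"]
      ("arch", "x64")                 host["arch"] == value
      ("av_present", "Kaspersky")     some installed product name contains value
      ("av_absent", "Kaspersky")      no installed product name contains value
      ("and", r1, r2, ...), ("or", r1, r2, ...), ("not", r1)
    """
    op = rule[0]
    if op == "and":
        return all(evaluate(r, host) for r in rule[1:])
    if op == "or":
        return any(evaluate(r, host) for r in rule[1:])
    if op == "not":
        return not evaluate(rule[1], host)
    if op == "os_version":
        _, cmp, value = rule
        return _CMP[cmp](parse_version(host["os_version"]), parse_version(value))
    if op == "arch":
        return host["arch"] == rule[1]
    if op in ("av_present", "av_absent"):
        needle = rule[1].lower()
        present = any(needle in p.lower() for p in host["security_products"])
        return present if op == "av_present" else not present
    raise ValueError(f"unknown rule operator: {op!r}")


def survey(rule, hosts):
    """Return {hostname: eligible} for every host in the inventory."""
    return {name: evaluate(rule, profile) for name, profile in hosts.items()}


# Constructed sample rule: Windows 7/8.x-era kernels, 64-bit only, and neither
# Kaspersky nor Symantec installed. Product names are illustrative.
SAMPLE_RULE = (
    "and",
    ("os_version", ">=", "6.1"),
    ("os_version", "<", "10.0"),
    ("arch", "x64"),
    ("not", ("or", ("av_present", "Kaspersky"), ("av_present", "Symantec"))),
)

# Constructed sample inventory (not real hosts).
HOSTS = {
    "WS-01": {"os_version": "6.1.7601", "arch": "x64",
              "security_products": ["Microsoft Security Essentials"]},
    "WS-02": {"os_version": "6.1.7601", "arch": "x64",
              "security_products": ["Kaspersky Internet Security"]},
    "WS-03": {"os_version": "10.0.19041", "arch": "x64",
              "security_products": []},
    "WS-04": {"os_version": "6.3.9600", "arch": "x86",
              "security_products": []},
}

if __name__ == "__main__":
    for name, eligible in survey(SAMPLE_RULE, HOSTS).items():
        print(f"{name}: {'install' if eligible else 'skip'}")
```

Only WS-01 satisfies the sample rule: WS-02 runs a product the rule excludes, WS-03 is a Windows 10 build, and WS-04 is 32-bit. The same evaluator is useful on the defensive side: run a suspected targeting profile over your own inventory to see which machines would have been considered eligible.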
The framework also lets tools be installed through a collection of persistence mechanisms and modified through a variety of extensions. The Automated Implant Branch puts special emphasis on evading personal security products, so that products such as MS Security Essentials, Symantec Endpoint or Kaspersky IS on target machines do not detect Grasshopper components.
Among the persistence mechanisms the CIA uses is one called Stolen Goods, whose components were taken from the malware known as Carberp, a suspected Russian organized-crime rootkit whose source code was published online. This confirms that the CIA recycles malware found on the Internet.
The CIA acknowledges that the persistence method and parts of the installer were taken from Carberp and modified to fit the agency's needs, while maintaining that most of the Carberp code was not used in Stolen Goods. Even so, the modification shows that the CIA reuses portions of publicly available malware.
HackingTeam, an Italian company, observed that the leaked documents give insight into how modern espionage tools are built and into how the CIA maintains persistence on infected Microsoft Windows computers. WikiLeaks has also provided guidance for those who want to defend their systems and prevent compromise by intruders.