Documents published by WikiLeaks describe a tool allegedly used by the U.S. Central Intelligence Agency (CIA) to spread malware on a targeted organization’s network.
The tool, named “Pandemic,” installs a file system filter driver designed to replace legitimate files with a malicious payload when they are accessed remotely via the Server Message Block (SMB) protocol. Since the tool has been specifically designed to infect corporate file sharing servers and turns them into a secret carrier for delivering malware to other persons on the target network, it has been named Pandemic.
What makes Pandemic interesting is the fact that it replaces files on-the-fly, instead of actually modifying them on the device the malware is running on. By leaving the legitimate file unchanged, attackers make it more difficult for defenders to identify infected systems.
“Pandemic does NOT//NOT make any physical changes to the targeted file on disk. The targeted file on the system Pandemic is installed on remains unchanged. Users that are targeted by Pandemic, and use SMB to download the targeted file, will receive the ‘replacement’ file,” the tool’s developers said.
Pandemic, which works on both 32-bit and 64-bit Windows systems, is initially installed on machines from which users download or execute files remotely via SMB. According to the documents leaked by WikiLeaks, the tool can replace up to 20 files at a time – each with a maximum size of 800Mb.
Pandemic developers also provide a DLL file that can be used to determine if the tool is installed, and uninstall it. The files published by WikiLeaks contain information that can be useful for checking a system for Pandemic infections. Experts also pointed out that there is an easy way to see if Pandemic is present on a device.
— Giuseppe `N3mes1s` (@gN3mes1s) June 1, 2017
WikiLeaks has been publishing CIA files, which are part of a leak dubbed “Vault 7,” every Friday since March 23, except for last week of June. The tools exposed by the whistleblower organization include ones designed for hacking Samsung smart TVs, MitM tools, a framework used to make malware attribution and analysis more difficult, and a platform for creating custom malware installers.
The fact that WikiLeaks delayed the last dump until the day the Russian government once again denied interfering with U.S. elections has led some members of the infosec community to believe that the leaks may be timed to serve other purposes, not just to expose the CIA’s activities.
— Jake Williams (@MalwareJake) June 1, 2017
Symantec and Kaspersky have found links between the tools exposed by Wikileaks and the malware used by a cyber espionage group tracked as “Longhorn” and “The Lamberts.”
WikiLeaks last dump was a CIA’s spyware framework, dubbed Athena – which “provides remote beacon and loader capabilities on target computers” – that works against every version of Microsoft’s Windows operating systems, from Windows XP to Windows 10.
The spyware has been designed to take full control over the infected Windows PCs remotely, allowing the CIA to perform all sorts of things on the target system, including deleting data or uploading malicious software and stealing data.
Since March, the whistleblowing group has published 10 batches of “Vault 7” series, which includes the latest and last week leaks, along with the following batches:
- AfterMidnight and Assassin – two apparent CIA malware frameworks for the Microsoft Windows platform that has been designed to monitor and report back actions on the infected remote host computer and execute malicious actions.
- Archimedes – a man-in-the-middle (MitM) attack tool allegedly created by the CIA to target computers inside a Local Area Network (LAN).
- Scribbles – a piece of software allegedly designed to embed ‘web beacons’ into confidential documents, allowing the spying agency to track insiders and whistleblowers.
- Grasshopper – reveal a framework which allowed the agency to easily create custom malware for breaking into Microsoft’s Windows and bypassing antivirus protection.
- Marble – revealed the source code of a secret anti-forensic framework, basically an obfuscator or a packer used by the CIA to hide the actual source of its malware.
- Dark Matter – focused on hacking exploits the agency designed to target iPhones and Macs.
- Weeping Angel – spying tool used by the agency to infiltrate smart TV’s, transforming them into covert microphones.
- Year Zero – dumped CIA hacking exploits for popular hardware and software.