CIA Developed Windows Malware That Alters Boot Sector to Load More Malware


WikiLeaks published today documentation on the CIA Angelfire project, a malware framework developed to infect Windows computers.

According to a leaked CIA manual, Angelfire is made up of five components, each with its own purpose:

- Solartime – malware that modifies the boot sector to load Wolfcreek.
- Wolfcreek – self-loading driver that can load other drivers and user-mode applications.
- Keystone – component that is responsible for starting other implants (the technical term for malware).
- BadMFS – a covert file system that is created at the end of the active partition. Angelfire uses BadMFS to store all other components. All files are obfuscated and encrypted.
- Windows Transitory File System – a newer component that is an alternative to BadMFS. Instead of storing files on a secret file system, it uses transitory (temporary) files as its storage system.

According to leaked documents, Angelfire works on 32-bit and 64-bit versions of Windows XP and Windows 7, and on 64-bit versions of Windows Server 2008 R2.

Not the CIA’s best work

The Angelfire framework is just another tool in the CIA’s arsenal for hacking Windows users. Previous tools include Grasshopper, ELSA, AfterMidnight, and Assassin.

Compared to other tools, Angelfire doesn’t appear to be that polished. The leaked documents include a long list of issues.

For example, security products could detect the presence of a BadMFS file system by a file named “zf”, and users may see popup alerts when one of the Angelfire components crashes.

In addition, the Keystone component always disguises itself as a “C:\Windows\system32\svchost.exe” process and cannot dynamically adjust this path if Windows is installed on another partition (e.g. D:\), and DLL persistence on XP is not supported. All in all, this is not the CIA’s best work.
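The two weaknesses above translate directly into host-based checks. The following is an added illustration, not code from the leaked documents: it flags svchost.exe processes whose image path does not sit under the real system root (the hardcoded C:\Windows path stands out on a D:\ install) and files named exactly “zf”. The process snapshot and file list are constructed sample data.

```python
import ntpath
from typing import Dict, Iterable, List

# Constructed process snapshot as a host-inventory tool might report it.
# The real Windows install is assumed to live under D:\Windows.
SAMPLE_PROCESSES: List[Dict[str, object]] = [
    {"pid": 612, "image": r"D:\Windows\system32\svchost.exe"},
    {"pid": 4012, "image": r"C:\Windows\system32\svchost.exe"},  # hardcoded path, wrong root
    {"pid": 900, "image": r"D:\Windows\explorer.exe"},
]

# Constructed file listing; only the bare "zf" name should match.
SAMPLE_FILES: List[str] = [
    r"D:\Windows\system32\drivers\etc\hosts",
    r"D:\zf",
    r"D:\Users\alice\zfs-notes.txt",
]


def suspicious_svchost(processes: Iterable[Dict[str, object]], system_root: str) -> List[int]:
    # Keystone always claims C:\Windows\system32\svchost.exe, so any svchost.exe
    # whose image path differs from the genuine <system_root>\system32\svchost.exe
    # is worth a closer look. normcase folds case and slash direction.
    expected = ntpath.normcase(ntpath.join(system_root, "system32", "svchost.exe"))
    hits: List[int] = []
    for proc in processes:
        image = ntpath.normcase(str(proc["image"]))
        if ntpath.basename(image) == "svchost.exe" and image != expected:
            hits.append(int(proc["pid"]))
    return hits


def badmfs_marker_files(paths: Iterable[str]) -> List[str]:
    # The leaked documents name a file called "zf" as a BadMFS giveaway;
    # match the exact file name only, so "zfs-notes.txt" is not a hit.
    return [p for p in paths if ntpath.basename(p).lower() == "zf"]


if __name__ == "__main__":
    print(suspicious_svchost(SAMPLE_PROCESSES, r"D:\Windows"))  # [4012]
    print(badmfs_marker_files(SAMPLE_FILES))  # ['D:\\zf']
```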

Previous Vault 7 leaks

Today’s dump is part of a larger series called Vault 7, which contains documents WikiLeaks claims were stolen from the CIA by hackers and insiders. You can follow the rest of our WikiLeaks Vault 7 coverage here. Below is a list of the most notable WikiLeaks “Vault 7” dumps:

- Weeping Angel – tool to hack Samsung smart TVs
- Fine Dining – a collection of fake, malware-laced apps
- Grasshopper – a builder for Windows malware
- DarkSeaSkies – tools for hacking iPhones and Macs
- Scribble – beaconing system for Office documents
- Archimedes – a tool for performing MitM attacks
- AfterMidnight and Assassin – malware frameworks for Windows
- Athena – a malware framework co-developed with a US company
- Pandemic – a tool for replacing legitimate files with malware
- CherryBlossom – a tool for hacking SOHO WiFi routers
- Brutal Kangaroo – a tool for hacking air-gapped networks
- ELSA – malware for geo-tracking Windows users
- OutlawCountry – CIA tool for hacking Linux systems
- BothanSpy & Gyrfalcon – CIA malware for stealing SSH logins
- HighRise – Android app for intercepting & redirecting SMS data
- Achilles, Aeris, & SeaPea – tools for hacking Mac & POSIX systems
- Dumbo – tool to disable webcams and microphones
- CouchPotato – tool to capture remote video streams