WikiLeaks has just dumped the next set of documents in its Vault 7 series. This time the document set is dubbed “Grasshopper,” and it showcases a malware platform that purportedly enables the CIA to target devices running on Microsoft Windows. Today’s set of leak documents comes a couple of weeks after the organization leaked documents showing how the CIA was targeting Apple devices.
In other words, you can pretty much bet that the intelligence agency has tools that target every major operating system used by the average consumer.
WikiLeaks details Grasshopper in Vault 7
In a statement, WikiLeaks described the Grasshopper framework as “a platform used to build customized malware payloads for Microsoft Windows operating systems.” Today’s document dump contains 27 documents about Grasshopper, which is apparently a group of building blocks CIA hackers can use to build a customized piece of malware that will behave differently depending on which features the builder chooses to highlight while constructing it.
WikiLeaks also said that Grasshopper comes with “a very flexible language” so the operative can define rules within the malware to “perform a pre-installation survey of the target device, assuring that the payload will only [be] installed if the target has the right configuration.” If this is true, it means that the malware can be programmed to install itself on a device only if that device meets a set of requirements specified by the operator when he built the malware.
How Grasshopper targets Microsoft Windows devices
The organization explains that this language enables the CIA to build anything from a very simple piece of malware to one with “very complex logic.” The malware is then able to figure out the specifics of any target device, such as if the device is running a particular version of Microsoft Windows or whether there is a specific antivirus software that’s running. According to WikiLeaks, the tools pay special attention to avoiding detection by antivirus products such as MS Security Essentials, Kaspersky IS, Symantec Endpoint and others.
This latest set of documents in the Vault 7 series contains “insights into the process of building modern espionage tools and insights into how the CIA maintains persistence over infected Microsoft Windows computers,” WikiLeaks summed up its latest purported leak. The 27 documents also give directions for identifying existing compromises that might already be on a device.
CIA took from Russian mafia to build Grasshopper, WikiLeaks claims
WikiLeaks also said that one of the “persistence mechanisms” described in the documents is “Stolen Goods.” According to the documents, “Stolen Goods” is made up of components that “were taken from malware known as Carberp, a suspected Russian organized crime rootkit.” The organization alleges that this confirms the CIA recycles malware circulated on the Internet.
“The source of Carberp was published online, and has allowed AED/RDB to easily steal components as needed from the malware,” one of the documents states.
According to WikiLeaks, the CIA acknowledges that the Carberp persistence method and some pieces of the installer were modified for Stolen Goods, although the agency also reportedly claims that most of Carberp wasn’t used in it.
Stolen Goods allegedly goes after a Microsoft Windows devices’ boot sequence by loading a driver onto the device and enabling it to keep running code after the boot sequence is complete.
After the last set of Vault 7 documents showcased the CIA’s alleged targeting of iOS devices and Macs, Apple responded by saying that it had patched a lot of the vulnerabilities that were identified in them. It will be interesting to see if Microsoft comes back with similar commentary now that its devices are being targeted.