According to the leaked user manual, Angelfire consists of five components: Solartime, malware that modifies a computer's boot sector in order to load Wolfcreek; Wolfcreek, a self-loading driver that loads other drivers and user-mode applications; Keystone, which is responsible for starting other implants (the technical term for malware); and BadMFS, a covert file system which stores all the other components, encrypting and hiding them.
RELEASE: CIA 'Angelfire' covert Windows malware system https://t.co/Kctemz9XfT #vault7 pic.twitter.com/aajwOLDQ5H
— WikiLeaks (@wikileaks) August 31, 2017
In essence, Angelfire is but another resource in the CIA's apparently vast hacking arsenal, aimed at Windows users.
However, there is much to suggest the tool is a sub-par effort — despite BadMFS' obfuscatory promise, and the manual's claim that Angelfire aims to provide a "robust environment" for users, its authors concede there are "some limitations" they should be aware of prior to use.
A lengthy table listing issues then-known to the tool's development team follows.
Sloppy Work
The litany of bugs identified by developers suggests Angelfire could even fail at the first hurdle. Its initial component, Solartime, performs a heuristic check of the operating system at boot time to determine whether it can be patched. Yet the check can succeed even when the OS has changed in a way that would cause a crash once the patch is applied.
"The heuristic algorithm is imperfect and can still have false positives. Solartime has a more restrictive setting that will only allow the patch to proceed if the OS has not changed. The downside is, if a new service pack or hotfix is applied, Solartime will not launch on bootup," the manual says.
One-liner for testing the presence of CIA's AngelFire malware #WikiLeaks
Grab here: https://t.co/4iKfDgYijC pic.twitter.com/Inb2t6THfb
— dalmoz (@dalmoz_) August 31, 2017
Furthermore, BadMFS cannot be installed if there is insufficient space on a drive, raising the prospect that users could be alerted to the existence of the allegedly covert file by a standard system warning that it could not be copied. To remedy this prospective blunder, the manual suggests shrinking the file, down to a minimum of two megabytes in size.
Other glitches could similarly notify users of the presence of malicious software installed — or in the process of being installed — on their computers.
For example, anti-virus and cybersecurity products could detect the presence of BadMFS by the existence of a file named "zf" — and users may see popup alerts if one of the Angelfire components crashed, which other issues suggest is a likely eventuality.
In addition, the Keystone component always disguises itself as a "C:\Windows\system32\svchost.exe" process, a path that can be inconsistent with where svchost.exe actually resides on a given system.
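The two indicators above, a file literally named "zf" and an svchost.exe process whose image path does not match the host's genuine svchost.exe, are the kind of thing a defender would turn into a simple hunt. The script below is an added example, not code from the article or from the leaked manual: it applies both checks to constructed process and file records (the paths, PIDs and the `D:\Windows` installation are assumptions made up for the demonstration, as is the `hunt` function itself). On a live Windows host the same logic would be fed from a process listing and a file-system walk.

```python
"""Hunt for the two Angelfire indicators the article describes:
  1. a file named exactly "zf" (BadMFS), and
  2. a process named svchost.exe whose reported image path is not the host's
     real svchost.exe path (Keystone always claims C:\\Windows\\system32).
All sample records here are constructed for illustration; nothing comes from
the leaked manual or from a real infected system.
"""
import ntpath

# Path the Keystone component always presents for itself, per the article.
KEYSTONE_CLAIMED_PATH = r"C:\Windows\system32\svchost.exe"


def real_svchost_path(system_root: str) -> str:
    """Where svchost.exe genuinely lives on a host with the given %SystemRoot%."""
    return ntpath.join(system_root, "System32", "svchost.exe")


def suspicious_svchost(processes, system_root):
    """Return the process records named svchost.exe whose image path differs
    from the host's real svchost.exe path.  Windows paths are case-insensitive,
    so the comparison is made on ntpath.normcase() output.  Note the limitation
    this implies: on a host whose %SystemRoot% really is C:\\Windows, Keystone's
    claimed path matches the genuine one and this check alone cannot tell them
    apart; the indicator only helps where the real path differs."""
    expected = ntpath.normcase(real_svchost_path(system_root))
    hits = []
    for proc in processes:
        if ntpath.basename(proc["image"]).lower() != "svchost.exe":
            continue  # not claiming to be svchost.exe at all
        if ntpath.normcase(proc["image"]) != expected:
            hits.append(proc)
    return hits


def badmfs_candidates(file_paths):
    """Return every path whose file name is exactly "zf" (case-insensitive,
    as Windows file names are), the BadMFS file name the article says
    anti-virus products can key on."""
    return [p for p in file_paths if ntpath.basename(p).lower() == "zf"]


def hunt(processes, file_paths, system_root):
    """Run both checks and return the findings in one dictionary.
    (hunt() is an assumed helper for this example, not an Angelfire artifact.)"""
    return {
        "svchost_path_mismatch": suspicious_svchost(processes, system_root),
        "zf_files": badmfs_candidates(file_paths),
    }


# Constructed sample data: a host installed to D:\Windows, one genuine svchost,
# one process presenting the path Keystone always claims, and a stray "zf" file.
SAMPLE_PROCESSES = [
    {"pid": 812, "image": r"D:\Windows\System32\svchost.exe"},   # genuine
    {"pid": 1337, "image": KEYSTONE_CLAIMED_PATH},               # path mismatch
    {"pid": 2040, "image": r"D:\Program Files\Editor\editor.exe"},
]
SAMPLE_FILES = [
    r"D:\Windows\System32\drivers\etc\hosts",
    r"D:\ProgramData\zf",            # exact name "zf": flagged
    r"D:\Users\Alice\zfsettings.txt", # only starts with "zf": not flagged
]

if __name__ == "__main__":
    findings = hunt(SAMPLE_PROCESSES, SAMPLE_FILES, r"D:\Windows")
    for proc in findings["svchost_path_mismatch"]:
        print(f"svchost.exe path mismatch: pid {proc['pid']} at {proc['image']}")
    for path in findings["zf_files"]:
        print(f"BadMFS candidate file: {path}")
```

Both checks are deliberately narrow: they implement exactly the two observables the article attributes to the leaked manual, and the comment on `suspicious_svchost` records the case in which the path indicator gives no signal, which is the caveat a responder would want before treating an empty result as a clean host.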
WikiLeaks/CIA docs say Angelfire works only on XP, Win7, and Server 2008 R2 (64bit) pic.twitter.com/vUZrRb5cHV
— Catalin Cimpanu (@campuscodi) August 31, 2017
Other issues have no remedy — for instance, if Angelfire's container file is deleted, but Angelfire has not been uninstalled, it will continue to work on reboot until the disk clusters the container file occupies are overwritten by the computer's file system.
If this happens, the integrity check of the container file will fail, and Angelfire will allow the boot process to continue as normal — again allowing users to unthinkingly evade the tool's clutches.
In sum, Angelfire was evidently far from the CIA's best work — other tools in the intelligence agency's technological armory, documented in previous Vault 7 releases, appear to have been far more effective.
We Have the Technology
- CherryBlossom was a tool via which the agency sought to leverage common vulnerabilities in WiFi routers, sold by companies such as D-Link and Linksys. The techniques ranged from hacking network passwords to rewriting device firmware to remotely monitor traffic flowing across a target's network. The CIA's router-hacking approach began with a tool — "Claymore" — that scanned a network to identify devices, and then launched two exploiters — "Tomato" and "Surfside" — which stole WiFi devices' administrative passwords.
- HighRise was an application for Android mobile devices which provided a redirector function for SMS messaging — in effect, allowing the CIA to intercept and redirect any text messages received by a particular device.
- Dumbo allowed for the identification, control and manipulation of webcams and computer microphones, on any computer running Microsoft Windows. CIA agents could record and monitor all audio/visual traffic from and to that resource, and delete or manipulate recordings to hide actual evidence of the intrusion operation.
- DarkSeaSkies allowed agents to execute malicious code from a USB drive, CD, DVD, or portable hard drive during a Mac's boot-up, even if the Mac's firmware is password-protected.