WikiLeaks released a new set of CIA Vault 7 leaks, publishing information on two CIA malware frameworks known as “AfterMidnight” and “Assassin.”
WikiLeaks published documents on two malware frameworks, titled “AfterMidnight” and “Assassin,” which, according to WikiLeaks, are designed to operate within the Microsoft Windows operating system. Both programs are designed to monitor and report actions on the host computer and to execute actions specified by the CIA.
“‘AfterMidnight’ allows operators to dynamically load and execute malware payloads on a target machine,” writes WikiLeaks on their website. “The main controller disguises as a self-persisting Windows Service DLL and provides secure execution of ‘Gremlins’ via a HTTPS based Listening Post (LP) system called ‘Octopus’.”
“Once installed on a target machine AM will call back to a configured LP on a configurable schedule, checking to see if there is a new plan for it to execute. If there is, it downloads and stores all needed components before loading all new gremlins in memory,” WikiLeaks explains. “‘Gremlins’ are small AM payloads that are meant to run hidden on the target and either subvert the functionality of targeted software, survey the target (including data exfiltration) or provide internal services for other gremlins. The special payload ‘AlphaGremlin’ even has a custom script language which allows operators to schedule custom tasks to be executed on the target machine.”
Describing the “Assassin” malware, WikiLeaks said, “‘Assassin’ is a similar kind of malware; it is an automated implant that provides a simple collection platform on remote computers running the Microsoft Windows operating system. Once the tool is installed on the target, the implant is run within a Windows service process.”
“‘Assassin’ (just like ‘AfterMidnight’) will then periodically beacon to its configured listening post(s) to request tasking and deliver results. Communication occurs over one or more transport protocols as configured before or during deployment,” they report. “The ‘Assassin’ C2 (Command and Control) and LP (Listening Post) subsystems are referred to collectively as ‘The Gibson’ and allow operators to perform specific tasks on an infected target.”
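Both frameworks, as described above, share one network behaviour: the implant calls back to its listening post on a configured schedule to ask for tasking. That regularity is the property a defender can look for in egress or proxy logs. The following is an added example written for this article; it is not code from the leaked documents, from WikiLeaks, or from any CIA tool. The log format, the client addresses, the host names and the timestamps are all constructed for illustration, and the thresholds (`min_events`, `max_cv`) are assumed tuning values rather than anything the documents specify.

```python
"""Flag client/destination pairs that talk on a suspiciously regular timer.

Added example (not from the article or the leaked documents). The log
format, addresses, host names and timestamps below are constructed.
"""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed proxy log: "<ISO timestamp> <client> <destination> <bytes_out>".
# 10.0.0.5 polls updates.example-cdn.test roughly every 600 s with tiny,
# near-identical requests; the other traffic is irregular browsing/mail.
SAMPLE_LOG = """\
2017-05-12T09:00:00 10.0.0.5 updates.example-cdn.test 512
2017-05-12T09:00:14 10.0.0.5 mail.example.test 8210
2017-05-12T09:10:02 10.0.0.5 updates.example-cdn.test 514
2017-05-12T09:19:58 10.0.0.5 updates.example-cdn.test 511
2017-05-12T09:23:41 10.0.0.5 news.example.test 40211
2017-05-12T09:30:01 10.0.0.5 updates.example-cdn.test 513
2017-05-12T09:40:00 10.0.0.5 updates.example-cdn.test 512
2017-05-12T09:49:59 10.0.0.5 updates.example-cdn.test 512
2017-05-12T09:51:10 10.0.0.5 mail.example.test 7702
2017-05-12T10:00:03 10.0.0.5 updates.example-cdn.test 515
2017-05-12T09:02:17 10.0.0.7 mail.example.test 9011
2017-05-12T09:15:44 10.0.0.7 mail.example.test 8800
2017-05-12T09:45:03 10.0.0.7 mail.example.test 9300
2017-05-12T10:01:12 10.0.0.7 mail.example.test 8650
"""


def parse_log(text):
    """Parse log lines into (timestamp, client, destination, bytes_out) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, client, dest, bytes_out = line.split()
        records.append((datetime.fromisoformat(ts), client, dest, int(bytes_out)))
    return records


def interval_stats(timestamps):
    """Return (mean gap in seconds, coefficient of variation) for sorted timestamps."""
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2:
        # Not enough gaps to measure regularity; treat as maximally irregular.
        return (gaps[0] if gaps else 0.0), float("inf")
    mean = statistics.mean(gaps)
    cv = statistics.stdev(gaps) / mean if mean > 0 else float("inf")
    return mean, cv


def find_beacons(text, min_events=4, max_cv=0.1):
    """Return client/destination pairs whose request spacing is nearly constant.

    A low coefficient of variation (stdev / mean) of the inter-request gaps
    means the client is calling out on a fixed timer rather than in response
    to a person browsing. min_events keeps one-off bursts from qualifying.
    Result is sorted with the most regular pair first.
    """
    by_pair = defaultdict(list)
    for ts, client, dest, _bytes_out in parse_log(text):
        by_pair[(client, dest)].append(ts)

    hits = []
    for (client, dest), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        mean, cv = interval_stats(stamps)
        if cv <= max_cv:
            hits.append({
                "client": client,
                "destination": dest,
                "events": len(stamps),
                "mean_interval_s": mean,
                "cv": cv,
            })
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['destination']}: "
              f"{hit['events']} requests, mean gap {hit['mean_interval_s']:.1f} s, "
              f"cv {hit['cv']:.4f}")
```

On the constructed log this reports only the 10.0.0.5 to updates.example-cdn.test pair (seven requests, mean gap 600.5 s). Legitimate software also polls on timers, so a hit is a triage lead to be joined with destination reputation, request size and process context, not a verdict on its own; `max_cv` is the knob to loosen if an implant adds jitter to its schedule.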