The latest addition to the Vault 7 leak by CIA is the set of 27 documents of the Grasshopper framework. CIA uses the framework to create custom malware that behaves according to the configuration of the target system. Grasshopper also helps CIA to implement various persistence mechanisms for the malware.

We woke up from our weekend’s hangover only to realize that Wikileaks dropped another CIA hacking bonanza last Friday. Now, for the latest leak, Wikileaks has disclosed 27 documents from Grasshopper framework – a platform used by CIA to design malware payloads for Microsoft Windows.

Grasshopper framework helps a CIA operator with modules that could be used to build custom malware that behaves differently depending on how they are configured during the creation process.

For instance, a malware can installed using various persistence mechanisms – methods used by a malware to live on a system for long – and other features such as encryption. Stolen Goods, a persistence mechanism, was crafted by CIA using chunks of publicly available Russian rootkit Carberp.

The framework also describes the rules to “perform a pre-installation survey of the target device, assuring that the payload will only [be] installed if the target has the right configuration.”

It’s quite easy for CIA operators to determine the Windows version running on the target machine, or if an anti-virus software is installed. The framework’s Automated Requirements Branch (AIB) puts emphasis on the fact that Grasshopper tools shouldn’t get affected by personal security products (PSP), for example, MS Security Essentials, Kaspersky Internet Security, Symantec Endpoint.

Wikileaks said that the release of the framework provides an insight into CIA’s building process of various espionage tools. It’s ringing a bell for the ones wanting to protect their systems from being compromised.

The documents related to the Grasshopper framework can be found here.