Vault 7 is a series of documents and tools released by WikiLeaks that describe the activities and capabilities of the US CIA for espionage and cyber warfare. Today, 31 August 2017, WikiLeaks published documentation for another tool, dubbed AngelFire, a framework that gives its operator persistent remote access to Windows machines.

How it Works

AngelFire consists of five components, Solartime, Wolfcreek, Keystone (previously MagicWand), BadMFS and the Windows Transitory File System, each responsible for one stage of the implant's loading chain.

Solartime alters the partition boot sector so that, on every startup, it loads and executes the second component, Wolfcreek.

Wolfcreek is a self-loading driver that loads the other AngelFire implants, such as Keystone, and further applications.

Keystone is the component that starts malicious user applications.

BadMFS is the component that creates a covert file system, which stores everything that Wolfcreek starts.

Windows Transitory File System is the newer method of dropping and installing AngelFire. It allows the CIA operator to create transitory files for specific tasks, such as adding and removing files from AngelFire, rather than laying independent components on disk.
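Because the chain starts with Solartime rewriting the partition boot sector, the one component that must be on disk in a fixed place is the volume boot record (VBR) of the boot partition. A practical check is therefore to record the SHA-256 of that 512-byte sector on a known-good system and compare it later. The script below is an added example written for this article, not code from the AngelFire documents; the sample VBR bytes are constructed (an NTFS-style header, filler in place of the bootstrap code, and the 0x55AA signature), and the simulated tampering (three changed bytes at the start of the bootstrap code) is an assumption for illustration only.

```python
import hashlib
from typing import List

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"   # last two bytes of a valid boot sector
NTFS_OEM_ID = b"NTFS    "      # bytes 3..10 of an NTFS VBR
BOOTSTRAP_OFFSET = 0x54        # NTFS bootstrap code begins after the BPB


def vbr_sha256(vbr: bytes) -> str:
    """Hash of the whole 512-byte volume boot record."""
    return hashlib.sha256(vbr).hexdigest()


def check_vbr(vbr: bytes, baseline_sha256: str) -> List[str]:
    """Return findings; an empty list means the VBR matches the recorded baseline."""
    findings = []
    if len(vbr) != SECTOR_SIZE:
        findings.append(f"unexpected VBR length {len(vbr)}")
        return findings
    if vbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if vbr[3:11] != NTFS_OEM_ID:
        findings.append("OEM ID is not NTFS")
    if vbr_sha256(vbr) != baseline_sha256:
        findings.append("VBR hash differs from recorded baseline")
    return findings


def changed_offsets(baseline: bytes, current: bytes) -> List[int]:
    """Byte offsets where the current VBR differs from the baseline, for triage."""
    return [i for i, (a, b) in enumerate(zip(baseline, current)) if a != b]


def read_vbr(volume: str) -> bytes:
    """Read the first sector of a raw volume, e.g. r"\\\\.\\C:" on Windows (needs admin)."""
    with open(volume, "rb") as f:
        return f.read(SECTOR_SIZE)


# Constructed sample data for this example; this is not a real VBR.
def _make_sample_vbr() -> bytearray:
    vbr = bytearray(SECTOR_SIZE)
    vbr[0:3] = b"\xEB\x52\x90"               # JMP over the BPB, as an NTFS VBR does
    vbr[3:11] = NTFS_OEM_ID
    for i in range(BOOTSTRAP_OFFSET, 510):   # deterministic filler standing in for boot code
        vbr[i] = i & 0xFF
    vbr[510:512] = BOOT_SIGNATURE
    return vbr


BASELINE_VBR = bytes(_make_sample_vbr())
BASELINE_SHA256 = vbr_sha256(BASELINE_VBR)

# Assumed tampering: three bytes patched at the start of the bootstrap code,
# leaving the BPB and the 0x55AA signature intact so only the hash reveals it.
_tampered = bytearray(BASELINE_VBR)
_tampered[BOOTSTRAP_OFFSET:BOOTSTRAP_OFFSET + 3] = b"\xE9\x00\x01"
TAMPERED_VBR = bytes(_tampered)

if __name__ == "__main__":
    print("baseline:", check_vbr(BASELINE_VBR, BASELINE_SHA256) or "OK")
    print("tampered:", check_vbr(TAMPERED_VBR, BASELINE_SHA256))
    print("changed offsets:", changed_offsets(BASELINE_VBR, TAMPERED_VBR))
```

Two caveats apply on a live host. The VBR legitimately changes on a reinstall or some bootloader updates, so the baseline must be re-recorded then. And a boot-sector implant that is already running in the kernel can filter raw reads from user mode, so the comparison is only trustworthy when the sector is read from an offline image or a boot medium, not from the suspect system itself.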

Loaded implants never touch the file system, so there is very little forensic evidence that the process was ever run. It always disguises as "C:\Windows\system32\svchost.exe" and can thus be detected in the Windows task manager, if the operating system is installed on another partition or in a different path. – Wikileaks
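The detection tip in that quote is a path comparison: a genuine svchost.exe runs from %SystemRoot%\System32, so an instance that claims a hard-coded C:\Windows\system32 path on a system whose SystemRoot is elsewhere is a giveaway. The script below, an added example for this article rather than code from the AngelFire documents, runs that comparison over a constructed process list. The SystemRoot value D:\Windows, the process entries and the parent-process heuristic (flagging an svchost.exe not started by services.exe) are assumptions of the example; the AngelFire documents describe only the path disguise.

```python
import ntpath
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Proc:
    pid: int
    name: str         # image name as shown in Task Manager
    image_path: str   # full path of the executable
    parent: str       # image name of the parent process


def expected_svchost_path(system_root: str) -> str:
    """The only path a genuine svchost.exe should be running from."""
    return ntpath.join(system_root, "System32", "svchost.exe")


def suspicious_svchost(procs: List[Proc], system_root: str) -> List[Tuple[int, str]]:
    r"""Flag svchost.exe instances not running from %SystemRoot%\System32\svchost.exe.

    Paths are compared case-insensitively because NTFS is case-insensitive and
    Windows reports both "system32" and "System32". The parent check is an extra
    heuristic assumed by this example: genuine svchost.exe is started by services.exe.
    """
    expected = expected_svchost_path(system_root).lower()
    findings = []
    for p in procs:
        if p.name.lower() != "svchost.exe":
            continue
        reasons = []
        if ntpath.normpath(p.image_path).lower() != expected:
            reasons.append(f"image path {p.image_path} is not {expected}")
        if p.parent.lower() != "services.exe":
            reasons.append(f"parent is {p.parent}, not services.exe")
        if reasons:
            findings.append((p.pid, "; ".join(reasons)))
    return findings


# Constructed sample process list: the OS is installed on D:, not the default C:.
SAMPLE_SYSTEM_ROOT = r"D:\Windows"
SAMPLE_PROCS = [
    Proc(4, "System", "", ""),
    Proc(612, "services.exe", r"D:\Windows\System32\services.exe", "wininit.exe"),
    Proc(900, "svchost.exe", r"D:\Windows\system32\svchost.exe", "services.exe"),   # genuine
    Proc(1234, "svchost.exe", r"C:\Windows\system32\svchost.exe", "services.exe"),  # hard-coded path
    Proc(4321, "svchost.exe", r"D:\Windows\System32\svchost.exe", "explorer.exe"),  # odd parent
]

if __name__ == "__main__":
    for pid, reason in suspicious_svchost(SAMPLE_PROCS, SAMPLE_SYSTEM_ROOT):
        print(f"PID {pid}: {reason}")
```

On a real host the same comparison can be fed from the ExecutablePath and ParentProcessId fields of Get-CimInstance Win32_Process. The limitation is exactly the one WikiLeaks states: when Windows is installed at the default C:\Windows, the disguised path is identical to the real one and this check is blind, so it complements rather than replaces the boot-sector and memory-based checks.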

To evade scanners, all of the files are hidden in the covert file system and are encrypted and obfuscated, which makes them very difficult to identify.

Supported OS

According to WikiLeaks, AngelFire is a persistent framework that can load and execute custom implants on target computers running Microsoft Windows XP or Windows 7. AngelFire needs administrator privileges for successful installation and execution.

Links to Download Documentation

More information can be found at Wikileaks

Download AngelFire Userguide

BadMFS Developer Guide

Wolfcreek Userguide

Wolfcreek Test Matrix
