Short Bytes: Continuing their CIA leak further, Wikileaks has released a part of CIA Core Library called Marble Framework. It is used to scramble (obfuscate) text strings in the CIA malware to prevent forensic experts from tracing its source to the CIA. The leak includes a tool to reverse CIA text obfuscation which could help experts attribute previous attacks and malware to CIA.

I

t was less than a month ago when Wikileaks released the collection of CIA tools and malware used to exploit vulnerabilities in the hardware of various manufacturers.

While various smartphone makers including Google, Apple, etc. have confirmed they’ve released fixes for the related bugs, Cisco is yet to release a fix for more than 300 vulnerable switch models.

It’s evident from the Wikileaks’ recent activities that their Vault 7 goodie bag hasn’t emptied yet. On Friday, Wikileaks released 676 source code files that are a part of CIA’s Marble Framework, a set of tools to hide digital traces while performing hacking operations.

A part of the framework is an algorithm called Marble which is created to obfuscate – it scrambles and unscrambles data – any text fragments present in the viruses, trojans, worms, etc. created by the CIA. This is done to prevent them from being identified and attributed to CIA by forensic experts. Marble includes tools that could be used to undo the CIA text obfuscation.

Wikileaks says it’s the “digital equivalent” of CIA tool which is used to remove English text from US-made weapons before handing them over to “insurgents secretly backed by the CIA”.

Nicholas Weaver, a security researcher at UC Berkeley, told NY Times that it’s probably the most “technically damaging” leak by Wikileaks, “as it seems designed to directly disrupt ongoing CIA operations and attribute previous operations.”

The leaked source code also manifests obfuscate test samples in languages in non-English languages such as Chinese, Arabic, Russian, etc. A forensic expert trying to attribute a finding may assume the attacker is not an American native.

Marble forms a part of the Core Library of CIA’s malware code, and one should not confuse obfuscation and encryption, as there is a clear distinction between the two terms. According to the documents revealing CIA’s anti-forensics approach, they use obfuscation on data they want to “protect from automated scans”. On the other hand, “Encryption applies to data we wish to protect from our adversaries,” the document reads.

Wikileaks says that Marble doesn’t include any exploits or vulnerabilities. It’s only used for the purpose of obfuscation.

If you have something to add, drop your thoughts and feedback.