WikiLeaks Releases More Info On CIA Malware

WikiLeaks has released documentation on another CIA cyber-weapon. Codenamed Pandemic, this is a tool that targets computers with shared folders, from where users can download files via SMB.

The way Pandemic works is quite ingenious and original, and something not seen before in any other malware strain.

Pandemic was developed for computers with shared folders

According to a leaked CIA manual, Pandemic is installed on target machines as a "file system filter driver." This driver's function is to listen to SMB traffic and detect attempts from other users to download shared files from the infected computer.

Pandemic intercepts this SMB request and answers on behalf of the infected computer, delivering a malware-infected file in place of the legitimate one. (SMB is the network file-sharing protocol used by Windows-based computers; it allows systems on the same network to share files.)

According to the CIA manual, Pandemic can replace up to 20 legitimate files at a time, with a maximum size of 800MB per file, and only takes 15 seconds to install. Support is included for replacing both 32-bit and 64-bit files. The tool was specifically developed to replace executable files, especially those hosted on enterprise networks via shared folders.

The role of this cyber-weapon is to infect corporate file sharing servers and deliver a malicious executable to other persons on the network, hence the tool's name of Pandemic.

Detecting "patient zero" is hard, but not impossible

Once Pandemic has infiltrated a network, it's very hard to detect the source of the original infection and clean the "patient zero" host.

This is because Pandemic's file system driver knows when a local user is manually accessing one of the shared files and serves the clean version of the file, not the malware-laced version it delivers via SMB. To detect Pandemic-infected PCs, sysadmins must therefore download the shared files from another computer via SMB (shared folders) and scan those copies.
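The detection approach just described, as an added example (not from the leaked manual or the original article): hash every file on the share as seen locally on the host, hash the same files as fetched over SMB from a second machine, and report any file whose two digests differ. The `demo()` function builds two constructed directory trees standing in for those two vantage points; in practice `manifest()` would be run once on the share host against its local path and once on another machine against the UNC path.

```python
"""Compare a share's files as seen locally on the host with the same files
as fetched over SMB from another machine, flagging any that differ."""
import hashlib
import os
import tempfile


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so multi-hundred-MB binaries are handled."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def manifest(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_of(full)
    return out


def diff_manifests(local_view, remote_view):
    """Paths whose SMB-fetched digest differs from the local one, plus paths
    present on only one side (a substituted file may also change name or size)."""
    common = set(local_view) & set(remote_view)
    return {
        "mismatched": sorted(p for p in common if local_view[p] != remote_view[p]),
        "only_local": sorted(set(local_view) - set(remote_view)),
        "only_remote": sorted(set(remote_view) - set(local_view)),
    }


def demo():
    """Constructed sample: the local view and the SMB view of the same share."""
    local = tempfile.mkdtemp(prefix="share_local_")
    remote = tempfile.mkdtemp(prefix="share_smb_")
    files = {"tools/setup.exe": b"MZ" + b"\x00" * 62 + b"clean-installer",
             "docs/readme.txt": b"plain text, not an executable"}
    for rel, body in files.items():
        for root in (local, remote):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(body)
    # Simulate the substitution: the copy served over SMB is a different binary.
    with open(os.path.join(remote, "tools/setup.exe"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 62 + b"substituted-installer")
    return diff_manifests(manifest(local), manifest(remote))
```

Only the executable differs between the two views, which is exactly the signal the local-only scan misses.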

Incident response teams who suspect they may be targets of CIA surveillance can also check the Windows registry for unexpected file system mini-filter drivers, and enumerate the loaded mini-filters using the Windows Flt* functions, as a sign of infection.

WikiLeaks' dump is part of a larger series called Vault 7, which contains documents WikiLeaks claims were stolen from the CIA by hackers and insiders.

Bleeping Computer:
