WikiLeaks posts CIA documents on ways to install malware

WikiLeaks on Friday published a new package of leaked CIA documents outlining the Grasshopper framework, a customizable malware installer.

Grasshopper provides a number of tools to install weaponized code - known as a payload - onto a computer without being blocked by security. Though WikiLeaks describes Grasshopper as "a platform used to build customized malware payloads," the documents describe a system to load secret payloads designed elsewhere onto a computer and keep them running.

The Grasshopper package is modular and contains a number of different choices the CIA could use to install a payload on a system, taking advantage of a variety of different security flaws in Windows and hiding the payload in a number of different places. Some are designed to keep the payload on the computer to run multiple times. Others are designed to run a single time.

The newly released documents are user guides describing the functions and use of Grasshopper and different modules. They do not include source code that could be used to replicate the attacks.

WikiLeaks's description of the files emphasizes "Stolen Goods," a module that could be used with Grasshopper and one other program, that allows for "persistence" - keeping the payload on a computer for an extended period of time. Stolen Goods takes advantage of Carberp, third-party malware whose source code was leaked online.

Carberp is believed to be of Russian origin, but the source code is available online for anyone to download, so use of it would not necessarily indicate an attack originating in Russia. This is a notable difference from malware exclusively used by a single intelligence organization - like the X-Agent malware used by the Russian state group Fancy Bear in its believed attack on the Democratic National Committee last year - which can be used to tie an attack to a specific source.

The Stolen Goods user guide notes: "A vast majority of the original Carberp code that was used has been heavily modified. Very few pieces of the original code exist unmodified."

The Grasshopper paradigm - using one piece of code as a payload and a separately designed piece of code to drop that payload onto a system - is very common among hackers of all stripes, including criminals and governments. Many expected that something like this existed in the CIA, but the leaked documents give deeper insight into the internal code names for different CIA malware components.

Grasshopper is the fourth set of CIA hacking documents released by WikiLeaks from an archive that the site says were taken from a secure network. Though the CIA has not directly acknowledged that the documents are authentic, lawmakers are treating them as such.

View desktop version