WikiLeaks: New ‘Grasshopper’ leak reveals ‘CIA malware’ tools used to hack Microsoft Windows
As a continuing part of its Vault 7 series of leaked documents, the leaks site WikiLeaks has released a new cache of 27 documents allegedly belonging to the US intelligence agency, the CIA.
Hop on the grass
A CLI-based framework named Grasshopper has been built by the CIA to enable building “customized malware” payloads to break into Microsoft’s Windows operating system – even bypassing the anti-virus. The leaked documents appear to be a user manual for spies, intended to be accessed only by members of the agency.
As per the documents, the framework enables agency members to easily create malware tailored to the operating system and anti-virus installed on the target machine. The Grasshopper framework then puts together several components that are sufficient to hack the target machine and delivers a Windows installer when done. The agency members can then run the installer on the target machine to install their own customized malware payloads.
“A Grasshopper executable contains one or more installers. An installer is a stack of one or more installer components,” the documentation reads. “Grasshopper invokes each component of the stack in series to operate on a payload. The ultimate purpose of an installer is to persist a payload.”
WikiLeaks claimed that the toolset was designed to evade detection even by the world’s top anti-virus products. It has also claimed that the CIA created the Grasshopper framework as a modern cyber-espionage solution, built not only to be as easy to use as possible but also “to maintain persistence over infected Microsoft Windows computers.”
“Grasshopper allows tools to be installed using a variety of persistence mechanisms and modified using a variety of extensions (like encryption),” Wikileaks said in the press release.
One of the persistence mechanisms linked to Grasshopper is called Stolen Goods, which demonstrates how the CIA adapted malware developed by cyber criminals across the globe and modified it for its own use. One such piece of malware is Carberp, developed by Russian hackers.
“The persistence method and parts of the installer were taken and modified to fit our needs,” the leaked document noted. “A vast majority of the original Carberp code that was used has been heavily modified. Very few pieces of the original code exist unmodified.”
Whether and how the CIA used these tools remains unclear, though WikiLeaks says they were in use between 2012 and 2015. So far, WikiLeaks has released the “Year Zero” batch, which uncovered CIA hacking exploits for popular hardware and software; the “Dark Matter” batch, which focused on exploits and hacking techniques the agency designed to target iPhones and Macs; and the third batch, called “Marble”, which revealed the source code of a secret anti-forensic framework – essentially an obfuscator or packer used by the CIA to hide the true origin of its malware.