Below the details for the five components composing the AngelFire framework:

1. Solartime — It is the component that modifies the partition boot sector to load and execute the Wolfcreek (kernel code) every time the system boots up.

2. Wolfcreek — It a self-loading driver (kernel code that Solartime executes) that loads other drivers and user-mode applications

3. Keystone — It is part of the Wolfcreek implant that leveraged DLL injection to execute the malicious user applications directly into system memory without dropping them into the file system. It is responsible for starting malicious user applications.

4. BadMFS — It is a is a library used to create a covert file system at the end of the active partition (or in a file on disk in later versions). It is used as a repository for the drivers and implants that Wolfcreek will start. All files are both encrypted and obfuscated to avoid string or PE header scanning.

5. Windows Transitory File system — It is a new method of installing AngelFire, which allows the CIA operator to create transitory files for specific actions including installation, adding files to AngelFire, removing files from AngelFire, etc.

Below the list of release published by Wikileaks since March:

• AngelFire – 31 August, 2017
• ExpressLane – 24 August, 2017
• Couchpotato – 10 August, 2017
• Dumbo– 03 August, 2017
• Imperial – 27 July, 2017
• UCL/RAYTHEON – 19 July, 2017
• HighRise – 13 July, 2017
• BothanSpy and Gyrfalcon – 06 July, 2017
• OutlawCountry – 30 June, 2017
• ELSA malware – 28 June, 2017
• Cherry Blossom – 15 June, 2017
• Pandemic – 1 June, 2017
• Athena – 19 May, 2017
• AfterMidnight – 12 May, 2017
• Archimedes – 5 May, 2017
• Scribbles – 28 April, 2017
• Weeping Angel – 21 April, 2017
• Hive – 14 April, 2017
• Grasshopper – 7 April, 2017
• Marble Framework – 31 March, 2017
• Dark Matter – 23 March, 2017

Pierluigi Paganini

(Security Affairs –  Wikileaks, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]