A new batch of documents from Vault 7 leaks revealed details about a new implant, dubbed AngelFire that was used by CIA agents to infect systems running Windows OS.
AngelFire was part of the CIA arsenal, the hacking tool was used to gain persistence on the infected systems.
The documents describe the AngelFire framework implants as a persistent backdoor that infects the partition Boot Sector. According to the user manual leaked by WikiLeaks, AngelFire requires administrative privileges to compromise the target system.
“Today, August 31st 2017, WikiLeaks publishes documents from the Angelfire project of the CIA. Angelfire is an implant comprised of five components: Solartime, Wolfcreek, Keystone (previously MagicWand), BadMFS, and the Windows Transitory File system.” reads Wikileaks.
“Like previously published CIA projects (Grasshopper and AfterMidnight) in the Vault7 series, it is a persistent framework that can load and execute custom implants on target computers running the Microsoft Windows operating system (XP or Win7).”
Below the details for the five components composing the AngelFire framework:
1. Solartime — It is the component that modifies the partition boot sector to load and execute the Wolfcreek (kernel code) every time the system boots up.
2. Wolfcreek — It a self-loading driver (kernel code that Solartime executes) that loads other drivers and user-mode applications
3. Keystone — It is part of the Wolfcreek implant that leveraged DLL injection to execute the malicious user applications directly into system memory without dropping them into the file system. It is responsible for starting malicious user applications.
4. BadMFS — It is a is a library used to create a covert file system at the end of the active partition (or in a file on disk in later versions). It is used as a repository for the drivers and implants that Wolfcreek will start. All files are both encrypted and obfuscated to avoid string or PE header scanning.
5. Windows Transitory File system — It is a new method of installing AngelFire, which allows the CIA operator to create transitory files for specific actions including installation, adding files to AngelFire, removing files from AngelFire, etc.
According to the documents, the 32-bit version of the CIA implant works against Windows XP and Windows 7, while the 64-bit implant can be used to infect Server 2008 R2, Windows 7.
Below the list of release published by Wikileaks since March: