
3 hacking tools Achilles, SeaPea and Aeris used by CIA: WikiLeaks

WikiLeaks has exposed hacking tools targeting the Mac and Linux operating systems in the latest of its series of leaks allegedly from the US Central Intelligence Agency.

A Central Intelligence Agency (CIA) project called “Imperial” included three hacking tools for infiltrating the Mac and Linux operating systems, according to the latest “Vault 7” leaks.

The three hacking tools are:

  • Achilles — a tool to trojanize a legitimate OS X disk image (.dmg) installer.
  • SeaPea — a stealthy rootkit for Mac OS X systems.
  • Aeris — an automated implant for Linux and other POSIX systems.

Achilles:

Achilles is a capability that lets an operator trojanize an OS X disk image (.dmg) installer with one or more operator-specified executables for a one-time execution.

According to the documents, Achilles v1.0 was developed in 2011, and the CIA developers only tested it on Mac OS X 10.6 (Snow Leopard, released by Apple in 2009).

The tool itself is a Bash shell script that bundles the “one or more desired operator specified executables” into the installer so that they run once.

As soon as a targeted user downloads the trojanized disk image onto his or her Apple computer and installs the software, the first time the user launches the application all of the bundled executables run after the real application has started.

Once executed, the malware erases every trace of Achilles from the downloaded application, so what remains on disk is the original, un-trojanized application.

Because the malware and the downloaded application are no longer connected at that point, uninstalling the application will not remove the malware.
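The tampering Achilles performs, dropping extra executables into an otherwise legitimate bundle and altering it so they run once, is exactly what an application bundle's code-signing seal exists to catch. The Python script below is an added example written for this article, not CIA code or anything from the WikiLeaks material: it models the check `codesign --verify --deep --strict` performs on macOS by walking an .app's Contents/ directory and comparing every file against the `_CodeSignature/CodeResources` seal, skipping only Info.plist and the main executable (which the signature covers through the code directory, not the resource seal). It then runs the audit on a constructed clean bundle and a constructed trojanized one. The bundle layout, the file names and where the payload lands are assumptions for illustration, not Achilles' real file layout.

```python
"""Audit a macOS .app bundle against its code-signing seal (added example).

Cross-platform stand-in for `codesign --verify --deep --strict`: every file
under Contents/ must appear in _CodeSignature/CodeResources with a matching
digest, except the seal itself, Info.plist and the main executable.
"""
import hashlib
import os
import plistlib
import tempfile

SKIP_TOP = ("_CodeSignature", "Info.plist")  # covered by the code directory instead


def digest_file(path, algorithm):
    """Streamed hashlib digest ('sha1' or 'sha256') of a file."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.digest()


def expected_digests(seal):
    """Map bundle-relative path -> (algorithm, digest) from a CodeResources plist.
    Newer seals carry 'files2' with SHA-256 'hash2' entries; older ones only
    'files', whose values are a raw SHA-1 digest or a dict with 'hash'."""
    if "files2" in seal:
        return {p: ("sha256", e["hash2"])
                for p, e in seal["files2"].items() if "hash2" in e}
    return {p: ("sha1", e["hash"] if isinstance(e, dict) else e)
            for p, e in seal.get("files", {}).items()}


def audit_bundle(app_dir):
    """Return (unsealed, mismatched): sorted bundle-relative paths of files
    absent from the seal, and of sealed files whose on-disk digest differs."""
    contents = os.path.join(app_dir, "Contents")
    with open(os.path.join(contents, "Info.plist"), "rb") as f:
        main_exe = "MacOS/" + plistlib.load(f)["CFBundleExecutable"]
    with open(os.path.join(contents, "_CodeSignature", "CodeResources"), "rb") as f:
        expected = expected_digests(plistlib.load(f))
    unsealed, mismatched = [], []
    for root, _dirs, files in os.walk(contents):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, contents).replace(os.sep, "/")
            if rel.split("/")[0] in SKIP_TOP or rel == main_exe:
                continue
            if rel not in expected:
                unsealed.append(rel)        # added after signing (Achilles-style drop)
            elif digest_file(full, expected[rel][0]) != expected[rel][1]:
                mismatched.append(rel)      # sealed file edited after signing
    return sorted(unsealed), sorted(mismatched)


def build_demo_bundle(parent, trojanized):
    """Write a constructed Example.app under `parent` and return its path.
    With trojanized=True an unsealed 'payload' is dropped into Resources/ and the
    sealed launch script is rewritten to run it once and delete it. Layout and
    names are assumptions for the demo, not Achilles' real file layout."""
    contents = os.path.join(parent, "Example.app", "Contents")
    for sub in ("MacOS", "Resources", "_CodeSignature"):
        os.makedirs(os.path.join(contents, sub))
    clean = {
        "MacOS/Example": b"\xcf\xfa\xed\xfe constructed Mach-O stand-in\n",
        "Resources/launch.sh": b'#!/bin/sh\nexec "$(dirname "$0")/../MacOS/Example"\n',
        "Resources/app.icns": b"constructed icon bytes",
    }
    for rel, data in clean.items():
        with open(os.path.join(contents, rel), "wb") as f:
            f.write(data)
    with open(os.path.join(contents, "Info.plist"), "wb") as f:
        plistlib.dump({"CFBundleExecutable": "Example"}, f)
    seal = {"files2": {rel: {"hash2": digest_file(os.path.join(contents, rel), "sha256")}
                       for rel in clean if not rel.startswith("MacOS/")}}
    with open(os.path.join(contents, "_CodeSignature", "CodeResources"), "wb") as f:
        plistlib.dump(seal, f)
    if trojanized:  # tamper only after sealing, as an attacker would
        with open(os.path.join(contents, "Resources", "payload"), "wb") as f:
            f.write(b"#!/bin/sh\n# constructed stand-in for an operator executable\n")
        with open(os.path.join(contents, "Resources", "launch.sh"), "wb") as f:
            f.write(b'#!/bin/sh\nhere="$(dirname "$0")"\n"$here/payload"; rm -f "$here/payload"\n'
                    b'exec "$here/../MacOS/Example"\n')
    return os.path.dirname(contents)


def demo():
    """Audit a clean and a trojanized constructed bundle and return both results."""
    results = {}
    for label, trojanized in (("clean", False), ("trojanized", True)):
        with tempfile.TemporaryDirectory() as tmp:
            results[label] = audit_bundle(build_demo_bundle(tmp, trojanized))
    return results


if __name__ == "__main__":
    for label, (unsealed, mismatched) in demo().items():
        print(f"{label}: unsealed={unsealed} mismatched={mismatched}")
```

The clean bundle audits as ([], []); the trojanized one reports Resources/payload as unsealed and Resources/launch.sh as mismatched. On a real Mac the same two conditions surface from `codesign --verify --deep --strict` as a sealed resource that is missing or invalid, which is why checking a downloaded installer's signature before first launch is worth the few seconds it takes; note that Achilles' self-cleanup after first run means the check has to happen before the application is launched, not afterwards.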

SeaPea:

SeaPea is a Mac OS X rootkit that gives CIA operators stealth and tool-launching capabilities: it hides files and directories, socket connections and processes.

According to the documents, SeaPea requires Mac OS X 10.6 (Snow Leopard), with either the 32-bit or the 64-bit kernel, or Mac OS X 10.7 (Lion).

SeaPea has two main parts:

  • BuildInstaller.py: a Python script that builds the target installer.
  • installer: a shell script generated by BuildInstaller.py and used to install SeaPea on the target computer.

SeaPea will remain on the system unless one of the following conditions is met:

  1. The hard drive is reformatted.
  2. An upgrade to the next major version (e.g., 10.8).
  3. The rootkit detects that it is not functioning correctly.

The installer script also generates the file “/var/log/secure.ptm.log.bz2”, which serves as a “stop file” for CIA operators in case SeaPea does a self-uninstall. The manual stresses this as extremely important: operators must not reinstall SeaPea if it uninstalled itself because of an unrecoverable error such as a kernel panic, and the stop file is what tells them it did.

Aeris:

Aeris is an automated implant written in C that supports a number of POSIX-based systems; it is perhaps named after a character in the Final Fantasy VII game. Aeris can be used to backdoor Linux and other Unix-like operating systems, including Debian Linux 7 (i386, amd64 and ARM), Red Hat Enterprise Linux 6 (i386 and amd64), Solaris 11 (i386 and SPARC), FreeBSD 8 (i386 and amd64), and CentOS 5.3 and 5.7 (i386).


Below the list of features provided by Aeris:

  • Configurable beacon interval and jitter
  • Standalone and Collide-based HTTPS LP (listening post) support
  • SMTP protocol support
  • TLS Encrypted communications with mutual authentication
  • Compatibility with the NOD Cryptographic Specification
  • Structured command and control similar to that used by several Windows implants
  • Automated file exfiltration
  • Simple and flexible deployment and installation

The Aeris distribution consists of a set of Python utilities together with a set of binaries, one per platform listed above. These binaries (called unpatched binaries in the documents) are fully functional but are not deployable, because they contain no configuration information. Instead, they contain placeholders (GUIDs and static buffers) that are overwritten with the appropriate information at build time. The Aeris builder generates a valid configuration from operator input and uses it to create a deployable Aeris instance.

Aeris has no separate installer: operators use the builder to generate a custom, configured implant, and to deploy it they simply place the resulting Aeris binary in the desired directory on the target.
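The builder model described above (an unpatched binary carrying GUID and static-buffer placeholders that are overwritten with configuration at build time) is worth seeing from both sides, because the same marker that lets the builder locate the buffer lets an analyst locate the configuration in a captured sample. The Python below is an added example written for this article, not Aeris' code or its real binary format: the marker GUID, the buffer size, the packed config layout and the fake ELF bytes are all constructed assumptions. The builder side refuses to patch a buffer that is already populated, and the analyst side returns nothing for an unpatched binary, matching the document's point that unpatched binaries carry no configuration.

```python
"""Build-time placeholder patching and config extraction (added example).

Constructed model, not Aeris' real layout: an 'unpatched' binary carries a
fixed GUID marker followed by a zeroed static buffer. The builder overwrites
the buffer with a packed configuration; an analyst finds the same marker in a
deployed sample and unpacks the configuration back out.
"""
import struct

# Assumed marker GUID and buffer size; the real values are not in the leaked text.
MARKER = b"7f1b2c9e-4a3d-4e8f-9b21-0c5d6e7f8a90"
BUFFER_SIZE = 256
# Assumed config layout: magic, beacon interval (seconds), jitter (percent),
# then a length-prefixed listening-post URL. Little-endian throughout.
CONFIG_MAGIC = b"ACFG"
HEADER = struct.Struct("<4sIIH")  # magic, interval, jitter, url_len


def pack_config(interval, jitter, lp_url):
    """Serialise a configuration into exactly BUFFER_SIZE bytes, zero-padded."""
    url = lp_url.encode()
    blob = HEADER.pack(CONFIG_MAGIC, interval, jitter, len(url)) + url
    if len(blob) > BUFFER_SIZE:
        raise ValueError("configuration does not fit the static buffer")
    return blob.ljust(BUFFER_SIZE, b"\0")


def find_buffer(binary):
    """Offset of the static buffer (just past the marker), or -1 if the marker
    is absent or ambiguous (appears more than once)."""
    i = binary.find(MARKER)
    if i < 0 or binary.find(MARKER, i + 1) >= 0:
        return -1
    return i + len(MARKER)


def patch_binary(unpatched, interval, jitter, lp_url):
    """Builder side: return a deployable copy with the configuration written in.
    Length is unchanged, so no relocations or offsets inside the binary move."""
    off = find_buffer(unpatched)
    if off < 0 or len(unpatched) < off + BUFFER_SIZE:
        raise ValueError("not a recognised unpatched binary")
    if unpatched[off:off + BUFFER_SIZE] != b"\0" * BUFFER_SIZE:
        raise ValueError("buffer already populated; refusing to re-patch")
    return unpatched[:off] + pack_config(interval, jitter, lp_url) + unpatched[off + BUFFER_SIZE:]


def extract_config(binary):
    """Analyst side: the embedded configuration as a dict, or None when the
    sample is an unpatched (zero-buffer) binary or the marker is missing."""
    off = find_buffer(binary)
    if off < 0 or len(binary) < off + BUFFER_SIZE:
        return None
    buf = binary[off:off + BUFFER_SIZE]
    magic, interval, jitter, url_len = HEADER.unpack_from(buf)
    if magic != CONFIG_MAGIC or HEADER.size + url_len > BUFFER_SIZE:
        return None
    url = buf[HEADER.size:HEADER.size + url_len].decode(errors="replace")
    return {"interval": interval, "jitter": jitter, "lp_url": url}


def make_unpatched_binary():
    """Constructed stand-in for an unpatched ELF: fake code, marker, zeroed
    buffer, more fake code."""
    return b"\x7fELF" + b"\x90" * 64 + MARKER + b"\0" * BUFFER_SIZE + b"\xc3" * 32


def demo():
    """Patch a constructed binary and read the config back from both versions."""
    unpatched = make_unpatched_binary()
    deployable = patch_binary(unpatched, 3600, 20, "https://lp.example.invalid/beacon")
    return extract_config(unpatched), extract_config(deployable), len(deployable) == len(unpatched)


if __name__ == "__main__":
    before, after, same_size = demo()
    print("unpatched:", before)          # None: nothing to deploy against
    print("deployable:", after)          # the operator's interval, jitter and LP
    print("size preserved:", same_size)
```

The analyst half is the part worth keeping around: once a marker or magic value for a family is known, pulling interval, jitter and listening-post addresses from a sample is a few lines, and the extracted LP becomes a network indicator immediately. The refusal to re-patch a populated buffer is deliberate; it is the check that stops a builder from silently producing a binary with two conflicting configurations.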

Jay Prakash Kumar
