These leaked documents relate to a CIA project codenamed ‘Imperial’. They include details of three CIA hacking tools and implants designed to compromise computers running Apple Mac OS X and several Linux distributions (Aeris also targets other POSIX systems such as Solaris and FreeBSD). *
The three hacking tools are:
- Achilles – a tool to trojanize a legitimate OS X disk image (.dmg) installer;
- SeaPea – a stealthy rootkit for Mac OS X systems;
- Aeris – an automated implant for Linux and other POSIX systems.
The 27th July 2017 WikiLeaks release overview:
“Today, July 27th 2017, WikiLeaks publishes documents from the Imperial project of the CIA. Achilles is a capability that provides an operator the ability to trojan an OS X disk image (.dmg) installer with one or more desired operator specified executables for a one-time execution. Aeris is an automated implant written in C that supports a number of POSIX-based systems (Debian, RHEL, Solaris, FreeBSD, CentOS). It supports automated file exfiltration, configurable beacon interval and jitter, standalone and Collide-based HTTPS LP support and SMTP protocol support – all with TLS encrypted communications with mutual authentication. It is compatible with the NOD Cryptographic Specification and provides structured command and control that is similar to that used by several Windows implants. SeaPea is an OS X Rootkit that provides stealth and tool launching capabilities. It hides files/directories, socket connections and/or processes. It runs on Mac OSX 10.6 and 10.7.”
Three documents were also published alongside this release:
Achilles — User Guide
The user guide states that Achilles was tested on Intel-based Macs running OS X 10.6. Because the tool modifies a legitimate .dmg rather than building a fake one, the installer still looks and behaves like the genuine download; the practical check is to compare the downloaded image's hash with the value published by the vendor and to verify the code signature of the bundled application (for example with codesign --verify --deep --strict) before running it.
SeaPea — User Guide
SeaPea was written in 2011 and is listed as tested on OS X 10.6 (Snow Leopard) and OS X 10.7 (Lion). The rootkit works by assigning every process to one of three categories: Normal, Elite and Super-Elite. ** SeaPea's own commands are executed as Elite processes.
Aeris — User Guide
Aeris is written in C, and its user guide lists the following supported target platforms:
- Debian Linux 7 (i386, amd64 and ARM);
- Red Hat Enterprise Linux 6 (i386 and amd64);
- Solaris 11 (i386 and SPARC);
- FreeBSD 8 (i386 and amd64);
- CentOS 5.3 (i386) and CentOS 5.7 (i386). ***
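The release overview notes that Aeris beacons to its listening post at a configurable interval with jitter. The script below is an added example of my own, not code from the leaked documents or from any of the tools they describe; it shows, on constructed proxy-log lines, why that jitter matters to defenders: a detector that looks for an exact repeating interval misses the jittered host, while a detector that scores the spread of the gaps between connections (coefficient of variation, standard deviation divided by mean) still flags it and leaves bursty user traffic alone. The log format, the addresses, the 300-second interval with 20% jitter and the detection thresholds are all assumptions made for the example.

```python
"""Beaconing detector for implant-style callbacks.

Added example (my own code, not from the leaked Aeris documents or any
CIA tool). The WikiLeaks overview says Aeris supports a configurable beacon
interval plus jitter. The two detectors below, run over constructed proxy-log
lines, show why jitter exists: an exact-interval check is defeated by it,
while a check on the spread of the inter-connection gaps (coefficient of
variation, stddev / mean) still flags the host. The log format, thresholds
and addresses are assumptions for the example.
"""
import random
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

LOG_FMT = "%Y-%m-%dT%H:%M:%S"  # assumed log timestamp format
START = datetime(2017, 7, 27, 10, 0, 0)


def make_beacon_log(src, dst, start, interval_s, jitter_frac, count, seed):
    """Construct log lines for a host that calls back every interval_s seconds,
    each gap randomised by +/- jitter_frac (the trace a beaconing implant with
    a configurable interval and jitter would leave). Constructed data."""
    rng = random.Random(seed)
    t, lines = start, []
    for _ in range(count):
        lines.append(f"{t.strftime(LOG_FMT)} {src} {dst}")
        t += timedelta(seconds=interval_s * (1 + rng.uniform(-jitter_frac, jitter_frac)))
    return lines


def make_irregular_log(src, dst, start):
    """Construct log lines for ordinary bursty user traffic (constructed gaps)."""
    gaps = [7, 1250, 33, 4100, 12, 880, 2600, 5, 15, 3900, 410, 60]
    t, lines = start, [f"{start.strftime(LOG_FMT)} {src} {dst}"]
    for g in gaps:
        t += timedelta(seconds=g)
        lines.append(f"{t.strftime(LOG_FMT)} {src} {dst}")
    return lines


def parse_log(lines):
    """Group connection timestamps by (source, destination) pair."""
    events = defaultdict(list)
    for line in lines:
        ts, src, dst = line.split()
        events[(src, dst)].append(datetime.strptime(ts, LOG_FMT))
    return events


def gaps_seconds(times):
    """Inter-connection gaps in seconds, in chronological order."""
    times = sorted(times)
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def exact_interval_pairs(events, min_events=8, tolerance_s=1.0):
    """Naive detector: flag a pair only if every gap matches the first gap
    within tolerance_s. Any jitter on the implant side defeats this."""
    flagged = {}
    for pair, times in events.items():
        if len(times) < min_events:
            continue
        g = gaps_seconds(times)
        if all(abs(x - g[0]) <= tolerance_s for x in g):
            flagged[pair] = g[0]
    return flagged


def jitter_tolerant_pairs(events, min_events=8, max_cv=0.3):
    """Flag pairs whose gaps cluster tightly around their mean (low
    coefficient of variation). Jitter of a few tens of percent does not
    push the CV anywhere near what bursty human traffic produces."""
    flagged = {}
    for pair, times in events.items():
        if len(times) < min_events:
            continue
        g = gaps_seconds(times)
        m = mean(g)
        if m <= 0:
            continue
        cv = pstdev(g) / m
        if cv <= max_cv:
            flagged[pair] = {"mean_gap_s": m, "cv": cv, "events": len(times)}
    return flagged


# Constructed sample: one host beaconing every ~300 s with 20% jitter,
# one host with ordinary irregular traffic to a different destination.
SAMPLE_LOG = (
    make_beacon_log("10.0.0.5", "203.0.113.10:443", START, 300, 0.2, 24, seed=7)
    + make_irregular_log("10.0.0.9", "198.51.100.20:443", START)
)


def run(lines=SAMPLE_LOG):
    """Return (exact-interval hits, jitter-tolerant hits) for the given log."""
    events = parse_log(lines)
    return exact_interval_pairs(events), jitter_tolerant_pairs(events)


if __name__ == "__main__":
    exact, tolerant = run()
    print("exact-interval detector:", exact)
    print("jitter-tolerant detector:", tolerant)
```

Running the script prints an empty result for the exact-interval detector and a single hit for the jitter-tolerant one (the 10.0.0.5 host, mean gap close to 300 s, CV well under 0.3). The min_events floor is what keeps short sessions from scoring; on real logs it should be raised with the observation window, and the CV score is best combined with destination reputation and byte counts rather than used alone.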
Synopses of the previous and subsequent Vault 7 WikiLeaks releases are available on WikiLeaks; further analysis of Imperial is available at HackRead and The Hacker News.
Header image courtesy of The Hacker News (Twitter @TheHackersNews) & in-article image courtesy of HackRead (Twitter @HackRead)
* Content courtesy of Pierluigi Paganini's Security Affairs article “WikiLeaks published another batch of classified documents from the CIA Vault 7 leak, it includes details of the Imperial project”.
** References from content courtesy of HackRead – Twitter @HackRead
*** References from content courtesy of The Hacker News – Twitter @TheHackersNews