The WikiLeaks whistleblowing platform published new documents on Thursday from the Vault 7 series, which contain information on the hacker tool which the CIA used to load and execute implants targeting computers using Microsoft Windows operating systems.
Dubbed as CIA Angelfire, the project is a malware framework developed to infect Windows computers.
The leaked Angelfire user guide shows that Windows XP and Windows 7 are vulnerable to the exploit toolkit but it’s not clear whether or not Windows 10 users are safe from it.
According to the manual, Angelfire is made up of five components, including Solartime, Wolfcreek, Keystone (previously MagicWand), BadMFS, and the Windows Transitory File system, each with its own purpose:
↦ Solartime - Malware that modifies the boot sector to load Wolfcreek.
↦ Wolfcreek - Self-loading driver that can load other drivers and user-mode applications.
↦ Keystone - Component that's responsible for starting other implants (a technical term for malware).
↦ BadMFS - a covert file system that is created at the end of the active partition. AngelFire uses BadMFS to store all other components. All files are obfuscated and encrypted.
↦ Windows Transitory File System - a newer component that's an alternative to BadMFS. Instead of storing files on a secret file system, the component uses transitory (temporary) files for the storage system.
WikiLeaks describes the Angelfire project as follows:
“Like previously published CIA projects (Grasshopper and AfterMidnight) in the Vault7 series, Angelfire is a persistent framework that can load an execute custom implants on target computers running the Microsoft Windows operating system.”
The CIA reportedly uses Angelfire to load and execute malicious user applications on target computers. One of the tool's components modifies the boot sector, allowing the implants to be downloaded simultaneously with Windows' boot time device drivers. Loaded implants never touch the file system, so it is rather difficult to track the process.