AngelFire framework implants backdoor

At the Central Intelligence Agency (CIA) a team of hackers allegedly used a Windows hacking tool against targets to gain persistent remote access.

WikiLeaks today revealed details about a new implant developed by the CIA, targeting computers running Windows, as part of its Vault 7 leaks.

Targeting Windows computers, the AngelFire framework implants a persistent backdoor by modifying the partition boot sector.

The AngelFire framework consists of the following five components, according to Hacker News:

  • Solartime — it modifies the partition boot sector to load and execute Wolfcreek (the kernel code) every time the system boots up.
  • Wolfcreek — a self-loading driver that loads other drivers and user-mode applications.
  • Keystone — a component that uses a DLL injection technique to execute the malicious user applications directly in system memory without dropping them onto the file system.
  • BadMFS — a covert file system that attempts to install itself in non-partitioned space available on the targeted computer and stores all drivers and implants that Wolfcreek starts.
  • Windows Transitory File system — a new method of installing AngelFire, which allows the CIA operator to create transitory files for specific tasks, such as adding files to and removing files from AngelFire, rather than laying independent components on disk.
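Two of the components above touch the disk outside the file system: Solartime alters a boot sector, and BadMFS hides in non-partitioned space. The following is an added example written from a defender's point of view; it is not code from the article or from any leaked AngelFire material. It assumes a classic MBR-partitioned disk (partition table at offset 446, four 16-byte entries, 0x55AA signature) and uses a constructed sample sector rather than a real drive. It does two things: parses the partition table to enumerate sector ranges no partition covers (the places a covert file system could live), and compares a SHA-256 of a boot sector against a known-good baseline to flag modification.

```python
import hashlib
import struct

SECTOR = 512
PARTITION_TABLE_OFFSET = 446
ENTRY_FORMAT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(partitions, boot_code=b"\x33\xc0\x8e\xd0"):
    """Construct a sample 512-byte MBR (not captured from a real disk).

    partitions is a list of (type, lba_start, sector_count) tuples.
    """
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    for i, (ptype, start, count) in enumerate(partitions):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status = 0x80 if i == 0 else 0x00  # first entry marked bootable
        struct.pack_into(ENTRY_FORMAT, mbr, off, status,
                         b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


def parse_partitions(mbr):
    """Return in-use partition entries as (type, lba_start, sector_count), sorted by start."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        _status, _chs0, ptype, _chs1, start, count = struct.unpack_from(ENTRY_FORMAT, mbr, off)
        if ptype != 0 and count != 0:  # type 0 means an empty slot
            parts.append((ptype, start, count))
    return sorted(parts, key=lambda p: p[1])


def unpartitioned_regions(mbr, disk_sectors):
    """Return (start, length) sector ranges that no partition covers.

    Sector 0 (the MBR itself) is excluded. The gap before the first partition
    is normally alignment padding, but it and any trailing free space are the
    regions a baseline should record and later re-check for unexpected content.
    """
    regions = []
    cursor = 1
    for _ptype, start, count in parse_partitions(mbr):
        if start > cursor:
            regions.append((cursor, start - cursor))
        cursor = max(cursor, start + count)  # max() tolerates overlapping entries
    if cursor < disk_sectors:
        regions.append((cursor, disk_sectors - cursor))
    return regions


def sector_digest(sector):
    """SHA-256 of a boot sector (MBR or a partition's VBR)."""
    return hashlib.sha256(bytes(sector)).hexdigest()


def boot_sector_changed(baseline_sector, current_sector):
    """True if the sector read now differs from the recorded baseline."""
    return sector_digest(baseline_sector) != sector_digest(current_sector)


if __name__ == "__main__":
    # Constructed sample: two NTFS-type partitions on a 1,000,000-sector disk.
    sample = build_sample_mbr([(0x07, 2048, 204800), (0x07, 409600, 100000)])
    for start, length in unpartitioned_regions(sample, 1_000_000):
        print(f"unpartitioned: sectors {start}..{start + length - 1} ({length} sectors)")
    tampered = bytearray(sample)
    tampered[:4] = b"\xeb\x00\x90\x90"  # simulated change to the boot code area
    print("boot sector changed:", boot_sector_changed(sample, tampered))
```

On a live system the baseline digests would be taken from the first sector of the disk and of each partition at a known-good time (for example from a golden image) and stored off-host, since a tool running on a compromised machine cannot be trusted to report the sector contents honestly.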

AngelFire requires administrative privileges on a target computer for successful installation, according to a user manual leaked by WikiLeaks, and the 32-bit version of the implant works against Windows XP and Windows 7.

Written by Leah Alger