Vault 7: UCL / Raytheon

WikiLeaks publishes documents from the CIA contractor Raytheon Blackbird Technologies for the “UMBRAGE Component Library” (UCL) project. The documents were submitted to the CIA between November 21^st, 2014 (just two weeks after Raytheon acquired Blackbird Technologies to build a Cyber Powerhouse) and September 11^th, 2015. They mostly contain Proof-of-Concept ideas and assessments for malware attack vectors – partly based on public documents from security researchers and private enterprises in the computer security field.

Raytheon Blackbird Technologies acted as a kind of “technology scout” for the Remote Development Branch (RDB) of the CIA by analysing malware attacks in the wild and giving recommendations to the CIA development teams for further investigation and PoC development for their own malware projects.

Leaked Documents

• (S//NF) CSIT 15083 — HTTPBrowser
• (S//NF) CSIT 15085 — NfLog
• (S//NF) Symantec — Regin – Stealthy Surveillance
• (S//NF) FireEye — HammerToss – Stealthy Tactics
• (S//NF) VB — Gamker
• (S//NF) SentinelOne – Rombertik
• (S//NF) FireEye – Window into Russian Cyber Ops
• (S//NF) MalwareBytes — HanJuan Drops New Tinba
• (S//NF) Cisco — Rombertik
• (S//NF) RSA — Terracotta VPN
• (S//NF) Dell SecureWorks — Sakula
• (S//NF) CSIT 15078 — Skipper Implant
• (S//NF) Symantec — Evolution of Ransomware
• (S//NF) CSIT 15079 — Cozy Bear
• (U) McAfee DLL Hijack — PoC Report
• (U) HeapDestroy – DLL Rootkit — PoC Report
• (S//NF) TW — WildNeutron
• (S//NF) NMehta — Theories on Persistence
• (S//NF) CERT-EU — Kerberos Golden Ticket
• (S//NF) VB Dridex 2015 — Dridex
• (S//NF) Symantec — Black Vine
• (S//NF) CSIR 15005 — Stalker Panda
• (S//NF) CSIT 15016 — Elirks RAT
• (S//NF) Eset — Liberpy
• (S//NF) Eset — Potao
• (U) Sinowal Web Form Scraping — PoC Report
• (S//NF) MIRcon — Something About WMI
• (U) PoC Report — Anti-Debugging and Anti-Emulation
• (S//NF) SY 2015 — Butterfly Attackers
• (S//NF) Symantec — ZeroAccess Indepth
• (S//NF) CI 2015 — PlugX 7.0
• (U) Mimikatz Password Scanning Analysis — PoC Report
• (S//NF) TrendMicro — Understanding WMI Malware
• (S//NF) CanSecWest 2013 — DEP/ASLR Bypass Without ROP/JIT
• (U) Software Restriction Policy: A/V Disable — PoC Report
• (U) WMI Persistence Proof of Concept — Supplemental Report
• (U) Mimikatz PoC Report
• (U) Pony / Fareit PoC Report
• (U) SIRIUS Pique Proof-of-Concept Delivery — User-Mode DKOM — Final PoC Report
• (U) SIRIUS Pique Proof-of-Concept Delivery — Direct Kernel Object Manipulation (DKOM) — Interim PoC Report
• (U) Direct Kernel Object Manipulasiton (DKOM) — Proof-of-Concept (PoC) Outline