Industry News

WikiLeaks Vault 7 blows cover of hard-to-detect CIA Angelfire implant

Less than a week after it published another round of secret documents on the CIA’s hacking arsenal, whistle-blowing site WikiLeaks is out with a new disclosure in the Vault 7 series – the Angelfire project.

WikiLeaks describes Angelfire as an implant made up of five key components: Solartime, Wolfcreek, Keystone (previously MagicWand), BadMFS, and the Windows Transitory File system. Some are designed to inject the others, some are designed to erase Angelfire’s tracks, and others are pure malware.

Angelfire, a persistent framework that can load and execute custom implants, targets older versions of the Windows operating system (i.e. Windows XP and Windows 7). Here’s a summary of how Angelfire works:

Solartime – responsible for modifying the partition boot sector so Windows unknowingly loads and executes the Wolfcreek implant while it attempts to load boot time device drivers

Wolfcreek – once executed, can load and run other Angelfire implants

Keystone – part of the Wolfcreek implant; responsible for starting “malicious user applications;” leaves very little forensic evidence that the process ran; purports as “C:\Windows\system32\svchost.exe”

BadMFS – a custom library designed to implement a covert file system; used to store all drivers and implants that Wolfcreek will start; avoids string or PE header scanning through encryption and obfuscation.

Windows Transitory File system – an alternate way of deploying Angelfire; allows an operator to create transitory files; allows specific actions (install, add, remove files).

“Like previously published CIA projects (Grasshopper and AfterMidnight) in the Vault7 series, [Angelfire] is a persistent framework that can load and execute custom implants on target computers running the Microsoft Windows operating system (XP or Win7),” according to the publication.

When WikiLeaks announced the start of the Vault 7 series in March, it said its source wished “to initiate a public debate about the security, creation, use, proliferation and democratic control of cyberweapons.”

A total of 22 disclosures have been made in the six months since the series started, with August alone seeing three leaks: CouchPotato (10 August); ExpressLane (24 August); and now Angelfire (31 August).

A particularly concerning disclosure was made in June, when WikiLeaks revealed how the CIA could (but didn’t necessarily) geo-locate any WiFI-enabled computer and deploy a malicious implant designed for eavesdropping.

About the author


Filip is an experienced writer with over a decade of practice in the technology realm. He has covered a wide range of topics in such industries as gaming, software, hardware and cyber-security, and has worked in various B2B and B2C marketing roles. Filip currently serves as Information Security Analyst with Bitdefender.

1 Comment

Click here to post a comment