WikiLeaks' Vault 7 revelations continue: Grasshopper is the CIA's Windows malware maker
The latest batch of documents published by WikiLeaks as part of its Vault 7 CIA series purportedly reveals the tools used by the agency to create malware for Windows. The Grasshopper framework is revealed in 27 documents, and they show how to create Windows installers with a malware payload.
Importantly, Grasshopper allows for the easy creation of custom malware delivery options, dependant on the operating system and virus protection detected on a target machine. The documents show that the CIA repurposed malware from Russian and Italian organized crime groups.
The Grasshopper framework appears to have been designed to not only be as easy to use as possible, but to be as flexible as possible. The documentation says that: "A Grasshopper executable contains one or more installers. An installer is a stack of one or more installer components. Grasshopper invokes each component of the stack in series to operate on a payload. The ultimate purpose of an installer is to persist a payload."
In a blog post announcing the availability of the document, WikiLeaks says:
Grasshopper allows tools to be installed using a variety of persistence mechanisms and modified using a variety of extensions (like encryption). The requirement list of the Automated Implant Branch (AIB) for Grasshopper puts special attention on PSP avoidance, so that any Personal Security Products like "MS Security Essentials", "Rising", "Symantec Endpoint" or "Kaspersky IS" on target machines do not detect Grasshopper elements.
One of the persistence mechanisms used by the CIA here is "Stolen Goods" -- whose "components were taken from malware known as Carberp, a suspected Russian organized crime rootkit." confirming the recycling of malware found on the Internet by the CIA. "The source of Carberp was published online, and has allowed AED/RDB to easily steal components as needed from the malware.". While the CIA claims that "[most] of Carberp was not used in Stolen Goods" they do acknowledge that "[the] persistence method, and parts of the installer, were taken and modified to fit our needs", providing a further example of reuse of portions of publicly available malware by the CIA, as observed in their analysis of leaked material from the italian company "HackingTeam".
It is not clear how recently the tools referenced in the documentation have been used by the CIA but, as WikiLeaks says, it does give "insights into the process of building modern espionage tools and insights into how the CIA maintains persistence over infected Microsoft Windows computers."