
Achilles

Product
Developers: Central Intelligence Agency (CIA)

2017: WikiLeaks published documentation

At the end of July 2017, WikiLeaks published a new batch of documents on CIA cyber-espionage tools, this time the user manuals for programs code-named Achilles, Aeris and SeaPea.[1]

Achilles is a utility for trojanizing macOS application installers (DMG disk images).[2]

WikiLeaks published documentation on CIA spyware for macOS and Linux

According to the description, the utility lets an operator bind any executable file to a DMG installer for a one-time launch.

When the owner of the targeted machine runs such a DMG, both the original application and the added malicious component are installed; the malicious addition is then removed from the DMG file so that it cannot be analyzed. This is fairly typical of cyber-espionage operations.
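The self-removal described above is also what makes this kind of trojanized installer detectable: an inventory of the mounted image taken before the first launch, compared with one taken afterwards, shows exactly which file disappeared. The following Python script is an added example written for this page; it is not code from the WikiLeaks documents or from any CIA tool. The application name, the directory layout and the file contents are constructed for the demonstration, and a temporary directory stands in for the mounted DMG.

```python
"""Snapshot-and-diff check for a self-deleting installer payload (added example).

Take a hash inventory of the mounted installer before the first launch and
again afterwards; anything removed, added or modified in between is listed.
Illustrative code written for this page, not from the WikiLeaks documents;
all paths and file contents below are constructed.
"""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map every regular file under root (relative path) to its SHA-256 hex digest."""
    inventory = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # symlinks are skipped; their targets are hashed if inside root
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            inventory[os.path.relpath(full, root)] = digest
    return inventory


def diff_snapshots(before, after):
    """Return (removed, added, modified) relative paths between two inventories."""
    removed = sorted(set(before) - set(after))
    added = sorted(set(after) - set(before))
    modified = sorted(p for p in before.keys() & after.keys() if before[p] != after[p])
    return removed, added, modified


def simulate_self_deleting_payload():
    """Constructed scenario: an installer tree loses its extra binary after first launch."""
    with tempfile.TemporaryDirectory() as mount:  # stands in for the mounted DMG
        app = os.path.join(mount, "Example.app", "Contents", "MacOS")
        os.makedirs(app)
        with open(os.path.join(app, "Example"), "wb") as fh:
            fh.write(b"\xcf\xfa\xed\xfe original application stub")  # constructed content
        with open(os.path.join(app, "helper"), "wb") as fh:
            fh.write(b"\xcf\xfa\xed\xfe bound extra executable")  # constructed content
        before = snapshot(mount)
        # First launch: the bound component runs and deletes itself from the image.
        os.remove(os.path.join(app, "helper"))
        after = snapshot(mount)
    return diff_snapshots(before, after)


if __name__ == "__main__":
    removed, added, modified = simulate_self_deleting_payload()
    print("removed:", removed)
    print("added:", added)
    print("modified:", modified)
```

In practice the first snapshot would be taken on a freshly mounted, read-only copy of the image before anything is run, and the hashes kept off the machine; a file that is present in the first inventory and absent from the second is precisely the artifact that the self-removal is meant to deny an analyst.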

The second malicious tool, Aeris, is an implant for POSIX-compliant operating systems.[3]

According to the documentation, Aeris is written in C and runs on the following operating systems:

Judging by its functionality, the task of Aeris is to collect data and exfiltrate it over encrypted TLS channels.

How the data are collected is not explained in the document. This may mean that Aeris is only one link in a whole chain of malware used to compromise systems, identify the data of interest and exfiltrate it.

SeaPea, in turn, is a kernel-level rootkit for OS X that provides persistence on a system across reboots. SeaPea can also hide files and folders, launch processes and initiate socket connections.[4]

The SeaPea manual had already been published earlier, together with descriptions of other tools for infecting Mac OS X and iOS. The document dates from 2011, so it is already quite old. SeaPea was tested on two long-outdated versions of Mac OS X, 10.6 and 10.7; the current version of the system is 10.12. Whether SeaPea works on it, and whether newer versions exist, is unknown.

"Mac OS X and Linux have a reputation for being more secure than Windows. However, as we see, espionage tools exist for them too. Any software is vulnerable to serious professionals," says Georgy Lagoda, CEO of SEC Consult Services. "Another matter is that operating systems evolve, and over time old tools become partly or entirely ineffective. It is possible that the leaked tools had simply ceased to meet the needs of their operators."

WikiLeaks publishes documentation on CIA cyber-espionage tools as part of its Vault 7 series. The documentation was presumably stolen by hackers and insiders, though this is known only from the statements of the site's administrators.

While WikiLeaks publishes only the documents describing CIA malware, the Shadow Brokers group periodically publishes the tools themselves, presumably used by the U.S. National Security Agency. As with WikiLeaks, it remains unknown how these tools came into the Shadow Brokers' possession. It is a fact, however, that these tools are to a large extent still quite effective.

Notes