WikiLeaks has released the latest Vault 7 data dump, detailing a new CIA hacking tool targeting Windows operating systems (OS). According to the documents leaked by the whistleblowing organisation, the CIA hacking tool, dubbed Angelfire was developed to infect and spy on Windows systems. WikiLeaks leaked the alleged user guide of Angelfire, which details that it functioned as a CIA malware framework, targeting Windows XP and Windows 7.
According to the alleged leaked user guide, Angelfire is comprised of five different components — Solartime, Wolfcreek, Keystone (previously MagicWand), BadMFS, and the Windows Transitory File system.
According to WikiLeaks' Vault 7 files, Solartime is a malware component designed solely to alter the Windows partition boot sector, which would allow the system to be infected with the Wolfcreek implant when Windows loads boot time device drivers. Wolfcreek is a key malware component as it can infect targeted devices with other Angelfire implants.
The Keystone implant, known previously as MagicWand, is a part of the Wolfcreek implant, according to WikiLeaks and is "responsible for starting malicious user applications". Keystone leaves little to no forensic evidence on infected systems. However, according to WikiLeaks, the implant can be detected in the Windows task manager, "if the operating system is installed on another partition or in a different path".
Bad MFS functions as a library, storing every implant and driver activated by Wolfcreek. Although some versions of BadMFS could be detected, in most cases, "all files are both encrypted and obfuscated" to help avoid detection.
The Windows Transitory File system acts as a new way to install AngelFire. The system allows CIA spies to create transitory files for specific actions, which include installing AngleFire, adding and/or removing files to and from the malware and more.
In comparison to other CIA hacking tools leaked by WikiLeaks, AngelFire does not seem to be all that sophisticated, since some of the malware's components could potentially be detected by security products.
WikiLeaks' latest Vault 7 dump comes hours after its site reportedly got hacked by the OurMine group.