WikiLeaks publishes CIA manuals for malware platform

WikiLeaks has published guides that provide insight into the so-called Grasshopper framework. The framework allows the CIA to package various payloads into Windows malware and tailor them to the target.

The release comprises a total of 27 documents, including many files titled "user guide". According to WikiLeaks, Grasshopper is a framework for building malware: users can choose from different modules, which are then included in the malicious software. For example, one of the manuals states that ‘Grasshopper can be used to build a custom installation executable and run it on the target’s Windows computer’.

Such installation executables “should only be loaded into memory and executed,” according to the manual. In addition, the executable files are suitable for x86 and x64 systems and take the form of DLL files. The payloads are intended to remain on the target’s system and can be in different file formats. For example, by using certain instructions, a CIA employee can make the malware check for the presence of antivirus software.

According to WikiLeaks, it is also possible to circumvent such software. Furthermore, the documents describe that one of the methods to permanently infect a system, called Stolen Goods, comes from the existing Carberp rootkit, which is used by criminals, among others. The CIA writes that the source code has been copied and adapted to meet the requirements of the intelligence service.

WikiLeaks’ current release follows previous publications, including that of the Marble framework, which appeared online a week ago. These are all from ‘Vault 7’, which contains documents about CIA practices.
