CIA's “AngelFire” Modifies Windows' Boot Sector to Load Malware

Wikileaks on Thursday published documents detailing AngelFire, a tool allegedly used by the U.S. Central Intelligence Agency (CIA) to load and execute implants on Windows-based systems.

Similar to other “Vault7” tools that Wikileaks unveiled over the past several months, such as Grasshopper and AfterMidnight, AngelFire is a persistent framework targeting computers running Windows XP and Windows 7.

According to the published documents, the framework consists of five components: Solartime, Wolfcreek, Keystone (previously called MagicWand), BadMFS, and the Windows Transitory File system.

Solartime was designed to modify the partition boot sector so as to load the Wolfcreek implant when Windows loads boot time device drivers. Wolfcreek is a self-loading driver that can load additional drivers and user-mode applications after execution. By loading additional implants, memory leaks that could be detected on infected machines are created.

Part of the Wolfcreek implant, Keystone is responsible for starting malicious user applications. The leaked documents also reveal that the implants are loaded directly into memory and they never touch the file system. The created processes are named svchost.exe and all of their properties are consistent with a real instance of svchost.exe, including image path and parent process.

BadMFS is a covert file system created at the end of the active partition and used to store (both encrypted and obfuscated) all drivers and implants launched by Wolfcreek. Some versions of the library can be detected because reference to it is stored in a file named “zf“.

The Windows Transitory File system was meant as a new method of installing AngelFire, allowing an operator to create transitory files (instead of laying independent components on disk) for actions such as installation, adding files to, or removing files from AngelFire. These transitory files are added to the ‘UserInstallApp’.

According to the AngelFire user guide, the tool features a small footprint and comes with two installer versions, namely an executable and a fire-and-collect .dll installer. The implant framework is compatible with the 32-bit Windows XP, and Windows 7, and 64-bit Windows Server 2008 R2 and Windows 7.

The tool is also plagued with a variety of issues, the leaked documents say, including the lack of support for .dll persistence on Windows XP, an imperfect heuristic algorithm, incorrectly configured SEH environment during driver load, or the inability to dynamically determine the path of svchost.exe, among others.

Related: WikiLeaks: CIA Secretly Collected Data From Liaison Services

Related: CIA Tools for Stealing SSH Credentials Exposed by WikiLeaks

Related: WikiLeaks Details CIA’s Air-Gapped Network Hacking Tool

view counter

Ionut Arghire is an international correspondent for SecurityWeek.

Previous Columns by Ionut Arghire: