Wikileaks Releases Mac, Linux and Unix Malware

In the continuing saga of Vault 7 – the leaking of CIA hacking tools, Wikileaks made Mac, Linux and Unix users feel welcome.  Instead of leaking Windows and Android malicious code, they leaked Mac, Linux and Unix tools instead.  I guess they are equal opportunity leakers.

In this case they just leaked the manuals so that people could understand what the tools do but not be able to do it themselves.

Tool number one is named Achilles.  Achilles is an interesting tool.  Lets say that you wanted to install a piece of malware but you didn’t want to be detected.  Achilles allows you to “bind” a payload executable to a Mac DMG files.  When the user runs the DMG file, it installs the appropriate software but adds a little extra – some malware of the CIA’s choosing.  But then – and this is the interesting part – it then unbinds the malware payload from the DMG file so that the next time it is used to install the product, all that user gets is the actual software.  Achilles generates what is called a one time payload.  This dramatically reduces the probability of being detected.  What this does not do is give you a way of getting the malicious package onto the target system.  That has to be done using a different tool.

Tool number two is called Aeris and that is for Linux or POSIX systems.  It runs on a variety of Linux or POSIX systems including Debian, Red Hat, Solaris, FreeBSD and CentOS.  This particular part of the hacking ecosystem is designed to exfiltrate data from the target system over an encrypted channel.  Collecting the data is left for some other tool in the toolbox.

Tool number three is called SeaPea and targets Mac OS X systems.  It is a rootkit, meaning that it is likely undetectable by normal anti-malware software and it persists across reboots.  It can also hide files, open network connections and launch other malicious code.  It dates back several years and was designed to work with OS X Snow Leopard and Lion.  That, of course, does not mean that it hasn’t been updated work with newer versions but rather “dates” when this documentation was stolen.

What this means is that, not surprisingly, the CIA wants to be able to hack any operating system – they are not counting on users running any OS in particular.

While the CIA folks are good, they are likely on par with other spy organizations – sometimes better than some and sometimes not as good as others.  We should assume that the other folks, both good and bad – Russia, China, Ukraine as well as Germany, England and Israel, for example – have similar abilities.

Given the continuing dribbling of software and documentation over months, it seems likely that Wikileaks is not done yet and will likely leak more.  What we don’t know is how much of the CIA’s hacking arsenal this is.  Is it 5 percent or 50 percent?  25 percent or 75 percent.  We don’t know and likely never will know.  My GUESS (and hope) is that it is on the lower range of possible percentages, but who knows.

What this does mean is that there is likely a huge number of security holes in a whole range of operating systems that have not been patched – ones that both the good guys and the bad guys are exploiting.  While I am not so concerned about the good guys, I am VERY concerned about the bad guys.

Information for this post came from Bleeping Computer.

by