Vault7: CIA Hacking Tools Revealed
Component Library
The UMBRAGE team maintains a library of application development techniques borrowed from in-the-wild malware. The goal of this repository is to provide functional code snippets that can be rapidly combined into custom solutions. Rather than building feature-rich tools, which are often costly and can have significant CI value, this effort focuses on developing smaller and more targeted solutions built to operational specifications.
This page organizes the collection by functionality and captures relevant technical information. When possible, each item should include a working example of the technique (and/or a pointer to code in the SVN repository), documentation describing application of the technique, and notes concerning our use of these techniques in delivered tools.
Data Collection Components
Component | Reuse | Source
---|---|---
DirectInput Keylogger | None | Known Malware
Internet Explorer Password Collection | None | Known Malware
SetWindowsHookEx WH_KEYBOARD and WH_KEYBOARD_LL Key Logger | UNKL 1.0/2.x | Known Malware
Webcam Capture | None | Known Malware/Public Samples
Windows API Keyloggers | None | Known Malware
Data Destruction Components
Component | Reuse | Source
---|---|---
Wiped Locked Files | Rebound 1.0 | Shamoon
Persistence Components
Component | Reuse | Source
---|---|---
Image File Execution Options | None | (Autoruns)
OCI.DLL Service Persistence | None | HiKit Rootkit
Shell Extension Persistence | Stepstool | Public Source Sample
Windows FAX DLL Injection | Sandshark, UNKL | Known Malware
Privilege Escalation Components
Component | Reuse | Source
---|---|---
Elevated COM Object UAC Bypass (WIN 7) | Sandshark | Public Sample
PSP/Debugger/RE Avoidance Components
Component | Reuse | Source
---|---|---
Anti-Sandboxing: Wait for Mouse Click | None | Upclicker
API Memcpy | None | Known Malware (Nuclear Exploit Pack)
Debug Print Debugger Detection | None | Public Source Examples, FineReader
MBR File Handle | StolenGoods | Known FIO Tool
Process Hollowing | None | Known Malware