Vault7: CIA Hacking Tools Revealed
Navigation: » Latest version
Owner: User #3375506
Caterpillar
Caterpillar Design
Requirements
Refer to Caterpillar v1.0 User Requirements Document (URD) IMIS: 2014-0638 Revision K January 30, 2014.
Use cases
Use Case 0: Operator exfiltrates a file.
Use Case 1: Operator exfiltrates arbitrary bytes of a file.
Use Case 2: Operator exfiltrates a glob.
Use Case 3: Operator resumes an aborted exfiltration.
Public interfaces
Low-side client
WinShell interface
TBD.
ICE interface
Will implement the Fire and Forget mode.
High-side postprocessor
TBD.
Compile-time parameters
Low-side client
Name | Type | Description | Default |
---|---|---|---|
ticks_per_packet | Integer | Amount to increment RTP timestamp | 1000 |
High-side postprocessor
TBD.
Runtime parameters
Low-side client
A resource will convey runtime parameters.
Name | Type | Description | Default |
---|---|---|---|
subject_globs | String[] | Absolute filenames with globbing, supporting environment variables |
C:\data.txt |
caterpillar_chunksize | Unsigned Integer | Outer Caterpillar subject chunk size (B) | 1045876 (1 MB) |
caterpillar_packetsize | Unsigned Integer | Maximum Size of RTP payload (B) | ??? |
exfiltration_rate | Unsigned Integer | Bits per second | 1045876 (1 Mbps) |
state_filename | String | Absolute filename to persist state, supporting environment variables | C:\state.txt |
instance_identifier | Unsigned Integer | Deconflicts concurrent sessions | 0 |
begin_index | Signed LongLong | Subject begin offset (modulo filesize, inclusive, B) | 0 |
end_index | Signed LongLong | Subject end offset (modulo filesize, inclusive, B) | -1 |
destination_ip | String | Destination IP | 192.168.100.100 |
High-side postprocessor
TBD.
Exfiltration algorithm
- Open or initialize state file.
- Open UDPUser Datagram Protocol socket.
- Iterate over subject globs.
- Iterate over subject glob members.
- Consult state file.
- If new subject file, create an entry in the state file and set START_CHUNK to 0.
- If previously completed subject file, break.
- If previously attempted subject file, set START_CHUNK to last sent chunk + 1.
- Generate file metadata.
- Virtually prepend file metadata to subject file.
- Iterate over chunks of enhanced subject file, beginning at START_CHUNK.
- Generate chunk metadata.
- Virtually prepend chunk metadata to chunk.
- Raptor the enhanced chunk, receiving one or more raptor packets in return.
- Iterate over raptor packets.
- Generate packet metadata.
- Virtually prepend packet metadata to packet.
- Generate RTP header.
- Virtually prepend RTP header to enhanced packet.
- Determine actual exfiltration rate.
- Pause until actual falls below provisioned exfiltration rate.
- Send covered, enhanced packet via UDPUser Datagram Protocol socket.
- Increment last sent chunk for this subject file in state file.
- Mark subject file complete for this subject file in state file.
- Consult state file.
- Iterate over subject glob members.
- Close state file.
Packet format
The Caterpillar low-side client will prepare a packet comprising an RTP header, packet metadata and raptored chunk metadata, file metadata and subject payload.
Basic strategy
given SUBJECT_FILE
ENHANCED_SUBJECT_FILE = FILE_METADATA(SUBJECT_FILE) + SUBJECT_FILE
CHUNKS = CHUNK(ENHANCED_SUBJECT_FILE)
ENHANCED_CHUNKS[i] = CHUNK_METADATA(CHUNKS[i]) + CHUNKS[i]
PACKETS[i] = RAPTOR(ENHANCED_CHUNKS[i])
ENHANCED_PACKETS[i][j] = PACKET_METADATA(PACKETS[i][j]) + PACKETS[i][j]
COVERED_PACKETS[i][j] = RTP_HEADER + ENHANCED_PACKETS[i][j]
subject file |
||||||||||||||
file |
subject file |
|||||||||||||
chunk 0 |
... | chunk k |
||||||||||||
chunk 0 metadata |
chunk 0 | ... | chunk |
chunk k |
||||||||||
packet 00 |
... | packet 0m |
... | packet k0 |
... | packet km |
||||||||
packet 00 metadata |
packet 00 |
... | packet 0m metadata |
packet 0m |
... | packet k0 metadata |
packet k0 |
... | packet km metadata |
packet km |
||||
RTP |
packet 00 metadata |
packet 00 |
... | RTP header |
packet |
packet 0m |
... | RTP header |
packet k0 metadata |
packet k0 |
... | RTP header |
packet km metadata |
packet km |
The purpose of the RTP encapsulation is deception. We use 53 for the payload type because it is in the middle of the longest series of unassigned values. The complete list is: [20, 24], 27, 29, 30, [35, 71] and [77, 95].
Offset (b) | Length (b) | Name | Value |
---|---|---|---|
0 | 2 | Version | 2 |
2 | 1 | Padding | 0 |
3 | 1 | Extension header present | 0 |
4 | 4 | Contributing source (CSRC) count | 0 |
8 | 1 | Marker | 0 |
9 | 7 | Payload type | 53 |
16 | 16 | Sequence number | 1-up counter |
32 | 32 | Timestamp | ticks_per_packet-up counter |
64 | 32 | Synchronization source (SSRC) | 0x00000000 |
96 | CSRC count * 32 | CSRC list | N/A |
96 + CSRC count * 32 | variable | Extension header | N/A |
The purpose of the packet metadata is to document the chunk reassembly. File ID is a hash of the file name.
Offset (B) | Length (B) | Name |
---|---|---|
0 | 4 | Instance ID |
4 | 4 | File ID |
8 | 4 | Chunk ID |
The purpose of the chunk metadata is to document the file reassembly. File ID is a hash of the file name.
Offset (B) | Length (B) | Name |
---|---|---|
0 | 4 | Instance ID |
4 | 4 | File ID |
8 | 8 | File size |
16 | 8 | Chunk begin index (inclusive) |
24 | 8 | Chunk end index (inclusive) |
The purpose of the file metadata is to document the operation.
Offset (B) | Length (B) | Name |
---|---|---|
0 | 4 | Instance ID |
4 | 8 | Exfiltration time (Windows File Time format) |
12 | 8 | File begin index (inclusive) |
20 | 8 | File end index (inclusive) |
28 | 4 | File name size (in bytes) |
32 | Variable | File name (utf-8 encoded) |
Globbing
Globbing is pattern-matching based on wildcard characters; it is not a regular expression capability. Globbing operators are not standardized: Caterpillar will use the WinAPI implementation of globbing, specifically calls to FindFirstFile() and FindNextFile().
Obfuscating the metadata
We considered symmetric-key XOR, RC4 and AESAdvanced Encryption Standard techniques for obfuscating the metadata. The first iteration will use XOR with an eight bit symmetric key, and we can upgrade to a stronger mechanism in a later iteration. This capability cannot be considered encryption because the key is present in the low-side client.