WikiLeaks: CIA’ CouchPotato Tool Remotely Collects Video Streams

WikiLeaks has released yet another CIA hacking tool as part of its Vault 7 series documents belonging to the American Central Intelligence Agency (CIA). This time, the whistleblowing platform has leaked the “User Guide for the CoachPotato project” of the agency work of which is to hack and obtain RTSP/H.264 video streams and still images remotely.

WikiLeaks: CIA' CouchPotato Tool Remotely Collects Video Streams

The project CouchPotato is different from Dumbo project details of which were released by WikiLeaks according to which CIA needs physical access to hack webcams on a targeted device. But in CouchPotato’s case, everything is done remotely.

According to the leaked documents:

“CouchPotato is a remote tool for collection against RTSP/H.264 video streams. It provides the ability to collect either the stream as a video file (AVI) or capture still images (JPG) of frames from the stream that is of significant change from a previously captured frame. CouchPotato utilizes FFmpeg for video and image encoding and decoding as well as RTSP connectivity. In order to minimize the size of the DLL binary, many of the audio and video codecs along with other unnecessary features have been removed from the version of FFmpeg that CouchPotato is built with. pHash, an image hashing algorithm, has been incorporated into FFmpeg’s image2 demuxer to provide image change detection capabilities. CouchPotato relies on being launched in an ICE v3 Fire and Collect compatible loader.”

A look at CouchPotato’s 11 pages user guide shows it is dated back to February 2014 and utilizes FFmpeg software. It is a free software project that produces libraries and programs for handling multimedia data. The agency uses the software for video and image encoding and decoding as well as RTSP connectivity.

”CouchPotato targets Windows OS”

The documents only detail about version CouchPotato 1.0, therefore, it is unclear if there is a version 2 out there or not. However, it uses a massive amount of CPU from a targeted device making the victim somewhat suspicious.

According to the user guide’s page 11:

“CPU usage of the process that CouchPotato is injected into can potentially be high depending on the number CPUs/Cores available. In development and testing, it was observed that on a Windows 7 64-bit VM allocated just one CPU core, the process that CouchPotato was injected into was using between 50-70% of available CPU while capturing images of significant change. Memory usage was between 45-50MB.”

Like previous CIA’s tools released by WikiLeaks, CouchPotato also targets devices using Windows operating system.

Vault 7 documents previously leaked by Wikileaks:

BothanSpy and Gyrfalcon: Steals SSH credentials from Linux & Windows devices
OutlawCountry and Elsa: Malware targeting Linux devices and tracking user geolocation
Brutal Kangaroo: CIA hacking tools for hacking air-gapped PCs
Cherry Blossom: CherryBlossom & CherryBomb: Infecting WiFi routers for years
Pandemic: A malware hacking Windows devices
AfterMidnight and Assassin: CIA remote control & subversion malware hacking Windows
Dark Matter: CIA hacking tool infiltrating iPhones and MacBooks
Athena: A malware targeting Windows operating system
Archimedes: A program helping CIA to hack computers inside a Local Area Network
HIVE: CIA implants to transfer exfiltrated information from target machines
Grasshopper: A malware payloads for Microsoft Windows operating systems
Marble: A framework used to hamper antivirus companies from attributing malware
Dark Matter: A CIA project that infects Apple Mac firmware
Highrise: An Android malware spies on SMS Messages
Aeris, Achilles, SeaPea: 3 malware developed by CIA targeting Linux and macOS
Dumbo Project: CIA’s project hijacking webcams and microphones on Windows devices.

Related Posts