WikiLeaks recently leaked some files as part of its Vault 7 series, that contained user manuals for two malware called, Assassin and AfterMidnight. According to the documents, these viruses belong to the CIA.
— WikiLeaks (@wikileaks) May 12, 2017
What is AfterMidnight?
Unlike the recent NSA tool used in the WannaCry attacks, AfterMidnight is somewhat harmless and does not include major privacy breaches. As per the user manual, AfterMidnight acts as a DDL file which executes itself while the user’s PC is rebooting. It then establishes a connection with its command-and-control center from which it downloads various modules to execute.
According to the documents, AfterMidnight has three modules which it downloads on an infected device. One is the module that enables data exfiltration. Another module is used for software subversion while the last module acts as an enabler of all the other modules along with providing internal services.
Among these, the module which subverts software is perhaps the most annoying for users. This is because the module has the capability of killing or delaying processes and has configurations that are executed in a very controlled manner, designed to prompt the user to do certain tasks.
For instance, the manual included instructions on how an attacker can develop the malware and affect a user’s browser so that he or she cannot work on it. This means that by preventing the user from using their browsers, they will be forced to work on other applications and in the meanwhile, AfterMidnight can keep gathering relevant information.
Another functionality of AfterMidnight is rather amusing as it allows the operator to block around 50% of the resources in Microsoft PowerPoint. What is more interesting is the wording used in the user manual which implies that people using PowerPoint deserve it.
What is Assassin?
AfterMidnight’s counterpart, the Assassin, is a malware that acts more like a backdoor Trojan. Essentially, the malware has a builder, an implant, a command-and-control center along with a listening post. The implant lets the malware collect and exfiltrates data on a PC running Windows.
Also, according to the leaked documents, the CIA stated that the malware would not store more than 16,384 files so as to stop the malware from being overused. It is, therefore, a sort of a cyber espionage malware that allows the CIA to spy on users.
It is no surprise that government agencies have software that can effectively affect civilians. However, what is more, troubling is the fact that these agencies have not been able to protect such data which can potentially harm a number of users if gone into the wrong hands.
Since the WannaCry incident, agencies should be more cautious and should implement proper procedures to safeguard their confidential pieces of software.
DDoS attacks are increasing, calculate the cost and probability of a DDoS attack on your business with this DDoS Downtime Cost Calculator.