The sensational news about the leaked CIA archive was mostly presented in the context of what the US intelligence service could overhear, spy on and learn about us through phones, computers and even televisions. Here we look at one of its projects with the unusual name Rain Maker. It is a set of utilities for the covert collection of information from a target computer that is not connected to the Internet. The agent receives a specially prepared USB flash drive containing music and a portable VLC player, plugs it into the victim's computer and quietly listens to modern hits. When finished, the agent hands the flash drive, with encrypted data hidden on it, to a coordinator, who forwards it to the center for decryption. How is this implemented technically?
* Image from the CIA archive for this project. The agents have a sense of humor, too!
Running malware
Let's skip the stage of specially preparing the flash drive (we will come back to it a little later) and start with what happens when the user launches vlc.exe from this media.
First of all, the player reads its XML manifest to find out whether any additional dependencies need to be loaded. The manifest lists the supposedly standard library psapi.dll (Process Status Application Programming Interface), but what actually gets loaded is a stub of the same name, which forwards requests to the original library. Besides this forwarding role, the stub decides whether to activate the main spyware functionality or to stay dormant. To do so, it verifies that the file was launched from the "prepared" flash drive and not from some other media, by comparing a hard-coded volume serial number with the serial number of the volume the program is running from. Thus the "spy" will not reveal itself if it is copied somewhere else.
How persistence is provided
This example is also interesting because the CIA has extensive experience in loading payloads and ensuring persistence. There is no need to work out how to do this every time: there is a special library and even recommendations on how to make the malware resistant to detection. For example, the advice is to use the standard LoadLibrary function for loading libraries, and the loader must correctly handle all exit statuses as documented on MSDN. Following such rules takes time, and it happens that blackhat developers simply ignore such things.
Attacks of this type are nonetheless known. A description of the principle behind such a DLL side-by-side attack is available here. There is a chance that, if the real file of this software ended up in a sandbox, it would be exposed. However, there is still the human factor: would the administrator pay attention to the sandbox's recommendation?
If the DLL stub was launched from the correct media, it converts the volume serial number into an AES key, decrypts the main Rain Maker DLL and loads it in a separate thread inside the main VLC process. The stub also creates a mutex in the OS so that the main payload does not start several times, avoiding errors in its operation.
Data collection
The newly decrypted payload, which appeared "out of nowhere", checks how long it has been since it last ran on this computer: it requests the computer name and the current time and compares the MD5 hash of the name with the ones it has saved. If fewer than 7 days have passed, the program does not search the computer for new files; if it has never run here or has not run for a long time (7 or more days), it proceeds to the next steps. The program stores information covertly in NTFS alternate data streams. This technique is not new, but it is effective, especially since the CIA has apparently already written libraries for working with them: the developer only needs to link the library in advance and call the correct function, DTNtfsAds_BK(wchar_t * filenameToAppendADS), without having to think about how to use ADS. This is confirmed once again by the simplicity of the beginners' guide. The data is written to the stream [flash_drive_letter]:\:$DataIdN.
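One defensive check a practitioner could run on a suspect flash drive, written here as an added example rather than code from the article or the leaked archive: it enumerates alternate data streams on the volume root and flags names of the $DataIdN form, and it also looks for the psapi.dll-beside-vlc.exe layout described above. It assumes PowerShell 3 or later on Windows; the function name Find-RainMakerTraces is my own.

```powershell
# Added example, not from the leaked Rain Maker material: defensive triage of a
# removable volume. Assumes PowerShell 3+ on Windows; the stream name pattern
# "$DataIdN" and the side-loaded psapi.dll next to vlc.exe come from the article.
function Find-RainMakerTraces {
    param(
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[A-Za-z]$')]
        [string]$DriveLetter
    )
    $root = "${DriveLetter}:\"
    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Alternate data streams attached to the volume root directory. Nothing
    #    legitimate normally lives there, so any stream (and especially one named
    #    $DataId<n>) deserves a closer look.
    $streams = @()
    try {
        $streams = @(Get-Item -LiteralPath $root -Stream * -ErrorAction Stop |
                     Where-Object { $_.Stream -ne ':$DATA' })
    } catch { }   # the provider reports "no streams" as an error on some builds
    foreach ($s in $streams) {
        if ($s.Stream -match '^\$DataId\d+$') { $flag = 'matches $DataIdN container name' }
        else                                  { $flag = 'unexpected stream on volume root' }
        $findings.Add([pscustomobject]@{
            Type = 'RootADS'; Path = "${root}:$($s.Stream)"; Bytes = $s.Length; Flag = $flag })
    }

    # 2. psapi.dll is a System32 library; a copy sitting beside a portable vlc.exe
    #    is the side-loading layout the article describes.
    $players = @(Get-ChildItem -LiteralPath $root -Recurse -Filter vlc.exe -File `
                 -ErrorAction SilentlyContinue)
    foreach ($exe in $players) {
        $dll = Join-Path $exe.DirectoryName 'psapi.dll'
        if (Test-Path -LiteralPath $dll) {
            $findings.Add([pscustomobject]@{
                Type = 'SideLoadDLL'; Path = $dll
                Bytes = (Get-Item -LiteralPath $dll).Length
                Flag = 'psapi.dll shipped next to vlc.exe (expected only in System32)' })
        }
    }
    return $findings
}

# Usage: point it at the mounted flash drive and review what comes back.
$hits = Find-RainMakerTraces -DriveLetter 'E'
if ($hits.Count -eq 0) { 'No root ADS or side-loaded psapi.dll found.' }
else { $hits | Format-Table -AutoSize }
```

A hit on either check is a lead for forensic imaging of the drive, not proof by itself; a legitimate portable build could also carry its own DLLs.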
Once the program has determined that there is enough free disk space so that the flash drive does not overflow and the agent's music listening is not disturbed, it starts collecting files according to the configuration baked into it. For example, the package could be configured before deployment as follows:
RainMakerConfigurator.exe -t TargetDirectories.txt -e *.docx;*.doc;*.xls;*.xlsx;*.pdf; -f 23 -vlc E:\vlc-2.1.5\vlc.exe -r plugins\access\customplugins.dat -p RainMaker_PubKey.pem
Where:
-t TargetDirectories.txt - a list of directories on the target computer in which to look for files
-e *.docx;*.doc;*.xls;*.xlsx;*.pdf - the types of files to copy
-f 23 - the percentage of free space that must remain on the flash drive
-vlc E:\vlc-2.1.5\vlc.exe - the VLC executable into which the malware is stitched
-r plugins\access\customplugins.dat - the storage location of the encrypted data container
-p RainMaker_PubKey.pem - the path to the certificate whose public key protects the data in the container until the media is returned to the CIA and decrypted with the private key, which is not issued to the agent.
Summary
Thus, the information about which files were collected and what they contain stays sealed until decryption, so it is not exposed if the media falls into the wrong hands or its data is copied to another medium. Most likely, this attack vector was used to gather information in closed networks with no Internet access. Unfortunately, there is no way to verify the truthfulness of the data published in the WikiLeaks archive, especially since nobody has published the tool's source code, but the description of the attack scenario from the "internal CIA portal" looks quite plausible and should be regarded as a real means of penetrating such specific targets.
Yuri Sergeyev, Jet Information Systems Information Security Center.