WikiLeaks Reveals Athena, CIA Malware Targeting All Windows Versions
As if the WannaCry ransomware, built on a vulnerability stolen from the NSA, wasn’t enough, this weekend WikiLeaks revealed an implant used by the CIA against every Windows version in circulation and capable of taking control of the targeted system.
Codenamed Athena, the CIA project can compromise any Windows version on the market, from Windows XP through Windows 10, giving operators capabilities such as loading additional malware and reading or writing local files, including dropping data onto the target’s drives.
“Once installed, the malware provides a beaconing capability (including configuration and task handling), the memory loading/unloading of malicious payloads for specific tasks and the delivery and retrieval of files to/from a specified directory on the target system. It allows the operator to configure settings during runtime (while the implant is on target) to customize it to an operation,” WikiLeaks says.
In practice, this means the CIA can take full control of a Windows system, retrieve any data from the target computer and upload it to its own servers.
Athena was created in August 2015, which means the CIA had the malware in hand only a month after the launch of Windows 10 in July of the same year.
Bypassing antivirus software
The malware wasn’t developed by the CIA alone, but in collaboration with a US-based company called Siege Technologies, which describes itself as a cyber security company focused on “offensive cyberwar technologies.”
Project Athena was designed from the outset to bypass antivirus software; the CIA documentation references several widely used antivirus products which, according to the agency, cannot block the implant.
“The installation will hijack the DNS cache service,” the user manual of Athena reveals. “On Windows 7 and 8, this service is running in a netsvcs instance by default but on Windows 8.1 and Windows 10, this service runs as Network Service. The Network Service user context has reduced security capability on the system. Due to srvhost implementation, the service will only run in the netsvcs context at next reboot. To account for this deficiency and still provide immediate execution after installation, the existing service will run as Network Service until next reboot at which time the System user netsvcs will be engaged.”
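The manual excerpt above describes the implant taking over the Windows DNS Client service (“Dnscache”) and shifting it between the netsvcs svchost group and the Network Service context. The following PowerShell script is an added defensive example, not code from the article or from the leaked Athena documentation: it audits the Dnscache service configuration for signs that the hosted DLL or its svchost group has been altered. It assumes (beyond what the page states) that the stock service DLL is %SystemRoot%\System32\dnsrslvr.dll signed by Microsoft and that svchost group membership is recorded under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost. Note that the service legitimately runs as Network Service on Windows 8.1 and 10, so the account alone is not a useful indicator; the DLL path and signature are.

```powershell
# Added example (not from the article or the leaked documentation).
# Audit the Windows DNS Client service ("Dnscache") for configuration tampering.
# Assumptions not stated on the page: the stock ServiceDll is
# %SystemRoot%\System32\dnsrslvr.dll, Microsoft-signed, and svchost group
# membership lives under the Svchost registry key. Run from an elevated prompt.

$svcKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache'
$paramKey    = "$svcKey\Parameters"
$svchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$expectedDll = Join-Path $env:SystemRoot 'System32\dnsrslvr.dll'   # assumption

$findings = @()

# 1. Service account and command line (Network Service is normal on 8.1/10).
$svc = Get-CimInstance Win32_Service -Filter "Name='Dnscache'"
if (-not $svc) { throw 'Dnscache service not found' }
"Dnscache runs as '$($svc.StartName)' via: $($svc.PathName)"
if ($svc.PathName -notmatch '\\svchost\.exe\s+-k\s+') {
    $findings += "Unexpected ImagePath (not hosted by svchost.exe): $($svc.PathName)"
}

# 2. The hosted DLL must be the stock resolver DLL ...
$dll = (Get-ItemProperty -Path $paramKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
$dllExpanded = [Environment]::ExpandEnvironmentVariables("$dll")
if ($dllExpanded -ne $expectedDll) {
    $findings += "ServiceDll points elsewhere: '$dll' (expected '$expectedDll')"
}

# 3. ... and it must carry a valid Microsoft Authenticode signature.
if ($dllExpanded -and (Test-Path -LiteralPath $dllExpanded)) {
    $sig = Get-AuthenticodeSignature -FilePath $dllExpanded
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        $findings += "ServiceDll signature not valid/Microsoft: $($sig.Status) $($sig.SignerCertificate.Subject)"
    }
    "ServiceDll last write: $((Get-Item -LiteralPath $dllExpanded).LastWriteTimeUtc) UTC"
} else {
    $findings += "ServiceDll file missing on disk: '$dllExpanded'"
}

# 4. The manual describes moving the service between the netsvcs group and its
#    own Network Service context. Compare the '-k' group named in the ImagePath
#    with the groups that actually list Dnscache in the Svchost registry key.
$groupFromPath = if ($svc.PathName -match '-k\s+(\S+)') { $Matches[1] } else { $null }
$svchost  = Get-ItemProperty -Path $svchostKey
$memberOf = $svchost.PSObject.Properties |
    Where-Object { $_.Value -is [string[]] -and $_.Value -contains 'Dnscache' } |
    Select-Object -ExpandProperty Name
"Dnscache listed in svchost groups: $($memberOf -join ', '); ImagePath group: $groupFromPath"
if ($groupFromPath -and $memberOf -notcontains $groupFromPath) {
    $findings += "ImagePath group '$groupFromPath' does not list Dnscache in the Svchost key"
}

if ($findings.Count -eq 0) { 'No anomalies found in Dnscache configuration.' } else { $findings }
```

A clean system prints the account, command line and group membership and reports no anomalies; any finding (a ServiceDll outside System32, an unsigned or non-Microsoft DLL, or a group mismatch) is worth correlating with process-creation and registry-write telemetry for the Dnscache service key rather than treated as proof on its own.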
At this point, it’s not clear if Microsoft has already delivered patches against the exploit, but we’ve reached out to the company to ask for more information. Neither Microsoft nor the CIA released comments on the latest leak published by WikiLeaks.
By Bogdan Popa