Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//ORCON//NOFORN
5.1 Transports
Assassin may be configured to communicate using one or more transports. A
transport configuration consists of a listening post, a try value, a communication
protocol, and protocol-specific options.
The Implant is configured with an ordered list of transports. The Implant will
attempt to beacon using a transport the configured number of tries before
switching to the next transport in the list, or the first if the list has been
exhausted.
HTTPS
Assassin supports communication over the Hypertext Transfer Protocol Secure
(HTTPS). The Implant communicates with the listening post via GET and POST
requests using the WinInet API. User agent strings identify the Implant
communications as originating from a Mozilla Firefox browser.
Port Customization
The HTTPS transport allows the operator to select the TCP port on the
listening post to which the Implant should attempt to connect. HTTPS traffic is
typically directed at a web server’s port 443.
URL Randomization
The HTTPS transport randomizes the URL used during Implant
communications, including both the path and filename components.
The path of the URL is randomized by selecting one of a set of path
components provided in the transport configuration. If no path components
are provided, a path is randomly generated from between three and eight
alphanumeric characters.
The filename of the URL is an encoded string of at least sixteen alphanumeric
characters that is composed of the Implant ID and a nonce used to obfuscate
the ID.
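
A triage heuristic built from the URL shape described above, for records from a TLS-inspecting proxy; it is an added example, not part of the original document. The record layout, hostnames, and threshold are assumptions, as is reading the filename as the last of at least two path segments with no extension.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Filename: sixteen or more alphanumerics (assumed: no extension).
FILENAME_RE = re.compile(r"^[A-Za-z0-9]{16,}$")
# Fallback path when no path components are configured: 3 to 8 alphanumerics.
# Weak on its own, since ordinary directory names also match.
RANDOM_PATH_RE = re.compile(r"^[A-Za-z0-9]{3,8}$")

FIREFOX_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:115.0) "
              "Gecko/20100101 Firefox/115.0")
# Constructed sample records: (client, method, url, user_agent).
SAMPLE_LOG = [
    ("10.0.0.5", "GET", "https://lp.example.net/a9Xk2/Qm3ZxT81LpVb6Rw0Yc4N", FIREFOX_UA),
    ("10.0.0.5", "POST", "https://lp.example.net/a9Xk2/h7Gd2KsP0aWe9Tz5UuB1", FIREFOX_UA),
    ("10.0.0.5", "GET", "https://lp.example.net/Zt41/N8cV3bQ6mL0xR2yJ7kF5sD", FIREFOX_UA),
    ("10.0.0.7", "GET", "https://www.example.org/docs/index.html", FIREFOX_UA),
    ("10.0.0.7", "GET", "https://cdn.example.org/img/0123456789abcdef0123", "curl/8.0"),
]

def url_shape(url):
    """Return (host, filename, fallback_path) if the URL fits the shape, else None."""
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) < 2 or not FILENAME_RE.match(segments[-1]):
        return None
    fallback_path = len(segments) == 2 and bool(RANDOM_PATH_RE.match(segments[0]))
    return parts.hostname, segments[-1], fallback_path

def find_candidates(records, min_distinct=3):
    """List (client, host, distinct_filenames, fallback_path_hits) worth a closer look.

    A nonce in the filename means every request to the same host carries a
    different final segment, so distinct filenames per client/host pair is the signal.
    """
    names, fallback = defaultdict(set), defaultdict(int)
    for client, method, url, user_agent in records:
        if method not in ("GET", "POST") or "Firefox" not in user_agent:
            continue
        shape = url_shape(url)
        if shape:
            host, filename, fallback_path = shape
            names[(client, host)].add(filename)
            fallback[(client, host)] += fallback_path
    return sorted((c, h, len(f), fallback[(c, h)])
                  for (c, h), f in names.items() if len(f) >= min_distinct)

if __name__ == "__main__":
    for hit in find_candidates(SAMPLE_LOG):
        print(hit)
```

Long alphanumeric final segments also occur in legitimate traffic (tokens, content hashes), so treat the output as a shortlist to correlate with process and endpoint telemetry, not as a verdict.
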
Proxy Support
The HTTPS transport supports the optional use of proxy credentials for
communication. When a username and password are provided in the transport
configuration, they are used to authenticate to the network proxy during
communications over that transport.
WebDAV
Assassin supports communication over the Web-based Distributed Authoring and
Versioning (WebDAV) protocol. The Implant communicates with the listening post
by mounting the server as a share and copying files from the local to the remote
file system, or vice versa. The transfer of files between the local and remote file
systems is carried out by the Windows WebClient service.
OS Requirement