Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//NOFORN
1. (U) Scope
(S//NF) This document is the User Manual for Stolen Goods v2.0, a persistence method
for the Grasshopper installer. It provides a description of how Stolen Goods works, the
payloads Stolen Goods can persist, and how to use Stolen Goods with Grasshopper.
(S//NF) Stolen Goods 2.0 is fundamentally different from Stolen Goods 1.0. This user
guide will not include information about Stolen Goods 1.0. Please see the original Stolen
Goods 1.0 user guide for all 1.0 information. All information contained here is in
reference to Stolen Goods 2.0 only.
2. (U) Overview
2.1 (U) Stolen Goods Tool Description
(S//NF) Stolen Goods 2.0 (SG2) is a persistence module for Grasshopper based on
components from 3rd party malware. The components were taken from malware known
as Carberp, a suspected Russian organized crime rootkit. The source of Carberp was
published online, and has allowed AED\RDB to easily steal components as needed from
the malware. Most of Carberp was not used in Stolen Goods 2, specifically all the Bot
net/Comms components. The persistence method, and parts of the installer, were taken
and modified to fit our needs. All components taken from Carberp were carefully
analyzed for hidden functionality, backdoors, vulnerabilities, etc.
(S//NF) Stolen Goods 2 maintains persistence by installing custom Initial Program
Loader (IPL) code in the region that follows the Volume Boot Record (VBR, also known as
the Partition Boot Record or PBR). Using a series of function hooks, SG2 keeps control
through the Windows boot sequence until, at one point, it loads a stub driver into the
system so that its code continues to execute after the boot process has finished. The stub
driver borrows some ideas and components from the original Carberp source, but most of
the stub driver has been rewritten by RDB.
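The following is an added example for defenders, not part of the Stolen Goods manual and not code from Grasshopper or Carberp: a Python baseline check that parses an NTFS Volume Boot Record and compares the 16-sector $Boot region (the VBR in sector 0 plus the IPL sectors that follow it) against a known-good copy, reporting which sectors changed. The partition image, the patch routine that stands in for an installer rewriting IPL code, and all function names are constructed for this example.

```python
"""
Added example (not from the Stolen Goods manual): baseline comparison of the
NTFS VBR and the IPL sectors behind it, the region a VBR/IPL bootkit rewrites.
"""
import hashlib
import struct

SECTOR = 512
BOOT_SECTORS = 16  # NTFS $Boot: VBR in sector 0, IPL code in sectors 1..15


def parse_vbr(vbr: bytes) -> dict:
    """Validate an NTFS VBR and return the BPB fields the check needs."""
    if len(vbr) < SECTOR:
        raise ValueError("VBR shorter than one sector")
    oem_id = vbr[3:11]
    if oem_id != b"NTFS    ":
        raise ValueError(f"not an NTFS VBR (OEM ID {oem_id!r})")
    # Offset 0x0B: bytes per sector (u16 LE); offset 0x0D: sectors per cluster (u8)
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", vbr, 11)
    # Offset 0x1FE: boot signature 55 AA (reads as 0xAA55 little-endian)
    boot_sig = struct.unpack_from("<H", vbr, 510)[0]
    if boot_sig != 0xAA55:
        raise ValueError(f"bad boot signature 0x{boot_sig:04X}")
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
    }


def boot_region_hash(partition: bytes) -> str:
    """SHA-256 over the whole $Boot region (VBR + IPL), suitable for a baseline record."""
    bps = parse_vbr(partition[:SECTOR])["bytes_per_sector"]
    return hashlib.sha256(partition[: bps * BOOT_SECTORS]).hexdigest()


def changed_boot_sectors(partition: bytes, baseline: bytes) -> list:
    """Indices of $Boot sectors (0 = VBR, 1..15 = IPL) that differ from the baseline image."""
    bps = parse_vbr(partition[:SECTOR])["bytes_per_sector"]
    changed = []
    for i in range(BOOT_SECTORS):
        if partition[i * bps:(i + 1) * bps] != baseline[i * bps:(i + 1) * bps]:
            changed.append(i)
    return changed


def make_clean_partition() -> bytes:
    """Constructed sample: a minimal NTFS-looking $Boot region, not a real volume image."""
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xEB\x52\x90"          # jmp short + nop, as at the start of a real NTFS VBR
    vbr[3:11] = b"NTFS    "
    struct.pack_into("<HB", vbr, 11, 512, 8)
    vbr[510:512] = b"\x55\xAA"
    # Deterministic filler standing in for the 15 IPL sectors of bootstrap code
    ipl = bytes((i * 7) & 0xFF for i in range(SECTOR * (BOOT_SECTORS - 1)))
    return bytes(vbr) + ipl


def patch_boot_sector(partition: bytes, sector: int, payload: bytes, offset: int = 0) -> bytes:
    """Constructed tampering: overwrite part of one $Boot sector, standing in for an
    installer that replaces IPL code. Only used to exercise the check."""
    bps = parse_vbr(partition[:SECTOR])["bytes_per_sector"]
    start = sector * bps + offset
    out = bytearray(partition)
    out[start:start + len(payload)] = payload
    return bytes(out)


if __name__ == "__main__":
    baseline = make_clean_partition()
    print("baseline $Boot hash:", boot_region_hash(baseline))
    print("clean image differs in sectors:", changed_boot_sectors(baseline, baseline))
    tampered = patch_boot_sector(baseline, 1, b"\x90" * 8)   # hook planted in first IPL sector
    print("tampered image differs in sectors:", changed_boot_sectors(tampered, baseline))
```

Two caveats when running this against a real machine. First, the baseline must come from the same volume, because the VBR's BIOS parameter block carries volume-specific values (total sectors, serial number), so a generic "known-good NTFS VBR" will always differ. Second, read the sectors from a trusted environment such as offline boot media rather than from the live system: a bootkit that hooks the disk stack can present the original sectors to any tool that reads through the running kernel.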
(S//NF) SG2 is able to persist two different payloads at once: a DLL payload (GH1 or
Persistence Spec compliant) and a driver payload (JediMindTricks/AncientProtector
specifically). The driver payload does not//not need to be signed at all, even on 64-bit
Windows systems.
2.2 (U) Dependencies
(S//NF) SG2 requires Grasshopper for configuration and installation. This document
assumes the user has a working Grasshopper build (along with all of Grasshopper's
dependencies).
(S//NF) SG2 can also be launched through a kernel shellcode install module included in
the latest version of ShellTerm (2.8+). This installation method is easier to configure
than Grasshopper, but does not contain many of the safety checks