Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
2 Key Features
Close Access Installation
The EXTENDING implant can be installed using a Close Access method. The
EXTENDING installer is loaded onto a USB stick. This USB stick is then inserted into the
target SAMSUNG F Series TV, and the installer is run. The installer deploys the implant
and Settings file onto the TV. EXTENDING begins to run when the TV is next powered on.
Close Access Uninstall
The EXTENDING implant can be uninstalled either by Close Access installation, or at a
pre-configured time. To remove by Close Access, a USB stick must be loaded with a
certain file, containing a certain string, as set in the configuration file. When this USB is
inserted into the TV, the implant uninstalls.
Close Access Audio File Retrieval
The EXTENDING implant can exfiltrate audio files to a USB stick. To exfiltrate files by
Close Access, a USB stick must be loaded with a certain file, containing a certain string, as
set in the configuration file. When this USB is inserted into the TV, files are copied onto it.
Remote Audio File Retrieval
The EXTENDING implant can exfiltrate audio files over a Wi-Fi hotspot. To exfiltrate files
over a Wi-Fi hotspot, the hotspot must be set up within range of the TV with a
pre-configured SSID, set in the config file. Files are then exfiltrated over this Wi-Fi network to a
server as configured in the configuration file.
Live Audio Listening
The EXTENDING implant also exfiltrates audio over a Wi-Fi hotspot, to a Live Listening
Tool, running on a laptop. The Live Listening Tool can save files locally to disk as well as
play the received audio through the speakers.
Fake-off Recording
EXTENDING will continue to record audio, even whilst the TV appears to be off. This is
achieved by intercepting the command for the TV to switch off and turning off the TV
screen, leaving the processor running.