Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//ORCON//NOFORN
be ≥ Interval
Interval       0 min    Time between task executions over the Duration time period
Kill At End    False    Whether the Task Scheduler should terminate the task at the end of Duration
Start Now      True     Whether the task should be started immediately
3 Payload Execution
Whenever Bermuda's scheduled task is triggered, the Windows Task Scheduler executes the task executable as SYSTEM. What the task executable is and what it does depends on the payload type. Bermuda supports three kinds of payload: EXE, DLL, and GH1.
3.1 EXE
If the payload is an EXE, Bermuda uses the payload itself as the task executable. The Windows Task Scheduler starts the payload directly, optionally passing command-line arguments.
An EXE payload is responsible for deleting itself from the target. Bermuda does not remove the scheduled task in this case: the task stays registered even after the payload it points to is gone.
3.2 DLL
If the payload is a DLL, Bermuda deploys a stub as the task executable. During installation, the stub is configured with the path to the payload and the name of the task that starts it. When the Task Scheduler executes it, the stub loads the payload DLL.
If the stub cannot locate or start the payload, it uninstalls. During uninstallation, Bermuda deletes the payload, removes the scheduled task, and self-deletes the stub.
A DLL payload is responsible for deleting itself from the target; once it is gone, the stub fails to locate it on its next scheduled run, which triggers uninstallation.
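The following is an added example and is not part of the Bermuda manual or its code. It triages exported Windows Task Scheduler XML definitions for the artefact pattern sections 3 through 3.2 describe: a task running as SYSTEM, repeating on an Interval over a Duration (the parameter table above appears to map onto the XML Repetition element, with StopAtDurationEnd taken as the counterpart of Kill At End; that mapping is an assumption), launching an executable from a user-chosen path, and, per section 3.1, possibly left registered after its EXE payload has deleted itself. The SYSTEM identifier list, the trusted-directory prefixes and both task definitions are constructed assumptions.

```python
"""Triage Windows Task Scheduler definitions for the pattern the manual describes:
a task that runs as SYSTEM, repeats on an Interval over a Duration, and launches an
executable from an arbitrary user-chosen path.

Added example, not Bermuda's own code.  Task definitions live under
C:\\Windows\\System32\\Tasks\\ as XML and can be exported with
`schtasks /query /xml /tn <name>`; the two definitions below are constructed so the
script runs offline.  TRUSTED_DIRS, SYSTEM_IDS and the Repetition mapping are assumptions.
"""
import os
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Spellings of LocalSystem seen in task XML (assumption: not exhaustive).
SYSTEM_IDS = {"S-1-5-18", "SYSTEM", "NT AUTHORITY\\SYSTEM", "LOCALSYSTEM"}

# Where a SYSTEM task is ordinarily expected to run from (assumption; tune per estate).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_task(xml_text):
    """Pull principal, repetition settings and Exec actions out of one task XML."""
    root = ET.fromstring(xml_text)

    def text(path):
        el = root.find(path, NS)
        return (el.text or "").strip() if el is not None else ""

    actions = []
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = ex.find("t:Command", NS)
        args = ex.find("t:Arguments", NS)
        actions.append({
            "command": (cmd.text or "").strip() if cmd is not None else "",
            "arguments": (args.text or "").strip() if args is not None else "",
        })
    return {
        "user": text(".//t:Principals/t:Principal/t:UserId"),
        "run_level": text(".//t:Principals/t:Principal/t:RunLevel"),
        # Interval/Duration are ISO 8601 durations (PT5M, P1D); StopAtDurationEnd is
        # taken as the manual's "Kill At End" (assumption).
        "interval": text(".//t:Triggers//t:Repetition/t:Interval"),
        "duration": text(".//t:Triggers//t:Repetition/t:Duration"),
        "kill_at_end": text(".//t:Triggers//t:Repetition/t:StopAtDurationEnd").lower() == "true",
        "actions": actions,
    }


def assess_task(task, path_exists=os.path.exists):
    """Return findings for one parsed task.  `path_exists` is injectable so an export
    can be triaged away from the host (the default checks the local disk)."""
    findings = []
    if task["user"].upper() in SYSTEM_IDS:
        findings.append("runs as SYSTEM")
    if task["interval"]:
        span = f" for {task['duration']}" if task["duration"] else ""
        findings.append(f"repeats every {task['interval']}{span}")
    for act in task["actions"]:
        path = act["command"].strip().strip('"')
        if not path:
            continue
        if not path.lower().startswith(TRUSTED_DIRS):
            findings.append(f"executable outside trusted directories: {path}")
        # Section 3.1: an EXE payload deletes itself but the task stays behind, so a
        # SYSTEM task whose target no longer exists is worth a look on its own.
        if not path_exists(path):
            findings.append(f"executable missing on disk (orphaned task): {path}")
    return findings


def triage_tasks_dir(tasks_dir):
    """Walk a Tasks folder (or a collected copy) and map task file -> findings."""
    report = {}
    for dirpath, _, files in os.walk(tasks_dir):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:   # exports are UTF-16 with a BOM; bytes let ET honour it
                findings = assess_task(parse_task(fh.read()))
            if findings:
                report[full] = findings
    return report


# Constructed sample: SYSTEM principal, 5-minute interval for a day, Kill At End off,
# stub in a writable data directory.
SUSPECT_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT5M</Interval><Duration>P1D</Duration><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
    <StartBoundary>2016-03-01T08:00:00</StartBoundary><Enabled>true</Enabled>
  </TimeTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\ProgramData\Svc\stub.exe</Command></Exec></Actions>
</Task>"""

# Constructed sample: an ordinary vendor updater, run as a user at logon, no repetition.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-21-1000-2000-3000-1001</UserId><LogonType>InteractiveToken</LogonType></Principal></Principals>
  <Actions Context="Author"><Exec><Command>"C:\Program Files\Vendor\updater.exe"</Command><Arguments>/quiet</Arguments></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for label, xml_text in (("suspect", SUSPECT_TASK_XML), ("benign", BENIGN_TASK_XML)):
        present = label == "benign"   # offline run: pretend the suspect stub already self-deleted
        print(label, assess_task(parse_task(xml_text), lambda p, ok=present: ok))
```

On a live host, point triage_tasks_dir at C:\Windows\System32\Tasks (or a copy taken during collection) and the default path_exists reports orphaned tasks directly. A DLL-payload installation, by contrast, removes its own task on uninstall, so what survives of it is the stub and payload on disk, which section 4 covers.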
3.3 GH1
If the payload supports the GH1 interface, Bermuda deploys a stub as the task executable. During installation, Bermuda embeds the payload as a resource in the stub and configures the stub with the name of the task that starts it. When the Task Scheduler executes it, the stub loads the payload DLL in memory; the payload is never written to disk as a separate file.
The stub uninstalls the payload on demand or when the payload fails to start. During uninstallation, Bermuda removes the scheduled task and self-deletes the stub together with the payload embedded in it.
4 Footprint
Bermuda writes unobfuscated binaries to the target filesystem. If the payload is an EXE, it is written to a user-specified location. If the payload is a DLL, both the payload and a Bermuda stub are written to user-specified locations. If the payload implements GH1, the payload is embedded as a resource in a Bermuda stub, which is written to a user-specified location.
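The following is an added example, not code from the Bermuda manual or project. Because section 4 says the GH1 payload is stored unobfuscated as a resource inside the stub, the stub on disk contains a second, complete PE image; the scan below carves such images out of any file by walking every MZ candidate and validating its e_lfanew link to the PE signature, then reads FileHeader.Characteristics to tell a DLL payload from an EXE. SAMPLE_STUB is constructed (two minimal header skeletons with padding between them), and the offsets, sanity bounds and flag values are assumptions chosen for the demonstration.

```python
"""Carve embedded PE images out of a file on disk.  Added example, not Bermuda's
code.  The stub described in section 4 carries its GH1 payload as a resource, so
a second PE header sits inside the outer image; this finds it by signature rather
than by parsing the resource directory, so it also catches appended payloads.
SAMPLE_STUB is constructed: two minimal DOS/NT header skeletons, outer marked
executable, inner marked DLL.  Offsets and bounds are assumptions."""
import struct

IMAGE_FILE_DLL = 0x2000          # FileHeader.Characteristics flag


def find_pe_images(data):
    """Return (offset, is_dll) for every plausible PE header in `data`, including
    the outer image at offset 0."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig = pos + e_lfanew
            # e_lfanew must clear the DOS header, stay within a realistic stub
            # size, and land on "PE\0\0" followed by a full 20-byte FileHeader.
            if (0x40 <= e_lfanew <= 0x400 and sig + 24 <= len(data)
                    and data[sig:sig + 4] == b"PE\0\0"):
                characteristics = struct.unpack_from("<H", data, sig + 22)[0]
                hits.append((pos, bool(characteristics & IMAGE_FILE_DLL)))
        pos = data.find(b"MZ", pos + 1)
    return hits


def find_embedded_pe(data):
    """Embedded images only: every hit that is not the outer image at offset 0."""
    return [h for h in find_pe_images(data) if h[0] != 0]


def minimal_pe(characteristics, e_lfanew=0x80):
    """Build just enough of a PE (DOS header, NT signature, FileHeader) for the
    scanner to recognise.  Not a loadable image; constructed test data."""
    buf = bytearray(e_lfanew + 24)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", buf, e_lfanew + 4, 0x14C)          # Machine = i386
    struct.pack_into("<H", buf, e_lfanew + 22, characteristics)
    return bytes(buf)


# Constructed: an EXE-flagged outer image with a DLL-flagged image 0x300 bytes in,
# roughly where a resource section's raw data might sit.
EMBEDDED_AT = 0x300
SAMPLE_STUB = (minimal_pe(0x0102).ljust(EMBEDDED_AT, b"\0")   # EXECUTABLE_IMAGE | 32BIT_MACHINE
               + minimal_pe(0x2102)                          # same, plus IMAGE_FILE_DLL
               + b"\0" * 64)

if __name__ == "__main__":
    for off, is_dll in find_embedded_pe(SAMPLE_STUB):
        print(f"embedded PE at offset 0x{off:x} ({'DLL' if is_dll else 'EXE'})")
```

Run against a real file with find_embedded_pe(open(path, "rb").read()); a hit flagged as a DLL inside an EXE-flagged outer image is the shape section 3.3 and section 4 describe. The bounds on e_lfanew keep stray "MZ" byte pairs in ordinary data from being reported, at the cost of missing images whose headers have been deliberately mangled, which this manual says Bermuda does not do.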