Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
- Configuration is the NVRAM variable that NightSkies uses to store its configuration. The name of this variable is in the file config.name, the GUID of this variable is in the file config.guid, and the default configuration is described in the file config.plist.
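Because the implant keeps its configuration in a firmware NVRAM variable identified by a name and a vendor GUID, the defender's counterpart is to enumerate the platform's EFI variables and flag any persistent, OS-visible variable whose vendor GUID is not in a known-good baseline. The script below is an added example for that check and is not part of the DarkSeaSkies manual or its tooling. It assumes the Linux efivarfs layout (file name `Name-GUID`, contents a 4-byte little-endian attribute word followed by the variable data); the sample entries, the `SampleUnknownVar` name and the `deadbeef-...` GUID are constructed, while `8be4df61-93ca-11d2-aa0d-00e098032b8c` is the real EFI_GLOBAL_VARIABLE GUID.

```python
"""Parse EFI variables in efivarfs layout and flag ones outside a GUID baseline.

Added example written from a defender's view; not code from the manual.
Assumption: Linux efivarfs layout, i.e. file name "<Name>-<GUID>" and file
content = 4-byte little-endian attribute word + variable data.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Attribute bits from the UEFI specification.
EFI_VARIABLE_NON_VOLATILE = 0x1
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x2
EFI_VARIABLE_RUNTIME_ACCESS = 0x4

ATTRIBUTE_NAMES = {
    EFI_VARIABLE_NON_VOLATILE: "NON_VOLATILE",
    EFI_VARIABLE_BOOTSERVICE_ACCESS: "BOOTSERVICE_ACCESS",
    EFI_VARIABLE_RUNTIME_ACCESS: "RUNTIME_ACCESS",
}

# Vendor GUIDs an analyst expects to see. EFI_GLOBAL_VARIABLE is the real UEFI
# GUID; a production baseline would be recorded from a known-good machine.
BASELINE_GUIDS = {"8be4df61-93ca-11d2-aa0d-00e098032b8c"}


@dataclass
class EfiVar:
    name: str
    guid: str
    attributes: int
    data: bytes

    def attribute_names(self) -> List[str]:
        return [label for bit, label in ATTRIBUTE_NAMES.items() if self.attributes & bit]

    def is_persistent_and_os_visible(self) -> bool:
        # A variable that survives reboot and stays readable after the OS boots
        # is the kind that can carry configuration between firmware and OS.
        needed = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS
        return self.attributes & needed == needed


def parse_efivarfs_entry(filename: str, blob: bytes) -> EfiVar:
    """Split 'Name-GUID' and the attribute header of one efivarfs file."""
    # The GUID is always the last 36 characters, preceded by a dash; the
    # variable name itself may contain dashes, so split from the right.
    if len(filename) < 38 or filename[-37] != "-":
        raise ValueError(f"not an efivarfs file name: {filename!r}")
    if len(blob) < 4:
        raise ValueError("efivarfs entry shorter than the 4-byte attribute header")
    (attributes,) = struct.unpack("<I", blob[:4])
    return EfiVar(filename[:-37], filename[-36:].lower(), attributes, blob[4:])


def find_unexpected(entries: Dict[str, bytes], baseline_guids: Iterable[str]) -> List[EfiVar]:
    """Return persistent, runtime-visible variables whose vendor GUID is not baselined."""
    baseline = {g.lower() for g in baseline_guids}
    flagged = []
    for filename, blob in entries.items():
        var = parse_efivarfs_entry(filename, blob)
        if var.guid not in baseline and var.is_persistent_and_os_visible():
            flagged.append(var)
    return flagged


# Constructed sample entries (not real dumps): two standard variables under
# EFI_GLOBAL_VARIABLE and one under a made-up vendor GUID.
SAMPLE_ENTRIES = {
    "BootOrder-8be4df61-93ca-11d2-aa0d-00e098032b8c": struct.pack("<I", 0x7) + b"\x00\x00\x01\x00",
    "Timeout-8be4df61-93ca-11d2-aa0d-00e098032b8c": struct.pack("<I", 0x7) + b"\x05\x00",
    "SampleUnknownVar-deadbeef-0000-4000-8000-000000000001": struct.pack("<I", 0x7) + b"<opaque blob>",
}

if __name__ == "__main__":
    for var in find_unexpected(SAMPLE_ENTRIES, BASELINE_GUIDS):
        print(f"{var.name} ({var.guid}): {len(var.data)} bytes, attrs={var.attribute_names()}")
```

On a live Linux host the same functions can be fed the files under /sys/firmware/efi/efivars; on macOS, `nvram -p` lists the variables and the names can be compared against a baseline in the same way. The useful signal is a variable under an unfamiliar vendor GUID that is both non-volatile and runtime-accessible, since that combination is what a firmware-resident component needs to keep state across reboots and still reach it from the OS.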
3.2 System Concepts and Capabilities
DarkSeaSkies is an EFI implanted beacon (NightSkies) that is run in coordination with
the SeaPea root-kit. All files, network connections, and processes associated with the
NightSkies beacon are hidden by the SeaPea root-kit. The beacon and root-kit remain
persistent across OS reboots, upgrades, and reinstalls. All files associated with
DarkSeaSkies remain off disk, with one exception: during each boot NightSkies
is written to disk in the /tmp directory in order to be executed and is then securely deleted.
Beacon transmissions by NightSkies occur only when a configurable time has elapsed
and the target user is browsing with Safari or Firefox. The command and control beacon
data is encrypted in an HTTP GET/POST request or response.
3.3 Prerequisites
Refer to NightSkies User Guide.
3.4 Equipment Familiarization
Refer to NightSkies User Guide.
4. Operation
4.1 Configuration
DarkSeaSkies has the following configuration parameters. The values for a deployment
are in the file config.plist unless specified otherwise.
- NightSkies encryption pass phrase: this value is saved in lp.password.
- Enable date: date after which the implant is enabled.
- Default caution limit: maximum number of cautious boots before uninstall.
- Beacon URL: the URL the beacon will attempt to download.
- Client ID: a unique identifier for the implant.
- "Magic Link" string: as part of beaconing, the implant looks for this string in the PHP file in order to retrieve tasking.
- Uninstall interval: time interval since the last successful LP communication before uninstall.
- Minimum delay: minimum delay between beacons, in seconds.
- Failsafe attempt: beacon without network checks.
- Maximum delay: if failsafe is enabled, the maximum amount of time in seconds to wait before attempting a failsafe beacon.
- Applications used to detect activity.
darkmatter+darkmatter+docs+DarkSeaSkies 1.0 User Manual_Rev New_2009-01-26.doc
3
SECRET//NOFORN