Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//NOFORN
Athena Technology Overview
Athena is a beacon loader developed with Siege Technologies. At the core it is a
very simple implant application. It runs in user space and beacons from the srvhost
process. The following diagram shows the concept of operation.
Figure – (S//NF) Athena Concept of Operation
This document will describe some of the innovations incorporated into this tool. The
tool was designed to provide two distinct tools that share the same business logic
between each instance. These two tools are named Athena-Alpha and Athena-Bravo.
Persistence:
The implant hijacks a support DLL that is loaded by the host application.
Athena-Alpha uses the RemoteAccess service. This service enumerates the
registry to find an IP support dll called iprtrmgr.dll. By forwarding the export
functions to this original module, the implant will be loaded into srvhost every
time this service starts. By default, this service is disabled. The installation tool
will enable it.
Athena-Bravo uses the Dnscache service. This service enumerates the registry
to find a support dll called dnsext.dll. This extension is new for Windows 7 & 8
and is not available in legacy OSs. By default, this service is active.
Unfortunately, Microsoft has changed this srvhost so that it no longer runs as SYSTEM.
The installer must update the srvhost list so that the service is included in a SYSTEM
srvhost with the correct privileges. Until a reboot, the tool will have only limited
security access to the system.
DLL FORWARDING: The target DLLs export a small number of functions and the
implant dll forwards those function calls to the original DLL at startup time. This
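The forwarding technique just described leaves a measurable trace in the DLL on disk: the export table of a proxy DLL contains forwarder entries ("Module.Function" strings) instead of code addresses. The following Python is an added defender-side example, not code from this document or from the tool's developers. It parses a PE export directory with the standard library only, lists which named exports are forwarders, and reports whether every named export is forwarded to a single other module. The sample images, the export names FuncA/FuncB and the target module name support_orig are constructed for the demonstration. Legitimate Windows DLLs also use forwarders (kernel32 forwards to ntdll, and the api-ms-win-* stubs forward everything), so treat a hit as a triage signal to combine with an Authenticode signature and path check of the DLL the service registry key names, not as a verdict on its own.

```python
"""Added example: detect export forwarding in a PE DLL (the proxy-DLL pattern).
Standard library only; build_sample_dll() produces constructed test images."""
import struct
import sys

def _u16(b, o):
    return struct.unpack_from("<H", b, o)[0]

def _u32(b, o):
    return struct.unpack_from("<I", b, o)[0]

def _cstr(b, o):
    return b[o:b.index(b"\0", o)].decode("ascii", "replace")

def _sections(data, nt):
    """Yield (VirtualAddress, size, PointerToRawData) for each section header."""
    count, opt_size = _u16(data, nt + 6), _u16(data, nt + 20)
    first = nt + 24 + opt_size
    for i in range(count):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, first + i * 40 + 8)
        yield va, max(vsize, rawsize), rawptr

def _rva_to_off(rva, secs):
    for va, size, rawptr in secs:
        if va <= rva < va + size:
            return rva - va + rawptr
    raise ValueError("RVA 0x%x is not mapped by any section" % rva)

def named_exports(data):
    """Return [(export_name, forwarder_target_or_None)] for every named export.
    A forwarder is an export whose address RVA points back inside the export
    directory, where it is a 'Module.Function' string rather than code."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image")
    nt = _u32(data, 0x3C)
    if data[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = nt + 24
    dd = opt + (112 if _u16(data, opt) == 0x20B else 96)   # PE32+ vs PE32 data directories
    exp_rva, exp_size = struct.unpack_from("<II", data, dd)  # entry 0 = export table
    if exp_rva == 0:
        return []
    secs = list(_sections(data, nt))
    e = _rva_to_off(exp_rva, secs)
    n_names = _u32(data, e + 24)
    funcs, names, ords = (_rva_to_off(_u32(data, e + k), secs) for k in (28, 32, 36))
    out = []
    for i in range(n_names):
        name = _cstr(data, _rva_to_off(_u32(data, names + 4 * i), secs))
        func_rva = _u32(data, funcs + 4 * _u16(data, ords + 2 * i))
        is_fwd = exp_rva <= func_rva < exp_rva + exp_size
        out.append((name, _cstr(data, _rva_to_off(func_rva, secs)) if is_fwd else None))
    return out

def proxy_verdict(data):
    """Triage: a DLL that forwards every named export to one other module matches
    the forwarding-proxy pattern and warrants a signature and path check."""
    exports = named_exports(data)
    targets = sorted({t.split(".", 1)[0].lower() for _, t in exports if t})
    forwarded = sum(1 for _, t in exports if t)
    return {"named_exports": len(exports), "forwarded": forwarded, "targets": targets,
            "all_forwarded_to_one_module": bool(exports) and forwarded == len(exports) and len(targets) == 1}

def build_sample_dll(exports, module_name=b"sample.dll"):
    """Constructed test data: a minimal PE32 image whose single section holds only
    an export table. exports = [(name, forwarder_target_or_None)]."""
    sec_va, sec_raw, n = 0x1000, 0x200, len(exports)
    funcs_rva = sec_va + 40                                  # tables follow the 40-byte directory
    names_rva, ords_rva = funcs_rva + 4 * n, funcs_rva + 8 * n
    strings, strings_rva = bytearray(), funcs_rva + 10 * n
    def add_str(s):
        rva = strings_rva + len(strings)
        strings.extend(s + b"\0")
        return rva
    mod_rva = add_str(module_name)
    name_rvas = [add_str(name.encode()) for name, _ in exports]
    # Forwarded exports point at a string inside the export section; plain ones point at "code" outside it.
    func_rvas = [add_str(fwd.encode()) if fwd else 0x2000 + 0x10 * i for i, (_, fwd) in enumerate(exports)]
    body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, mod_rva, 1, n, n, funcs_rva, names_rva, ords_rva)
    body += b"".join(struct.pack("<I", r) for r in func_rvas + name_rvas)
    body += b"".join(struct.pack("<H", i) for i in range(n)) + bytes(strings)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)  # i386, 1 section, DLL
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<II", opt, 96, sec_va, len(body))     # export data directory (RVA, size)
    sec = struct.pack("<8sIIIIIIHHI", b".edata", len(body), sec_va, len(body), sec_raw, 0, 0, 0, 0, 0x40000040)
    image = bytearray(sec_raw)
    hdr = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sec
    image[:len(hdr)] = hdr
    return bytes(image + body)

if __name__ == "__main__":
    if len(sys.argv) > 1:                     # real files: python pe_forwarders.py C:\Windows\System32\some_support.dll
        for path in sys.argv[1:]:
            with open(path, "rb") as f:
                print(path, proxy_verdict(f.read()))
    else:                                     # offline demo on constructed images
        proxy = build_sample_dll([("FuncA", "support_orig.FuncA"), ("FuncB", "support_orig.FuncB")], b"support.dll")
        print("proxy-style sample:", proxy_verdict(proxy))
        clean = build_sample_dll([("FuncA", None), ("FuncB", None)], b"support.dll")
        print("plain sample:      ", proxy_verdict(clean))
```

Run it against the DLL path a service's registry configuration points to; a result where every named export is forwarded to a module whose name is not the file's own, sitting beside an unsigned or oddly located file, is the combination worth escalating.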