Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//NOFORN
forwarding is performed by the loader when the DLL loads, so no proxy code is
required within the implant code. This approach allows the implant DLL to be
removed at startup; it will not appear in the module list of the host srvhost process. It is
not necessary to drop the implant into the SYSTEM32 directory, because the paths are
defined in the registry.
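Because the host DLL's location is taken from the registry rather than a fixed System32 path, the registry entries that tell the host process which DLL to load are the natural place for a defender to start. The script below is an added example, not code from the page or from the project it describes. It assumes the DLL is registered the way svchost-hosted services normally are, through a ServiceDll value under HKLM\SYSTEM\CurrentControlSet\Services\<service>\Parameters, and that the input is the text that `reg query ... /s` prints; the service names, paths and %SystemRoot% value are constructed for the example.

```python
"""Audit which DLLs svchost service entries point at, from a registry export.

Added example (not code from the page or from the project it describes). It assumes
the host DLL is registered through a `ServiceDll` value under
HKLM\\SYSTEM\\CurrentControlSet\\Services\\<svc>\\Parameters and that the input is
the text `reg query ... /s` prints. Service names, paths and the %SystemRoot%
value below are constructed for the example.
"""
import ntpath
import re

SYSTEM_ROOT = r"C:\Windows"  # assumed %SystemRoot%; on a live host take it from the environment

# Constructed `reg query HKLM\SYSTEM\CurrentControlSet\Services /s` style output.
SAMPLE_REG_EXPORT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SvcAlpha\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\svcalpha.dll
    ServiceDllUnloadOnStop    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SvcBravo\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\ProgramData\Cache\hostx.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SvcCharlie\Parameters
    ServiceDll    REG_SZ    "c:\windows\system32\..\temp\host.dll"
"""

KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\]+)\\Parameters\s*$", re.I)
# `ServiceDll` must be followed by whitespace, so `ServiceDllUnloadOnStop` does not match.
VALUE_RE = re.compile(r"^\s+ServiceDll\s+REG_(?:EXPAND_)?SZ\s+(.+?)\s*$", re.I)


def parse_service_dlls(text):
    """Return {service_name: raw ServiceDll string} from reg-query style text."""
    result = {}
    current = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and current:
            result[current] = m.group(1)
    return result


def expand_env(path, system_root):
    """Expand the two variables that usually appear in ServiceDll values (assumed set)."""
    for var in ("%SystemRoot%", "%windir%"):
        # A lambda avoids re.sub treating backslashes in system_root as escapes.
        path = re.sub(re.escape(var), lambda _m: system_root, path, flags=re.I)
    return path


def normalize_path(raw, system_root=SYSTEM_ROOT):
    """Strip quotes, expand variables and collapse '..' so the comparison is on the real location."""
    path = expand_env(raw.strip().strip('"'), system_root)
    return ntpath.normpath(path).lower()


def audit_service_dlls(text, system_root=SYSTEM_ROOT):
    """Return [(service, normalized_path, reason)] for ServiceDll values outside System32."""
    expected_dir = ntpath.normpath(ntpath.join(system_root, "System32")).lower()
    findings = []
    for svc, raw in parse_service_dlls(text).items():
        path = normalize_path(raw, system_root)
        if ntpath.dirname(path) != expected_dir:
            findings.append((svc, path, "ServiceDll resolves outside System32"))
    return findings


if __name__ == "__main__":
    for svc, path, reason in audit_service_dlls(SAMPLE_REG_EXPORT):
        print(f"{svc}: {path} ({reason})")
```

The normalization step matters: a value that literally begins with `c:\windows\system32` can still resolve elsewhere once `..` is collapsed, and a raw string comparison would pass it. A path inside System32 is not a clean bill of health either, since the text only says dropping there is not required; the flagged entries are the ones to examine first, and the DLL itself (size, exports, signature) still needs a look.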
Dynamic Loading:
The implant loads DLLs into the running process. Since the implant has a
custom loader, all business logic is built as a DLL (converted to an AXE file) and
loaded dynamically on demand. The implant is made up of four modules (DLLs).
1) Host.dll – The host DLL is the file that is dropped to disk and referenced in the
registry. This file contains no command-and-control, encryption or obfuscation
logic; it simply loads the Athena engine into memory. The file is very
small (<15K) and has no eye-catching exports and a minimal heuristic
signature. It does dynamically load the function VirtualAlloc. It loads the
engine.axe file into memory and calls ordinal #1.
2) Engine.AXE – The engine DLL is the main loop for the implant. It contains all the
plumbing used by the implant:
a. encryption (wincrypt RSA and AES)
b. compression (zlib-Alpha and bzip-Bravo)
c. data masking (xtea-Alpha and AES-Bravo) – encryption on disk
d. hashing (adler-Alpha and superfast-Bravo) – import names
e. string masking
f. data package – binary file on disk that stores the AXE files and configuration
g. state file logic – file management used to store state files on disk
The engine waits for beacon cycles and events from the command module to
perform actions such as unload or uninstall. The engine is loaded once by the
host.dll and stays in memory for the entire lifetime of the execution. Once a
beacon needs to be processed, the engine will load the command module
(business logic).
3) Command.AXE – The command DLL is the entire command-and-control command
set of the tool (get/set/put/module load/module unload/secure delete/uninstall).
It beacons to the server, processes the command and then signals the engine to
unload it from memory. This means that the business logic is not in memory
when it is not being used.
4) Uninstall.AXE – The uninstall DLL uninstalls the implant. This includes
removing registry keys and securely deleting the host.dll and data.bin files.
Once the uninstall module completes, it is unloaded and control returns to the engine.
The engine cleans up open handles and terminates the active thread. The
engine code remains in memory but all remnants are removed.
AXE FORMAT: The AXE file is a converted DLL file that strips the PE header, hashes
all import function names, and masks import module names.
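Two properties of this design shape how it shows up in memory: the engine and command modules are loaded by a custom loader rather than the Windows loader, so they are not on the process's module list, and the AXE conversion strips the PE header, so the usual "MZ at the start of an executable region" heuristic finds nothing. The command module is also only resident while a beacon is being processed. The script below is an added example, not code from the page or from the project it describes; it models the comparison memory-forensics tooling makes between a process's module list and its virtual memory map, on constructed data (every address, size, module name and byte value is made up), and tracks the result across more than one snapshot.

```python
"""Find executable memory that no loaded module accounts for, across snapshots.

Added example, not code from the page or the project it describes. It models the
check memory-forensics tooling does (compare a process's module list against its
virtual memory map) on constructed data: every address, size, module name and
byte value below is made up for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int


@dataclass(frozen=True)
class Region:
    base: int
    size: int
    protect: str             # e.g. "PAGE_EXECUTE_READ", "PAGE_READWRITE"
    backing: Optional[str]   # mapped file path, or None for private memory
    head: bytes              # first bytes of the region as captured


EXEC_PROTECTIONS = {"PAGE_EXECUTE", "PAGE_EXECUTE_READ",
                    "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}


def covered_by_module(region: Region, modules: Sequence[Module]) -> bool:
    """True if the region's start falls inside the range of a listed module."""
    return any(m.base <= region.base < m.base + m.size for m in modules)


def looks_like_pe(region: Region) -> bool:
    """The classic 'MZ at region start' heuristic; a loader that strips the header defeats it."""
    return region.head.startswith(b"MZ")


def find_unbacked_exec(regions: Sequence[Region], modules: Sequence[Module]) -> List[Region]:
    """Executable, private (no backing file) regions that lie outside every listed module."""
    return [r for r in regions
            if r.protect in EXEC_PROTECTIONS
            and r.backing is None
            and not covered_by_module(r, modules)]


def track_across_snapshots(snapshots: Sequence[Sequence[Region]],
                           modules: Sequence[Module]) -> Dict[int, List[int]]:
    """Map each unbacked executable region base to the snapshot indices it appears in.
    A region present in only some snapshots is consistent with code that is loaded
    for a task and released afterwards, which a single scan would miss."""
    seen: Dict[int, List[int]] = {}
    for idx, regions in enumerate(snapshots):
        for r in find_unbacked_exec(regions, modules):
            seen.setdefault(r.base, []).append(idx)
    return seen


# Constructed process state: module list and two memory-map snapshots.
MODULES = [
    Module("svchost.exe", 0x7FF6_0000_0000, 0x10000),
    Module("ntdll.dll", 0x7FFC_0000_0000, 0x1F0000),
    Module("rpcrt4.dll", 0x7FFB_FF00_0000, 0xC0000),
]

SNAP_IDLE = [
    Region(0x7FF6_0000_0000, 0x10000, "PAGE_EXECUTE_READ", r"C:\Windows\System32\svchost.exe", b"MZ\x90\x00"),
    Region(0x7FFC_0000_0000, 0x1F0000, "PAGE_EXECUTE_READ", r"C:\Windows\System32\ntdll.dll", b"MZ\x90\x00"),
    Region(0x0000_1A00_0000, 0x2000, "PAGE_READWRITE", None, b"\x00\x00\x00\x00"),     # ordinary heap
    Region(0x0000_1B00_0000, 0x30000, "PAGE_EXECUTE_READ", None, b"\x48\x89\x5c\x24"),  # resident, no PE header
]
# Second snapshot taken during activity: one more private executable region exists.
SNAP_BEACON = SNAP_IDLE + [
    Region(0x0000_1C00_0000, 0x20000, "PAGE_EXECUTE_READ", None, b"\x40\x53\x48\x83"),
]


def report(snapshots: Sequence[Sequence[Region]] = (SNAP_IDLE, SNAP_BEACON),
           modules: Sequence[Module] = MODULES) -> List[str]:
    """Human-readable lines, returned so the result can be checked rather than only printed."""
    lines = []
    for base, idxs in sorted(track_across_snapshots(snapshots, modules).items()):
        region = next(r for r in snapshots[idxs[-1]] if r.base == base)
        kind = "PE header present" if looks_like_pe(region) else "headerless"
        persistence = "persistent" if len(idxs) == len(snapshots) else f"transient (snapshots {idxs})"
        lines.append(f"0x{base:x} size 0x{region.size:x}: unbacked executable, {kind}, {persistence}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

The check keys on page protection and the absence of a backing file, not on header bytes, so a headerless module is still reported. The snapshot comparison is the part a one-off scan lacks: with the business logic unloaded between beacons, a single capture taken at the wrong moment sees only the resident engine region, and only a capture taken during activity shows the second one.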