Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//NOFORN
4.3 (S//NF) Athena/Hera Version Comparison
Table 5 - (S//NF) Differences between Versions

| Feature | Athena | Hera |
|---|---|---|
| Hash (function names) | Adler hash (from zlib) | Superfast hash |
| Mask (local encryption) | XTEA with key increment | AES with reduced key space |
| Packing Mask | 0x3B | 0x5C |
| String Mask | 0x5D8E1792 | 0xAF27D2C9 |
| Compilation | MSVC 2013 | LLVM 3.7.0 |
| Module Compilation (actual modules using alternate compilation) | Installer.dll, Host.dll, Ram_only.dll | Installer.bravo.dll, Host.bravo.dll, Ram_only.bravo.dll |
| Persistence | RemoteAccess | Dnscache |
| Compression | ZLIB | BZip2 |
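The hash and mask rows in Table 5 are the quickest way to tell the two variants apart during triage. The following is an added example, not code from the document or from the Athena/Hera project: it computes both function-name hashes (Adler-32 from zlib for Athena, Paul Hsieh's SuperFastHash for Hera) over a constructed list of API names so that a hash value found in a sample can be resolved to a name and a variant. The table constants are taken from the page; the API names are constructed, and the assumption that the string mask is applied as a repeating little-endian 4-byte XOR key is the author's here, not something the page states.

```python
"""Variant fingerprinting for the Athena/Hera comparison table.

Added example, not code from the original document. The hash choices and the
mask constants come from Table 5; the API names below are constructed, and the
XOR scheme in unmask_string() is an assumption.
"""
import struct
import zlib

# Mask constants as listed in Table 5.
VARIANTS = {
    "Athena": {"packing_mask": 0x3B, "string_mask": 0x5D8E1792},
    "Hera": {"packing_mask": 0x5C, "string_mask": 0xAF27D2C9},
}

M32 = 0xFFFFFFFF


def adler32(name: bytes) -> int:
    """Adler-32 exactly as zlib computes it (Athena's function-name hash)."""
    return zlib.adler32(name) & M32


def superfasthash(data: bytes) -> int:
    """Paul Hsieh's SuperFastHash, 32-bit (Hera's function-name hash)."""
    length = len(data)
    if length == 0:
        return 0
    h = length
    rem = length & 3
    pos = 0
    for _ in range(length >> 2):               # main loop, 4 bytes per round
        h = (h + (data[pos] | data[pos + 1] << 8)) & M32
        tmp = (((data[pos + 2] | data[pos + 3] << 8) << 11) ^ h) & M32
        h = ((h << 16) ^ tmp) & M32
        pos += 4
        h = (h + (h >> 11)) & M32
    if rem == 3:                               # tail handling mirrors the C switch
        h = (h + (data[pos] | data[pos + 1] << 8)) & M32
        h ^= (h << 16) & M32
        signed = data[pos + 2] - 256 if data[pos + 2] > 127 else data[pos + 2]
        h ^= (signed << 18) & M32
        h = (h + (h >> 11)) & M32
    elif rem == 2:
        h = (h + (data[pos] | data[pos + 1] << 8)) & M32
        h ^= (h << 11) & M32
        h = (h + (h >> 17)) & M32
    elif rem == 1:
        signed = data[pos] - 256 if data[pos] > 127 else data[pos]
        h = (h + signed) & M32
        h ^= (h << 10) & M32
        h = (h + (h >> 1)) & M32
    # Final avalanche of the remaining bits.
    h ^= (h << 3) & M32
    h = (h + (h >> 5)) & M32
    h ^= (h << 4) & M32
    h = (h + (h >> 17)) & M32
    h ^= (h << 25) & M32
    h = (h + (h >> 6)) & M32
    return h


def build_hash_table(api_names):
    """Map every name's hash under each variant back to (variant, name)."""
    table = {}
    for name in api_names:
        raw = name.encode("ascii")
        table.setdefault(adler32(raw), []).append(("Athena", name))
        table.setdefault(superfasthash(raw), []).append(("Hera", name))
    return table


def resolve_hash(table, value):
    """Return the (variant, name) candidates for a 32-bit hash seen in a sample."""
    return table.get(value & M32, [])


def unmask_string(blob: bytes, variant: str) -> bytes:
    """XOR with the variant's string mask as a repeating LE 4-byte key (assumed scheme)."""
    key = struct.pack("<I", VARIANTS[variant]["string_mask"])
    return bytes(b ^ key[i % 4] for i, b in enumerate(blob))


# Constructed list of API names an analyst would want to recognise in a sample.
SAMPLE_APIS = ["LoadLibraryA", "GetProcAddress", "CreateFileW", "WriteFile"]
HASH_TABLE = build_hash_table(SAMPLE_APIS)

if __name__ == "__main__":
    for api in SAMPLE_APIS:
        raw = api.encode("ascii")
        print(f"{api:16s} adler32={adler32(raw):08x} superfast={superfasthash(raw):08x}")
```

Because unmask_string() is an XOR, applying it twice is the identity, which is what the round-trip check below relies on; the real on-disk masking may differ from this assumption and should be confirmed against a sample before the helper is trusted.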
Table 6 - (S//NF) Similarities between Versions

| Feature | Commonality |
|---|---|
| Data file | File format and content are the same, but the masking is different. |
| Business Logic | The command module uses different masking, but the code is compiled with MSVC and will look similar. This module is dynamically loaded. |
| Engine | The engine module has mostly the same code between the two versions and is compiled with MSVC and will look similar. This module is dynamically loaded. |
| Uninstall | The uninstall module will be almost identical between versions. This module is dynamically loaded. |
| Imports | The import tables (Installer/Host/Ram_only) will be similar. Additional unused imports have been included in the Hera version. |
| Communications | The communications between the versions have not changed (i.e., RSA with a generated AES-256 session key). |
| State File Logic | The state file logic is the same and the stored files may hold similar information, but they will be masked differently on disk. |
| Function Ordering | No function abstractions have been incorporated between the versions. Functionally, these two versions should produce virtually the same function call list. |
5. (U) Listening Post
(S//NF) The Listening Post (LP) uses a Bottle Python Web Framework WSGI interface to
simplify the Listening Post interface between the targets and the server. The tasker.py tool
generates encrypted tasking that is placed on the Listening Post for distribution to client targets.
The targets respond with an encrypted file that can be decrypted with the parser.py tool.
(S//NF) The Listening Post was designed to function as a simple file server that delivers tasking to the target. The LP server was designed to run under Apache Server (2.4) on Ubuntu v14.04. Tasking files generated by the Tasker are placed into user-configured directories created by the server setup script. The target beacons into the LP for tasking, and the LP responds by parsing the client directories and sending back the data from the corresponding directory. The directory is organized as a single parent folder containing multiple child folders, each named by the implant's 4-character identifier. The directory hierarchy is laid out as follows:
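Because the LP is an ordinary Apache 2.4 file server whose clients poll per-identifier child directories, the web server's own access log is the natural place to look for that polling. The following is an added example and not part of the document: it parses Apache "combined" log lines, buckets requests by client address and the 4-character path segment, and flags buckets whose inter-request intervals are regular. The path layout `/<parent>/<ID>/` and the log lines are constructed assumptions; the page only states that child folders are named by the 4-character identifier, not how they are exposed over HTTP.

```python
"""Beacon regularity check over Apache 2.4 access logs for an LP-style server.

Added example, not part of the original document. Assumes requests reach the
server at /<parent>/<ID>/..., where <ID> is the 4-character identifier named
in the document; every log line and identifier below is constructed.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format as shipped with Apache 2.4.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Child directory is exactly 4 characters (assumed alphanumeric) under one parent.
ID_RE = re.compile(r"^/[^/]+/(?P<id>[A-Za-z0-9]{4})(?:/|$)")

# Constructed sample: one client polling about every 60 s with little jitter,
# one client with irregular timing, and one unrelated request.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2023:13:55:00 +0000] "GET /tasking/AB12/ HTTP/1.1" 200 512
203.0.113.9 - - [10/Oct/2023:13:55:20 +0000] "GET /tasking/ZZ99/ HTTP/1.1" 200 14
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /tasking/AB12/ HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2023:13:56:59 +0000] "GET /tasking/AB12/ HTTP/1.1" 200 0
203.0.113.9 - - [10/Oct/2023:14:21:45 +0000] "GET /tasking/ZZ99/ HTTP/1.1" 200 14
198.51.100.7 - - [10/Oct/2023:13:58:00 +0000] "GET /tasking/AB12/ HTTP/1.1" 200 512
203.0.113.9 - - [10/Oct/2023:14:22:03 +0000] "GET /tasking/ZZ99/ HTTP/1.1" 200 14
203.0.113.9 - - [10/Oct/2023:16:02:11 +0000] "GET /tasking/ZZ99/ HTTP/1.1" 200 14
10.0.0.5 - - [10/Oct/2023:13:57:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""


def parse_line(line):
    """Return a dict for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "path": m["path"], "status": int(m["status"])}


def group_by_implant(lines):
    """Bucket request timestamps by (client ip, 4-char id); other paths are skipped."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        idm = ID_RE.match(rec["path"])
        if idm is None:
            continue
        groups[(rec["ip"], idm["id"])].append(rec["ts"])
    return groups


def beacon_candidates(groups, min_polls=3, max_cv=0.2):
    """Flag buckets whose gaps have a low coefficient of variation (regular polling)."""
    flagged = {}
    for key, stamps in groups.items():
        if len(stamps) < min_polls:
            continue
        stamps = sorted(stamps)                  # log lines need not be in order
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            flagged[key] = {"period_s": round(mean, 1), "cv": round(cv, 3)}
    return flagged


def analyse(log_text):
    """Full pipeline: raw log text in, flagged (ip, id) buckets out."""
    return beacon_candidates(group_by_implant(log_text.splitlines()))


if __name__ == "__main__":
    for (ip, ident), info in analyse(SAMPLE_LOG).items():
        print(f"{ip} {ident}: period {info['period_s']}s, cv {info['cv']}")
```

The coefficient-of-variation threshold is deliberately loose; a real deployment would tune min_polls and max_cv against the server's normal traffic, and would treat the 4-character segment as a hint rather than proof, since plenty of legitimate paths contain four-character directory names.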