Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//NOFORN
3. (U) Overview
3.1 (U) Stolen Goods Tool Description
(S//NF) Stolen Goods 2.1 (SG2) is a persistence module for Grasshopper and Shellterm based on components from 3rd party malware. The components were taken from malware known as Carberp, a suspected Russian rootkit used by organized crime. The source of Carberp was published online, and has allowed AED\RDB to easily 'borrow' components as needed from the malware. Most of Carberp was not used in Stolen Goods 2, specifically all the botnet/communications components. The persistence method, and parts of the installer, were taken and modified to fit our needs. All components taken from Carberp were carefully analyzed for hidden functionality, backdoors, vulnerabilities, etc. A vast majority of the original Carberp code that was used has been heavily modified. Very few pieces of the original code exist unmodified.
(S//NF) SG2 maintains persistence by installing custom Initial Program Loader (IPL) code found in the Volume Boot Record (VBR; also known as the Partition Boot Record or PBR). Using a series of function hooks, SG2 maintains execution along the Windows boot sequence until, at one point, it loads a stub driver into the system to maintain code execution after the boot process is finished. The stub driver borrows some ideas and components from the original Carberp source, but most of the stub driver has been rewritten by RDB.
(S//NF) SG2 is able to persist two different payloads at once: a DLL payload (GH1 or Persistence Spec compliant) and a driver payload (JediMindTricks/AncientProtector specifically). The driver payload does not//not need to be signed at all, even on 64-bit Windows systems.
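For defenders, the practical question raised by this persistence method is whether a volume's VBR and IPL sectors still match a known-good baseline. The following is an added example, not part of the leaked document or of any tool it names: it hashes the NTFS boot sector's code region and the reserved IPL sectors separately, compares them with a recorded baseline, and runs offline against a constructed stand-in for the head of a volume (the NTFS layout offsets are standard; the sample bytes are invented).

```python
import hashlib
import struct

SECTOR = 512
IPL_SECTORS = 15      # NTFS keeps its bootstrap (IPL) code in volume sectors 1..15
CODE_OFFSET = 0x54    # bootstrap code in sector 0 begins after the extended BPB


def parse_vbr(sector0: bytes) -> dict:
    """Return the BPB fields that identify the volume; raise if sector 0 is not a boot sector."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 lacks the 0x55AA boot signature")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector0, 11)
    return {"oem_id": sector0[3:11],
            "bytes_per_sector": bytes_per_sector,
            "sectors_per_cluster": sectors_per_cluster}


def fingerprint(image: bytes) -> dict:
    """Hash the regions an IPL-based bootkit can alter, separately, so a report can say which changed."""
    sector0 = image[:SECTOR]
    ipl = image[SECTOR:SECTOR * (1 + IPL_SECTORS)]
    fp = parse_vbr(sector0)
    fp["vbr_code_sha256"] = hashlib.sha256(sector0[CODE_OFFSET:510]).hexdigest()
    fp["ipl_sha256"] = hashlib.sha256(ipl).hexdigest()
    return fp


def compare_to_baseline(image: bytes, baseline: dict) -> list:
    """Return findings as strings; an empty list means the boot code matches the recorded baseline."""
    current = fingerprint(image)
    findings = []
    for key in ("oem_id", "bytes_per_sector", "sectors_per_cluster"):
        if current[key] != baseline[key]:
            findings.append(f"BPB field {key} changed: {baseline[key]!r} -> {current[key]!r}")
    if current["vbr_code_sha256"] != baseline["vbr_code_sha256"]:
        findings.append("sector 0 bootstrap code modified")
    if current["ipl_sha256"] != baseline["ipl_sha256"]:
        findings.append("IPL code (sectors 1-15) modified")
    return findings


def build_sample_volume_head() -> bytes:
    """Constructed stand-in for the first 16 sectors of an NTFS volume (not a real dump)."""
    header = b"\xeb\x52\x90" + b"NTFS    " + struct.pack("<HB", SECTOR, 8)
    code = b"\xfa\x33\xc0\x8e\xd0".ljust(510 - CODE_OFFSET, b"\x90")   # placeholder boot code
    sector0 = header.ljust(CODE_OFFSET, b"\x00") + code + b"\x55\xaa"
    ipl = bytes(range(256)) * (IPL_SECTORS * SECTOR // 256)            # placeholder IPL bytes
    return sector0 + ipl
```

On a live Windows host the same functions apply to the first 16 sectors read from the volume device (e.g. `\\.\C:`, which requires administrator rights); the baseline should be recorded from a trusted install and kept off the host.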
3.2 (U) Dependencies
(S//NF) SG2 requires Grasshopper for configuration and installation. This document assumes the user has a working Grasshopper build (along with all of Grasshopper's dependencies).
(S//NF) SG2 also has the ability to be launched through a kernel shellcode install module included in the latest version of ShellTerm (2.8.1+). This installation method is easier to configure compared to Grasshopper, but does not contain many of the safety checks Grasshopper gives you. Therefore, the shellcode installer should only be used by someone who is comfortable and confident with its use.
3.3 (U) MD5 Hashes
(U) Hashes of the Stolen Goods v2.1 binaries
Control32.dll b3dc808fc7cb4492669ec019911ef22a
Control64.dll bec30379078d5c5c7845d3be33707b89
GH_PM32.dll 2f2c5b3f3b1f97908074f526ac90a28d
GH_PM64.dll fe6c0097412b2c7b7f4b8a489004dd14
MemStub32-GH1.dll 0a579ad25fdd4db8110aac4dbb7d2da3