Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
1. Scope
This document establishes the User Manual for DarkSeaSkies 1.0.
1.1 System Overview and Description
DarkSeaSkies is an implant that persists in the EFI firmware of an Apple MacBook Air
computer, installs a Mac OSX 10.5 kernel-space implant and executes a user-space
implant.
DarkSeaSkies consists of three different tools:
1. DarkMatter: An EFI driver that persists in firmware and installs the other two
tools.
2. SeaPea: A Mac OSX kernel-space implant that executes, and provides stealth and
privilege to user-space implants.
3. NightSkies: A Mac OSX user-space implant that beacons to a listening post and
provides command and control.
This document describes the technical details of DarkMatter, and those of SeaPea and
NightSkies only where they differ from their documented user manuals. Refer to the SeaPea
User Manual for further information on SeaPea. Refer to the NightSkies User Guide for
further information on NightSkies.
1.2 Assumptions and Constraints
It is assumed that the target system is a MacBook Air version 1,1 running Mac OSX
10.5.2-10.5.x with firmware version MBA11.0088.B03.
It is assumed that an operator or asset has one-time physical access to the target system
and can boot the target system to an external flash drive.
A constraint is that DarkSeaSkies will not persist in the event of a firmware update.
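For asset inventory, the preconditions stated in section 1.2 can be checked against captured `system_profiler` text output. This is an added example, not part of the manual: the field names are those `system_profiler` prints for its hardware and software overview, the sample output is constructed, and the function names are hypothetical.

```python
import re

# Preconditions quoted from section 1.2 of the manual.
AFFECTED_MODEL = "MacBookAir1,1"       # "MacBook Air version 1,1" as a model identifier
AFFECTED_BOOT_ROM = "MBA11.0088.B03"   # firmware version named in the manual
OS_BRANCH, OS_MIN = (10, 5), (10, 5, 2)  # "10.5.2-10.5.x"

# Constructed sample of `system_profiler SPHardwareDataType SPSoftwareDataType`.
SAMPLE = """\
Hardware:
      Model Name: MacBook Air
      Model Identifier: MacBookAir1,1
      Boot ROM Version: MBA11.0088.B03
Software:
      System Version: Mac OS X 10.5.6 (9G55)
"""

def parse_profile(text):
    """Turn 'Key: value' lines into a dict; section headers have no value."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields

def os_version(fields):
    """Return (major, minor, patch) from 'System Version', or None."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", fields.get("System Version", ""))
    return tuple(int(g or 0) for g in m.groups()) if m else None

def matches_assumptions(text):
    """List which section 1.2 preconditions a host's profile satisfies."""
    f = parse_profile(text)
    hits = []
    if f.get("Model Identifier") == AFFECTED_MODEL:
        hits.append("model")
    if f.get("Boot ROM Version") == AFFECTED_BOOT_ROM:
        hits.append("boot_rom")
    v = os_version(f)
    if v and v[:2] == OS_BRANCH and v >= OS_MIN:
        hits.append("os")
    return hits

if __name__ == "__main__":
    print(matches_assumptions(SAMPLE))
```

A host that returns all three entries matches the configuration the manual assumes and is a candidate for closer firmware review.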
1.3 Conventions (Not Applicable)
2. Applicable Documents
The following documents, of the exact issue shown, form a part of this document to the
extent specified herein. In the event of a conflict between the documents referenced
herein and the contents of this document, the contents of this document will be
considered binding. The following documents may be found at S:\DO\IOC\EDG
ALL\EDG AE\Projects\:
• SeaPea User Manual, Rev. 2.0, November 2008
• NightSkies User Guide, Rev. 1.2, November 2008
3. System Description
3.1 Technical References
darkmatter+darkmatter+docs+DarkSeaSkies 1.0 User Manual_Rev New_2009-01-26.doc
SECRET//NOFORN