Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//NOFORN
When the stub detects that the payload has been deleted, it will execute the
autonomous uninstall. The stub checks for the payload every 5 seconds. The
autonomous uninstall will perform the following steps:
1. Remove the service from the Windows registry.
2. Delete itself from the filesystem.
Kill File
The kill file uninstall is triggered by the operator as follows:
1. Create a file on the file system at the path specified by the kill file
parameter at build time.
When the stub detects the presence of the kill file, it will execute the kill file
uninstall procedure. The stub checks for the kill file every minute. The uninstall
proceeds through the following steps:
1. Wait half a minute before starting uninstall.
2. Attempt to signal and/or stop the payload for uninstall.
3. Secure delete the payload. If this fails, arrange to delete on reboot.
4. Remove the service from the SCM.
5. Remove the kill file.
6. Delete itself from the filesystem.
NOTE: If the payload is a DLL, the stub will attempt to free the library. If the
payload has not performed a "safety load" on itself and does not shut down, it may
crash the host process.
NOTE: If the payload is a NOD-persisted DLL, it will have been memory loaded. On
uninstall, the stub will call DllMain with DLL_PROCESS_DETACH to notify the
payload of the uninstall event. However, the memory is leaked and the payload is
left running to avoid potentially crashing the host process.
NOTE: If the payload is an EXE, it will be terminated with TerminateProcess and
securely deleted.
NOTE: If the uninstall fails, the kill file remains and the uninstall function will be
attempted again on the next boot.
NOTE: The hijack technique may fail to find a usable service and fail to hijack. If
this happens, the service will start normally on the next reboot of the system.
NOTE: All stubs perform secure self-deletion of themselves during uninstallation.
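The two uninstall paths above (autonomous uninstall when the payload disappears, and the kill file procedure with its failure handling) are modelled here as an added example. This is not the stub's own code: it uses an in-memory filesystem and a fake Service Control Manager so the ordering of the steps and the retry behaviour can be exercised offline. The paths, the service name, the class names (FakeFs, FakeScm, Stub) and the choice of which failure leaves the kill file in place are assumptions made for the example; the document does not say which step's failure triggers the retry on next boot.

```python
import os

# Constructed paths for the simulation; the real stub takes <STUB_PATH> and the
# kill-file path from the operator at build time. Assumed names, not the tool's.
STUB_PATH = r"C:\ProgramData\example\stub.exe"
PAYLOAD_PATH = r"C:\ProgramData\example\payload.dll"
KILL_FILE = r"C:\ProgramData\example\kill.txt"
SERVICE_NAME = "ExampleSvc"


class FakeFs:
    """In-memory filesystem. Paths in 'locked' refuse deletion, modelling a
    payload that cannot be removed (e.g. still mapped in a host process)."""

    def __init__(self, files, locked=()):
        self.files = dict(files)      # path -> bytes
        self.locked = set(locked)
        # Stand-in for the delete-on-reboot fallback (on Windows this would be
        # MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT).
        self.delete_on_reboot = []

    def exists(self, path):
        return path in self.files

    def secure_delete(self, path):
        """Overwrite the contents with random bytes, then unlink."""
        if path in self.locked or path not in self.files:
            return False
        self.files[path] = os.urandom(len(self.files[path]))
        del self.files[path]
        return True

    def delete(self, path):
        if path in self.locked:
            return False
        self.files.pop(path, None)
        return True


class FakeScm:
    """Fake Service Control Manager; fail_remove simulates a failed service
    removal so the retry behaviour can be observed."""

    def __init__(self, services, fail_remove=False):
        self.services = set(services)
        self.fail_remove = fail_remove

    def remove(self, name):
        if self.fail_remove:
            return False
        self.services.discard(name)
        return True


class Stub:
    def __init__(self, fs, scm):
        self.fs, self.scm = fs, scm
        self.payload_running = True

    def poll(self):
        """One polling pass. The real stub checks the payload every 5 seconds
        and the kill file every minute; here both are checked per call."""
        if not self.fs.exists(PAYLOAD_PATH):
            return "autonomous" if self.autonomous_uninstall() else "autonomous-failed"
        if self.fs.exists(KILL_FILE):
            return "killfile" if self.kill_file_uninstall() else "killfile-retry"
        return "idle"

    def autonomous_uninstall(self):
        """Payload gone: remove the service registration, then self-delete.
        (The document says registry removal here; the fake SCM stands in.)"""
        if not self.scm.remove(SERVICE_NAME):
            return False
        return self.fs.secure_delete(STUB_PATH)

    def kill_file_uninstall(self):
        # Step 1: the real stub waits 30 seconds first (sleep omitted here).
        # Step 2: signal/stop the payload.
        self.payload_running = False
        # Step 3: secure delete; if that fails, arrange deletion on reboot.
        if not self.fs.secure_delete(PAYLOAD_PATH):
            self.fs.delete_on_reboot.append(PAYLOAD_PATH)
        # Step 4: remove the service from the SCM. Assumption for this model:
        # a failure here leaves the kill file in place so the uninstall is
        # retried on the next boot.
        if not self.scm.remove(SERVICE_NAME):
            return False
        # Step 5: remove the kill file, only now that the service is gone.
        self.fs.delete(KILL_FILE)
        # Step 6: secure self-deletion.
        self.fs.secure_delete(STUB_PATH)
        return True


def run_scenario(payload_present=True, kill_file=False, payload_locked=False, scm_fails=False):
    """Build a stub in the requested state, poll once, and return the outcome."""
    files = {STUB_PATH: b"MZ" + b"\0" * 62}          # constructed placeholder bytes
    if payload_present:
        files[PAYLOAD_PATH] = b"MZ" + b"\0" * 62
    if kill_file:
        files[KILL_FILE] = b""
    fs = FakeFs(files, locked=[PAYLOAD_PATH] if payload_locked else ())
    scm = FakeScm({SERVICE_NAME}, fail_remove=scm_fails)
    return Stub(fs, scm).poll(), fs, scm


if __name__ == "__main__":
    for kwargs in ({}, {"kill_file": True}, {"kill_file": True, "payload_locked": True},
                   {"kill_file": True, "scm_fails": True}, {"payload_present": False}):
        result, fs, scm = run_scenario(**kwargs)
        print(f"{kwargs!s:45} -> {result:17} files={sorted(fs.files)} "
              f"reboot={fs.delete_on_reboot} services={sorted(scm.services)}")
```

The point of the ordering is visible in the locked-payload and failed-SCM scenarios: a payload that cannot be deleted is queued for removal on reboot and the uninstall still completes, whereas a failed service removal leaves the kill file behind, so the next poll after a reboot finds it again and re-runs the procedure.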
3 Footprint
File System
- Service Stub Executable, located at a user specified location <STUB_PATH>
- Service Stub Directory, may have been created
- Nodpersist interface payloads are not on disk but are an obfuscated resource in the stub