Wikileaks latest Vault 7 release showcases a CIA hacking tool named “Marble”, which is employed by the agency to hamper forensic investigators from attributing viruses, trojans and hacking attacks back to the CIA. Marble was in use as recently as 2016.
According to a statement released by Wikileaks, “Marble” is part of the CIA’s Core Library of malware, consisting of 676 source code files.
Marble hides fragments of texts that would allow for the author of the malware to be identified, meaning the agency allows another party to be blamed for the hack.
Still believe Russia hacked the US elections?
RELEASE: CIA Vault 7 part 3 “Marble” https://t.co/M5NBFlXRu4 #Vault7 pic.twitter.com/HFyEf26FHK
— WikiLeaks (@wikileaks) March 31, 2017
CIA’s “Marble Framework” shows its hackers use potential decoy languages https://t.co/Hm3pTPSXIS
Background: https://t.co/GsoN4BuyTz pic.twitter.com/ZT66doCnfY
— WikiLeaks (@wikileaks) March 31, 2017
A Marble framework document reveals it supports the ability to “add foreign languages” to malware. “Now comes the fun stuff,” it reads, listing Chinese, Russian, Korean, Arabic and Farsi in example code, indicating the potential for the CIA to divert attention to international actors.
It’s “designed to allow for flexible and easy-to-use obfuscation” as “string obfuscation algorithms” often link malware to a specific developer, according to the whistleblowing site.
“This would permit a forensic attribution double game, for example by pretending that the spoken language of the malware creator was not American English, but Chinese, but then showing attempts to conceal the use of Chinese, drawing forensic investigators even more strongly to the wrong conclusion,” WikiLeaks explains, “But there are other possibilities, such as hiding fake error messages.”
The code also contains a ‘deobfuscator’ which allows the CIA text obfuscation to be reversed. “Combined with the revealed obfuscation techniques, a pattern or signature emerges which can assist forensic investigators attribute previous hacking attacks and viruses to the CIA.”
Previous Vault7 releases have referred to the CIA’s ability to mask its hacking fingerprints.
WikiLeaks claims the latest release will allow for thousands of viruses and hacking attacks to be attributed to the CIA.
Within @wikileaks #Vault7 #Marble release, instructions on adding foreign language to algorithms to hide #CIA malware & hacks #dnchack pic.twitter.com/gsyh4Y4Gwt
— Christine Maguire (@_ChrisMaguire) March 31, 2017
Full Press Release via WikiLeaks:
Today, March 31st 2017, WikiLeaks releases Vault 7 “Marble” — 676 source code files for the CIA’s secret anti-forensic Marble Framework. Marble is used to hamper forensic investigators and anti-virus companies from attributing viruses, trojans and hacking attacks to the CIA.
Marble does this by hiding (“obfuscating”) text fragments used in CIA malware from visual inspection. This is the digital equivallent of a specalized CIA tool to place covers over the english language text on U.S. produced weapons systems before giving them to insurgents secretly backed by the CIA.
Marble forms part of the CIA’s anti-forensics approach and the CIA’s Core Library of malware code. It is “[D]esigned to allow for flexible and easy-to-use obfuscation” as “string obfuscation algorithms (especially those that are unique) are often used to link malware to a specific developer or development shop.”
The Marble source code also includes a deobfuscator to reverse CIA text obfuscation. Combined with the revealed obfuscation techniques, a pattern or signature emerges which can assist forensic investigators attribute previous hacking attacks and viruses to the CIA. Marble was in use at the CIA during 2016. It reached 1.0 in 2015.
The source code shows that Marble has test examples not just in English but also in Chinese, Russian, Korean, Arabic and Farsi. This would permit a forensic attribution double game, for example by pretending that the spoken language of the malware creator was not American English, but Chinese, but then showing attempts to conceal the use of Chinese, drawing forensic investigators even more strongly to the wrong conclusion, — but there are other possibilities, such as hiding fake error messages.
The Marble Framework is used for obfuscation only and does not contain any vulnerabilties or exploits by itself.
The post Wikileaks releases “Marble”, proving that CIA hacks in Russian, Chinese and Farsi languages appeared first on The Duran.