1 Hard to Detect2 Windows Update Corruption
Operators can customize the payloads to behave differently for varying configurations, maintaining persistence through different methods. A pre-install survey determines the target’s operating system version, anti-virus software and more before deployment.
Hard to Detect
A major focus is so-called PSP avoidance. CIA Grasshopper elements can escape detection by major security products like Microsoft Security Essentials, Symantec Endpoint and Kaspersky IS. The payloads come in the form of exe, dll, sts and pic extensions, some with malicious payloads built-in, and others that can be triggered remotely. They are designed to “be loaded into and executed solely within memory,” making it more difficult for traditional anti-virus solutions to pick up. Once deployed, the CIA uses a number of techniques to ensure the malware stays. One such method is taken from Carberp, a malware that seems to come from Russian hackers.
Windows Update Corruption
Another technique uses Microsoft’s own Windows Update service to re-install itself. CIA Grasshopper can piggyback off the WUPS stub to deliver a payload every 22-hours. It works even if the user has disabled updates on their PC and can uninstall itself without a trace. Grasshopper also utilizes Windows Task Scheduler to run executables. It can run an executable automatically on startup, hiding the name and description of the task before stopping. Wikileaks says the intention of the release is to “provide an insight into the process of building modern espionage tools and insights into how the CIA maintains persistence over infected Microsoft Windows computers, providing directions for those seeking to defend their systems to identify any existing compromise.” Microsoft is yet to respond officially to the release, but may have a statement soon. The company previously said PCs on the latest Windows 10 version should be safe.
