WikiLeaks has released five documents that the private defense contractor Raytheon Blackbird Technologies provided to the CIA towards building the UMBRAGE Component Library (UCL). According to WikiLeaks, Raytheon acted as a technology scout for the CIA, examining malware found in the wild and recommending promising samples to CIA development teams for use in their own tools.
The documents, part of the Vault 7 series of releases, contain five reports. The first covers a keylogger by Emissary Panda, a threat actor believed to be based in China. The tool was not particularly sophisticated: it managed to persist on the system, but it communicated with its command and control servers in plain text. The second covers a remote access tool by Samurai Panda, another group believed to be operating from China. The tool was a variant of an Adobe Flash exploit used by the Italian company Hacking Team.
The next document outlines the capabilities of a fairly sophisticated piece of malware known as Regin. Regin has a six-stage architecture and is modular, allowing the malware to be customised for a particular target or operation. The customisation is done through modular payloads built for specific purposes, including file system access, networking capabilities, compression operations, port blocking, packet filtering and so on.
Another document describes the Gamker Trojan, which is used for stealing information. The Trojan apparently uses unusual assembly language instructions to obfuscate its code.
The most sophisticated malware described in this set of releases is HammerToss, which is suspected to be Russian state-sponsored malware. It uses Twitter accounts, GitHub or compromised websites, and cloud storage to arrange its command and control operations, and has a five-stage architecture. The malware contains an algorithm that generates a new Twitter handle each day, which the malware then checks for further instructions.