
Wikileaks CIA Leak – Dark Matter - ShaneWilton
https://wikileaks.org/vault7/darkmatter/
======
ShaneWilton
I've finished reading all of the leak now (except the Broadcom manual that was
included for some reason?), and at least to me, the most interesting piece is
the manual for DerStarke [0].

It's a diskless, EFI-persistent implant for Mac OS X 10.8 and 10.9 that does
most of its network communications through a browser process. The manual
explicitly calls out that this is done to make it difficult to detect the
implant using tools like Little Snitch.

This is in contrast to a lot of the tools referenced in the previous leak,
which went to great efforts to keep their disk / memory footprint low, but
didn't otherwise get into much of the details about how they cloaked their
network comms.

Overall, the leak didn't include any capabilities that I was surprised to see.
Things like using adapters to install an implant on boot (Sonic Screwdriver
[1] in this dump) are super cool, but they aren't anything we haven't seen
done before. See Thunderstrike [2] for a really great lecture on this type of
attack.

Also, obligatory warning about WikiLeaks dumps: it's usually worth just
reading the leaked documents themselves, and avoiding the editorializing that
WikiLeaks always does. They tend to make unsubstantiated claims that end up
getting the brunt of the media's focus.

[0] https://wikileaks.org/vault7/darkmatter/document/DerStarke_v1_4_DOC/

[1] https://wikileaks.org/vault7/darkmatter/document/SonicScrewdriver_1p0

[2] https://events.ccc.de/congress/2014/Fahrplan/events/6128.html

