Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

WikiLeaks Details Mac OS X Hacking Tools Used by CIA

The latest round of documents published by WikiLeaks as part of a leak dubbed by the organization “Vault 7” describes several tools allegedly used by the U.S. Central Intelligence Agency (CIA) to target Mac OS X and other POSIX systems.

The latest round of documents published by WikiLeaks as part of a leak dubbed by the organization “Vault 7” describes several tools allegedly used by the U.S. Central Intelligence Agency (CIA) to target Mac OS X and other POSIX systems.

The tools, said to be part of a CIA project named “Imperial,” are called Achilles, Aeris and SeaPea.

A “secret” document dated July 2011 reveals that Achilles is a tool that can be used to create trojanized OS X disk image installers (.dmg). The resulting DMG file will contain a legitimate application and malicious executables added by the user – these files will be executed only once after the real application has been launched.WikiLeaks leaks more alleged CIA hacking tools

SeaPea is an OS X rootkit designed to provide stealth and launching capabilities for other tools. Version 2.0 of SeaPea was detailed in documents previously dumped by WikiLeaks, but the new user guide provides information on version 4.0.

Finally, Aeris is an implant designed to target operating systems that are compliant with the Portable Operating System Interface for Unix (POSIX), including Debian, Red Hat, Solaris, FreeBSD and CentOS.

POSIX is a set of specifications for maintaining compatibility between Unix-like operating systems by defining the API for software compatibility. Apple’s operating systems are also POSIX-compliant.

The Aeris tool includes various features, including for automatically exfiltrating files and encrypted communications.

As with many of the other Vault 7 tools exposed by WikiLeaks, given that their user guides were written several years ago, it’s likely that these projects have either been improved considerably to keep up with the new security features introduced by the creator of the targeted software or they were abandoned altogether.

Other tools described in documents published by WikILeaks over the past few months are designed for intercepting SMS messages on Android devices (HighRise), redirecting traffic on Linux systems (OutlawCountry), stealing SSH credentials (BothanSpy), spreading malware on an organization’s network (Pandemic), locating people via their device’s Wi-Fi (Elsa), hacking routers and access points (Cherry Blossom), and accessing air-gapped networks (Brutal Kangaroo).

Related: Cisco Finds Zero-Day Vulnerability in ‘Vault 7’ Leak

Related: WikiLeaks CIA Files Linked to Espionage Group

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.

Cybercrime

Security researchers with Juniper Networks’ Threat Labs warn of a new Python-based backdoor targeting VMware ESXi virtualization servers.