The latest round of documents published by WikiLeaks as part of a leak dubbed by the organization “Vault 7” describes several tools allegedly used by the U.S. Central Intelligence Agency (CIA) to target Mac OS X and other POSIX systems.
The tools, said to be part of a CIA project named “Imperial,” are called Achilles, Aeris and SeaPea.
A “secret” document dated July 2011 reveals that Achilles is a tool that can be used to create trojanized OS X disk image installers (.dmg). The resulting DMG file will contain a legitimate application and malicious executables added by the user – these files will be executed only once after the real application has been launched.
SeaPea is an OS X rootkit designed to provide stealth and launching capabilities for other tools. Version 2.0 of SeaPea was detailed in documents previously dumped by WikiLeaks, but the new user guide provides information on version 4.0.
Finally, Aeris is an implant designed to target operating systems that are compliant with the Portable Operating System Interface for Unix (POSIX), including Debian, Red Hat, Solaris, FreeBSD and CentOS.
POSIX is a set of specifications for maintaining compatibility between Unix-like operating systems by defining the API for software compatibility. Apple’s operating systems are also POSIX-compliant.
The Aeris tool includes various features, including for automatically exfiltrating files and encrypted communications.
As with many of the other Vault 7 tools exposed by WikiLeaks, given that their user guides were written several years ago, it’s likely that these projects have either been improved considerably to keep up with the new security features introduced by the creator of the targeted software or they were abandoned altogether.
Other tools described in documents published by WikILeaks over the past few months are designed for intercepting SMS messages on Android devices (HighRise), redirecting traffic on Linux systems (OutlawCountry), stealing SSH credentials (BothanSpy), spreading malware on an organization’s network (Pandemic), locating people via their device’s Wi-Fi (Elsa), hacking routers and access points (Cherry Blossom), and accessing air-gapped networks (Brutal Kangaroo).
Related: Cisco Finds Zero-Day Vulnerability in ‘Vault 7’ Leak