WikiLeaks Exposes CIA’s Angelfire Toolset For Hacking Window XP And Windows 7 PCs
Angelfire consists of five components, including Solartime, Wolfcreek, Keystone (previously MagicWand), BadMFS,a nd the Windows Transitory File system. Each of these parts has a distinct job. It starts with Solartime, which modifies the partition boot sector so that when Windows fires up boot time device drivers, it also loads and executes the Wolfcreek implant. Once executed, it is able to load and run other Angelfire implants
According the documentation, Keystone is part of the Wolfcreek implant and is responsible for starting up malicious user applications. What makes all this hard to detect is that loaded implants never touch the file system. It also disguises itself as svchost.exe in the C:\Windows\system32 directory.
BadMFS is described as a covert file system that is created at the end of the active partition. Angelfire uses BadMFS to store all other components, with all files being obfuscated and encrypted.
Finally, the Windows Transitory File system is a newer component that is an alternative to BadMFS. Rather than store files on a secret file system, the component uses temporary files for the storage system. These files are added to the UserInstallAppl (both the .exe or .dll versions).
Summed up, Angelfire is yet another tool the CIA used for hacking Windows PCs. Compared to other tools, such as Grasshopper and AfterMidnight, Angelfire seems a bit rudimentary with plenty of cons. For example, some versions of BadMFS can be detected because the reference to the covert file system is stored ina file named "zf." Additionally, loading implants can cause memory leaks that might be detected on infected machines.
It is not known if the CIA has fully retired Angelfire or if it is now using a newer, more sophisticated version.