The latest bombshell to come out of WikiLeaks’ Vault7 series of leaks from the CIA exposes a tool codenamed “Grasshopper”, which allows operatives to deploy persistent surveillance and hacking payloads on target Windows-based computer systems and remain undetected by popular anti-malware and anti-virus tools.
WikiLeaks has an array of documentation online, including an in-depth user’s guide for Grasshopper. The user’s guide explains that Grasshopper is “a software tool used to build custom installers for target computers running Microsoft Windows operating systems”, which seems straightforward enough, and quite frankly the kind of thing you’d expect an intelligence agency to have at its disposal. But a deeper look at the documents reveals some much more alarming details.
Image Source: The Grasshopper User's Guide
The Grasshopper user’s guide also explains that “executables may contain considerable equities, including persistence techniques and any number of payloads. With this in mind, it is important to consider carefully the tradecraft of building and executing a Grasshopper”. The user’s guide also says that the operation “uses an unspecified tool” to run the Grasshopper executable within a particular Windows process that has the necessary permissions for the intended task, of which there can be many: key logging, collecting stored passwords, data detection and destruction, you name it.
Another interesting part of the story is that the “unspecified tool” mentioned in the user’s guide may have stemmed from Russian organized crime. Grasshopper uses something called the “Stolen Goods 2.1 (SG2)” persistence module, which is based on third-party malware. A document detailing SG2 reveals: “The components were taken from malware known as Carberp, a suspected Russian rootkit used by organized crime. The source of Carberp was published online, and has allowed AED\RDB to easily ‘borrow’ components as needed from the malware.”
There is a myriad of Grasshopper-related documentation on the WikiLeaks site, and their Twitter feed is rife with some of the scarier excerpts as well. One tweet contains payload execution details for Grasshopper that outline how the tool can invade the Windows Update Service and reinstall itself automatically every 22 hours.