Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

mklp.py Script - creates new LP keys
patcher.py Script - builds a replica of a deployed instance
postproc.py Script - processes exfiltrated data
task_builder.py Script - task generator
All scripts and builders should remain on the high side. The builder will output
UNCLASSIFIED binaries, keys, and configurations, as explained in the next section.
Note that we provide the source code for our CGI program so that operators can modify
and control the LP infrastructure as they see fit.
BUILD INSTRUCTIONS
Use builder.py; see builder.py -h for details. Python 2.7 is required.
The builder outputs the following directory structure:
DEPLOY_{target ID}_{timestamp}/: top level directory
  implant/: target files
    aeris: implant binary (UNCLASSIFIED)
    config: encrypted implant config (UNCLASSIFIED)
  keys/: implant and CA keys
    ca.cert: CA certificate (UNCLASSIFIED)
    ca.priv: CA private key (SECRET//NOFORN)
    tgt.cert: implant certificate (UNCLASSIFIED)
    tgt.priv: implant private key (UNCLASSIFIED)
  lp/: LP files
    {lp 1}/: files for lp 1
      {lp 1}-inst: installer for lp 1 (UNCLASSIFIED)
      {lp 1}.cert: certificate for lp 1 (UNCLASSIFIED)
      {lp 1}.priv: private key for lp 1 (UNCLASSIFIED)
      {lp 1}.conf: apache config file for lp 1 (UNCLASSIFIED)
    {lp 2}/...
    {lp 3}/...
  receipt: human-readable receipt (SECRET//NOFORN)
  receipt.xml: XML/machine-readable receipt (SECRET//NOFORN)
Each LP installer contains all keys and Apache configuration files necessary for an LP
deployment. It is based on a Fedora 14 LP provided by COG/NOD operators late in 2011. Since
this LP may differ in configuration from the operational LP at the time of an Aeris
deployment, the LP builder script is intended primarily as a step-by-step guide to
configuring an Aeris LP. We recommend that the user not run the script outright but rather
adapt the script or issue the steps manually to account for any differences in LP
configuration.
DEPLOYMENT INSTRUCTIONS
INSTALLATION
Aeris does not have a separate installer. To deploy it, simply place an Aeris binary in the
desired directory. Rename the binary in any way that you wish. Note that the configuration
is patched in at build time; hence, no additional files (beyond possibly those related to
persistence -- see the next section) are needed.
PERSISTENCE
Since mechanisms for persistence vary greatly among POSIX-compliant systems, Aeris does not
have such functionality built-in. The operator must supply persistence methods, and, if
desired, the developers can incorporate them into the Aeris builder in a later phase.
Note that any persistence mechanism should invoke Aeris as described in Section IV.
IMPLANT IDENTIFIERS
When Aeris reports back to the LP, it will include its implant identifier along with the
payload. This identifier consists of two parts: a parent (static) part equal to the
implant identifier specified at build time, and a child (dynamic) part created from the
hardware addresses of up to four NICs on the target system. The format is as follows:
{parent}-{NIC 1}-{NIC 2}-{NIC 3}-{NIC 4}
The NICs will be sorted so that they appear deterministically (alphabetical order).
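As a check a defender reviewing LP access logs or a captured beacon could apply to the identifier format above, here is an added example (Python 3; not code from the guide or the Aeris project). It assumes each NIC part is the hardware address written as 12 hex digits without separators and that the parent part is an alphanumeric build-time token, neither of which the document specifies:

```python
import re
from dataclasses import dataclass
from typing import List

# Assumed, since the guide does not spell it out: each NIC part is the hardware
# address as 12 hex digits without separators; the parent part is a build-time
# token of letters, digits and underscores.
MAC_RE = re.compile(r"^[0-9a-fA-F]{12}$")
PARENT_RE = re.compile(r"^[A-Za-z0-9_]+$")
MAX_NICS = 4
CANDIDATE_RE = re.compile(r"[A-Za-z0-9_]+(?:-[0-9a-fA-F]{12}){1,4}")

@dataclass
class AerisId:
    parent: str
    nics: List[str]
    problems: List[str]  # empty when the identifier matches the described format

def parse_implant_id(ident: str) -> AerisId:
    """Split {parent}-{NIC 1}-...-{NIC 4} and record every deviation from the format."""
    parts = ident.strip().split("-")
    parent, nics = parts[0], parts[1:]
    problems = []
    if not PARENT_RE.match(parent):
        problems.append("parent part is empty or has unexpected characters")
    if not nics:
        problems.append("no NIC part present")
    elif len(nics) > MAX_NICS:
        problems.append(f"{len(nics)} NIC parts, at most {MAX_NICS} expected")
    bad = [n for n in nics if not MAC_RE.match(n)]
    if bad:
        problems.append(f"NIC parts are not 12-hex-digit addresses: {bad}")
    # The guide says NIC parts are emitted in sorted (alphabetical) order, so an
    # unsorted list means the string was not produced the way it describes.
    if nics != sorted(nics):
        problems.append("NIC parts are not in sorted order")
    return AerisId(parent, nics, problems)

def find_implant_ids(text: str) -> List[AerisId]:
    """Scan free text (e.g. LP access-log lines) for candidate identifiers;
    each is returned parsed, well-formed or not, so malformed ones stand out."""
    return [parse_implant_id(tok) for tok in CANDIDATE_RE.findall(text)]

# Constructed sample log lines (not from the guide): one well-formed id, one unsorted, one none.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2012:10:00:00 +0000] "POST /cgi-bin/lp?id=TGT01-001122334455-aabbccddeeff HTTP/1.1" 200 17
10.0.0.6 - - [01/Jan/2012:10:00:05 +0000] "POST /cgi-bin/lp?id=TGT02-aabbccddeeff-001122334455 HTTP/1.1" 200 17
10.0.0.7 - - [01/Jan/2012:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 612
"""
```

Identifiers whose NIC parts are out of order, or carry more than four parts, are the ones worth a second look, since the guide says a genuine build never emits them that way.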
SECRET//NOFORN