Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

ROOTKIT HIDING FEATURES
Files/Directories
As with processes, the operator can specify the names of files or directories that should be hidden from normal and elite processes.
(Note that super-elite processes can see all files and directories on the system.)
When a non-super-elite process executes commands such as ‘ls’ or ‘lsof’, or uses the Finder to browse directories/files, all files
or directories whose names match a registered hidden file name EXACTLY are hidden. By default, all files or directories
named .ptm.log are hidden.
To add or remove a file name from the list, refer to the COMMANDS section.
Because the hiding functionality relies on exact name matching, the recommended use case is to hide a directory that contains
the desired hidden files. Because the parent directory is excluded from system queries by elite and normal processes, the
individual files inside it are excluded as well. Thus, they will not appear when querying the system via ‘Finder’, ‘ls’, ‘find’, et al.
Names that are hidden should be relatively unique or unlikely to exist elsewhere on the system, so that the file or directory
hiding functionality does not interfere with the normal operation of user processes.
IMPORTANT NOTE: Files/directories that are hidden by the rootkit may still be indexed by Spotlight. There are undocumented
conventions for preventing Spotlight indexing.
Process Activity
Process Hiding: An elite/super-elite process is hidden from non-super-elite processes. When a non-super-elite process executes
ps, top, or Activity Monitor, all elite/super-elite processes will be hidden.
Network/Port Hiding: A TCP IPv4 socket initiated by an elite/super-elite process is hidden from non-super-elite processes. When
a non-super-elite process executes netstat or lsof -i -P, all elite/super-elite socket connections will be hidden.
SeaPea hides both foreign and local ports, and it also hides listening server sockets.
Little Snitch will not flag elite/super-elite processes. However, if a target has the Little Snitch Network Monitor open, the
implant process name and URL will show up there, although the connection will not be stopped. It is rare for someone to have the
Network Monitor up, and even more rare to actually look at it. We recommend that the implant process name and URLs fit a
CONOPS that would make sense (e.g., an update application contacting an update server).
IMPORTANT NOTE: Currently SeaPea does not hide IPv6 or UDP sockets; connections over those protocols remain visible to netstat and lsof.
COMMANDS
All commands must be run as an Elite process, with the exception of the command that makes a process go Elite. All the examples
below assume that you are running the command from the Terminal. However, you can also run any of the commands from a
function that calls the open syscall; touch is merely a convenient way of invoking the open syscall. References to {.|..} refer to
affecting the current or parent process respectively (so ‘touch ..asdf/hfs99_open’ affects the shell that launched touch, not the
touch process itself). Note that {non-exist-dir} in the table below refers to any relative path that does not exist.
Description                          Command                                      Example
go Elite                             {.|..}{non-exist-dir}/hfs99_open             touch ..asdf/hfs99_open
go non-Elite                         {.|..}{non-exist-dir}/hfs99_close            touch ..eixz/hfs99_close
Elite becomes Super-Elite            {.|..}{non-exist-dir}/rev411_open            touch ..asdf/rev411_open
Super-Elite becomes Elite            {.|..}{non-exist-dir}/rev411_close           touch ..asdf/rev411_close
Add stealth-filter-string            ..{non-exist-dir}/string.sparseimg_open      touch ..ad/secret_file.sparseimg_open
Remove stealth-filter-string         ..{non-exist-dir}/string.sparseimg_close     touch ..ddd/secret_file.sparseimg_close
Make process Elite when it launches  ..{non-exist-dir}/{procName}.machport_lock   touch ..dff/beacon.machport_lock
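The control channel in the table above is just a sequence of open() calls on paths that cannot exist, which makes it a natural thing to look for in a syscall trace. The following Python is an added example and is not SeaPea code or part of the original document: it encodes the path convention from the table (the '.'/'..' target marker, a nonexistent pseudo-directory, then a fixed command file or an argument carrying a .sparseimg_open / .sparseimg_close / .machport_lock suffix), flags matching opens in a trace, and replays them to recover the Elite levels, stealth-filter strings and auto-Elite process names the session implies. The trace format (pid ppid comm path), the pids and the process names are assumptions made for the example; the trace itself is constructed, not captured.

```python
# Added example, not SeaPea code: detect the open()-based control channel from
# the COMMANDS table in a syscall trace.  The "pid ppid comm path" trace format,
# pids and process names are assumptions made for this example.
import re
from dataclasses import dataclass
from typing import Optional

# Fixed command files.  The leading '.' or '..' selects the calling process or its
# parent; the pseudo-directory in front may be any relative path that does not exist.
PROCESS_COMMANDS = {
    "hfs99_open": "go Elite",
    "hfs99_close": "go non-Elite",
    "rev411_open": "Elite becomes Super-Elite",
    "rev411_close": "Super-Elite becomes Elite",
}
# Suffixes that carry an argument: a name to hide, or a process name to auto-Elite.
SUFFIX_COMMANDS = {
    ".sparseimg_open": "add stealth-filter-string",
    ".sparseimg_close": "remove stealth-filter-string",
    ".machport_lock": "make process Elite when it launches",
}
# '.' or '..', a pseudo-directory name, then exactly one more path component.
# Ordinary './x' and '../x' have an empty directory name and therefore do not match.
_CONTROL_PATH = re.compile(r"^(\.\.?)([^./][^/]*)/([^/]+)$")

@dataclass
class ControlCommand:
    action: str              # wording from the COMMANDS table
    target: str              # "current" for '.', "parent" for '..'
    argument: Optional[str]  # hidden name / process name, if the command takes one

def parse_control_path(path: str) -> Optional[ControlCommand]:
    """Return the command encoded in `path`, or None if it is not a control path."""
    m = _CONTROL_PATH.match(path)
    if not m:
        return None
    dots, _pseudo_dir, name = m.groups()
    target = "current" if dots == "." else "parent"
    if name in PROCESS_COMMANDS:
        return ControlCommand(PROCESS_COMMANDS[name], target, None)
    for suffix, action in SUFFIX_COMMANDS.items():
        if name.endswith(suffix) and len(name) > len(suffix):
            return ControlCommand(action, target, name[:-len(suffix)])
    return None

@dataclass
class Alert:
    affected_pid: int  # the caller for '.', the caller's parent for '..'
    caller: str
    path: str
    command: ControlCommand

def scan_trace(lines: list) -> list:
    """Flag every open() in a 'pid ppid comm path' trace that is a control command."""
    alerts = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line: skip rather than guess
        pid, ppid, comm, path = int(parts[0]), int(parts[1]), parts[2], parts[3]
        cmd = parse_control_path(path)
        if cmd is not None:
            alerts.append(Alert(pid if cmd.target == "current" else ppid, comm, path, cmd))
    return alerts

def reconstruct_state(alerts: list):
    """Replay flagged commands -> (pid -> Elite level, hidden names, auto-Elite names).

    rev411 transitions only move a process already at the right level and .ptm.log is
    hidden by default, as documented.  The requirement that the caller be Elite for
    everything except hfs99_open cannot be seen in the trace, so it is not enforced.
    """
    elite, hidden, auto_elite = {}, {".ptm.log"}, set()
    for a in alerts:
        act, pid, arg = a.command.action, a.affected_pid, a.command.argument
        if act == "go Elite":
            elite[pid] = "Elite"
        elif act == "go non-Elite":
            elite.pop(pid, None)
        elif act == "Elite becomes Super-Elite" and elite.get(pid) == "Elite":
            elite[pid] = "Super-Elite"
        elif act == "Super-Elite becomes Elite" and elite.get(pid) == "Super-Elite":
            elite[pid] = "Elite"
        elif act == "add stealth-filter-string":
            hidden.add(arg)
        elif act == "remove stealth-filter-string":
            hidden.discard(arg)
        elif act == "make process Elite when it launches":
            auto_elite.add(arg)
    return elite, hidden, auto_elite

# Constructed trace, not captured from a real host: pid 801 is an interactive shell,
# the other pids are its children.  Line 6 targets the touch process itself ('.'),
# which is not Elite, so the documented rules make that transition a no-op.
SAMPLE_TRACE = """\
812 801 touch ..asdf/hfs99_open
815 801 touch ..ad/secret_file.sparseimg_open
820 801 touch ..dff/beacon.machport_lock
822 801 vim ./notes.txt
830 801 cat ../Makefile
840 801 touch .xq/rev411_open
845 801 touch ..asdf/rev411_open
"""

if __name__ == "__main__":
    found = scan_trace(SAMPLE_TRACE.splitlines())
    for a in found:
        print(f"pid {a.affected_pid} via {a.caller}: {a.command.action} {a.command.argument or ''}")
    print(reconstruct_state(found))
```

On the constructed trace the scan flags five opens and the replay ends with the shell (pid 801) at Super-Elite, ‘secret_file’ added to the hidden names beside the default .ptm.log, and ‘beacon’ registered for Elite at launch. The point to take from the '..' handling is that the process that ends up Elite is the parent of the process that made the open() call, so a detection that only looks at the calling process (touch) misses the one that matters.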
EXAMPLES
Make the current bash shell elite
SECRET//NOFORN
Rev 07/08/2011 3