Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//20350112
access. In most cases, the manufacturers patch holes as they are reported. Still, although
perhaps not trivial, it is not inconceivable that a user could gain shell access to the device.
(S) An adversary gaining a shell might detect a few extra processes running: Mission
Manager, Copy (if the Flytrap is executing a Mission with a Copy/Copy All Action),
VPN (if the Flytrap is executing a Mission with a VPN Proxy/Link Action). They might
also detect an extra kernel module (the Generic Filter).
(S) An adversary could check the NVRAM settings as in 13.2.
(S) Note that Target email/chat/MAC addresses are always hashed and are only stored in
RAM.
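The host-side artifacts listed above (extra user-space processes, an extra kernel module) are exactly what a baseline comparison catches. The following is an added example, not code from the document: it parses BusyBox-style `ps` and `lsmod` output, which is what a typical consumer-router shell provides, and reports anything absent from a baseline taken on a clean unit of the same firmware, plus any process executing from a writable, volatile location. The sample output, the baseline sets, and the names `example_extra_daemon` and `placeholder_filter` are constructed placeholders, not names from the page.

```python
"""Compare a router's running processes and loaded kernel modules against a
known-good baseline taken from a clean unit of the same firmware.

Added example (not code from the page). It assumes BusyBox-style `ps` and
`lsmod` output, which is what most consumer router shells provide."""
import os
from dataclasses import dataclass

# Constructed sample output; the extra daemon and module names are hypothetical
# placeholders, not names from the page.
SAMPLE_PS = """\
  PID USER       VSZ STAT COMMAND
    1 root      1424 S    init
   87 root      1200 S    /sbin/syslogd -m 0
  203 root      2276 S    /usr/sbin/httpd -p 80
  251 root      1800 S    /usr/sbin/dnsmasq
  402 root      3100 S    /tmp/example_extra_daemon -c /tmp/cfg
  419 root         0 SW   [kworker/0:1]
"""
SAMPLE_LSMOD = """\
Module                  Size  Used by
nf_conntrack           62000  2 nf_nat,ipt_MASQUERADE
ath9k                  98000  0
placeholder_filter      8192  0
"""
# Baseline captured from a clean device of the same model and firmware (constructed).
BASELINE_PROCESSES = {"init", "syslogd", "httpd", "dnsmasq"}
BASELINE_MODULES = {"nf_conntrack", "nf_nat", "ipt_MASQUERADE", "ath9k"}
# Writable locations a legitimate firmware daemon should not execute from.
VOLATILE_PREFIXES = ("/tmp/", "/var/", "/dev/shm/", "/mnt/")


@dataclass
class ProcessFinding:
    pid: int
    exe: str
    not_in_baseline: bool
    volatile_path: bool


def parse_ps(text):
    """Yield (pid, executable path) for user-space processes, skipping the
    header line and bracketed kernel threads."""
    for line in text.splitlines():
        parts = line.split(None, 4)  # PID USER VSZ STAT COMMAND
        if len(parts) < 5 or parts[0] == "PID":
            continue
        command = parts[4]
        if command.startswith("["):
            continue
        yield int(parts[0]), command.split()[0]


def parse_lsmod(text):
    """Return the set of loaded module names (first column) from lsmod output."""
    names = set()
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] != "Module":
            names.add(parts[0])
    return names


def compare_to_baseline(ps_text, lsmod_text, baseline_procs, baseline_mods):
    """Return processes and modules that deviate from the baseline."""
    procs = []
    for pid, exe in parse_ps(ps_text):
        missing = os.path.basename(exe) not in baseline_procs
        volatile = exe.startswith(VOLATILE_PREFIXES)
        if missing or volatile:
            procs.append(ProcessFinding(pid, exe, missing, volatile))
    modules = sorted(parse_lsmod(lsmod_text) - baseline_mods)
    return {"processes": procs, "modules": modules}


if __name__ == "__main__":
    result = compare_to_baseline(SAMPLE_PS, SAMPLE_LSMOD,
                                 BASELINE_PROCESSES, BASELINE_MODULES)
    for p in result["processes"]:
        print(f"process {p.pid} {p.exe}: in_baseline={not p.not_in_baseline} "
              f"volatile_path={p.volatile_path}")
    for m in result["modules"]:
        print(f"module {m}: not in baseline")
```

The baseline must come from the same model and firmware revision, otherwise every legitimate difference between builds becomes a false positive; and because the document notes that target identifiers live only in RAM, the comparison is worth doing live on the device rather than on a later flash dump.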
13.4 (S) Network Emissions and Packet Analysis
(S) This is perhaps the most important section, because network traffic is the easiest
and most likely form of forensics to be performed on a Flytrap. The most common Flytrap
emission is a Beacon. Beacons are encrypted and employ a covert communication technique
as in 15.1. Setting a Mission-configurable Traffic Requirement with a large Traffic
Requirement Timeout will cause the device not to send a Beacon unless the device has
internet connectivity and an ambient traffic threshold is achieved. Still, once a Beacon
is sent, packet capture software (e.g., Wireshark) could be used to capture packets
(albeit encrypted within a covert communication technique) destined to a PoP.
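Because the Beacon payload is encrypted and wrapped in a covert channel, packet contents give an analyst little; what stands out is that the router itself, rather than a client behind it, is the source of the flow, and that beacons tend to recur on a schedule. The following is an added example, not code from the document: it takes a flow log captured upstream of the device (one flow per line: timestamp, source, destination, port, bytes), keeps only flows the router originates to destinations outside a small allowlist of hosts it legitimately contacts (NTP, DNS), and scores each destination for regularity of inter-flow intervals. The addresses, the allowlist and the flow lines are constructed TEST-NET samples, not values from the page.

```python
"""Flag flows that a router itself originates towards destinations it has no
business contacting, and score them for beacon-like regularity.

Added example (not code from the page). It assumes a flow log captured
upstream of the device, one flow per line: ISO-8601 timestamp, source IP,
destination IP, destination port, bytes."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample (TEST-NET addresses, not from the page). 192.0.2.10 is the
# router's own WAN address; 10.0.0.5 is a LAN client behind it.
ROUTER_IPS = {"192.0.2.10"}
# Hosts the router legitimately contacts on its own behalf: its NTP and DNS servers.
ALLOWLIST = {"192.0.2.1", "192.0.2.53"}
SAMPLE_FLOWS = """\
2017-01-10T00:00:00Z 192.0.2.10 192.0.2.1 123 76
2017-01-10T00:00:12Z 10.0.0.5 203.0.113.9 443 9120
2017-01-10T00:05:00Z 192.0.2.10 198.51.100.7 443 1420
2017-01-10T00:10:00Z 192.0.2.10 198.51.100.7 443 1388
2017-01-10T00:12:30Z 10.0.0.5 203.0.113.9 443 3301
2017-01-10T00:15:00Z 192.0.2.10 198.51.100.7 443 1402
2017-01-10T00:16:00Z 192.0.2.10 192.0.2.53 53 64
2017-01-10T00:20:00Z 192.0.2.10 198.51.100.7 443 1410
2017-01-10T00:21:00Z 192.0.2.10 203.0.113.50 80 512
"""


def parse_flows(text):
    """Parse the flow log into dicts; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src, "dst": dst, "dport": int(dport), "bytes": int(nbytes),
        })
    return flows


def router_originated(flows, router_ips, allowlist):
    """Keep flows whose source is the router itself and whose destination is
    not one it is expected to talk to on its own behalf."""
    return [f for f in flows if f["src"] in router_ips and f["dst"] not in allowlist]


def interval_stats(times):
    """Mean and population stdev of the gaps between consecutive flows, in
    seconds; None when fewer than two gaps exist."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return None, None
    return mean(gaps), pstdev(gaps)


def detect_beacons(text, router_ips, allowlist, max_jitter=0.1):
    """Group suspicious router-originated flows by destination and mark a
    destination as periodic when interval jitter (stdev/mean) is below max_jitter."""
    by_dst = defaultdict(list)
    for f in router_originated(parse_flows(text), router_ips, allowlist):
        by_dst[f["dst"]].append(f)
    findings = []
    for dst, fl in by_dst.items():
        avg, sd = interval_stats([f["time"] for f in fl])
        periodic = avg is not None and avg > 0 and (sd / avg) < max_jitter
        findings.append({
            "dst": dst,
            "count": len(fl),
            "total_bytes": sum(f["bytes"] for f in fl),
            "mean_interval_s": avg,
            "periodic": periodic,
        })
    findings.sort(key=lambda x: (-x["count"], x["dst"]))
    return findings


if __name__ == "__main__":
    for finding in detect_beacons(SAMPLE_FLOWS, ROUTER_IPS, ALLOWLIST):
        print(finding)
```

Two caveats follow directly from the section: a one-off router-originated flow (the second finding here) is still worth a look even though it is not periodic, and a quiet capture proves nothing, since the Traffic Requirement described above suppresses Beacons until the device sees both connectivity and enough ambient traffic, so the capture window has to span normal use of the network.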