Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//NOFORN
6.1.3.3 (U) RiverJack Link File Config
(S) Link Folder Name: The name of the link folder that will be created. The link folder will be written to the directory specified by "Link Files Directory" in the Lachesis Execution Vector Config option.
(S) Link Target Head: The head of the link target (could be a drive letter, a hard disk partition number, or even a UNC path). You can specify potential drive letters, such as "E:\", "F:\", "G:\". These link files *MUST* be in alphabetical order.
(S) Library Path: The path and name of the mslibrary junction that will be created. The user must navigate to this directory for execution.
6.1.4 (U) None
(S) Target OS: All!
(S) Additional Requirements: The user *must* execute the program directly. *NOT* applicable with the "Condensed" Deployment type.
(S) How it works: There is no execution vector, so that action is passed to the operator: either through a trojan, an external execution vector, or the user double-clicking the binary.
6.2 (U) Deployment Configuration
(S) The deployment module controls the look of the tool on disk. BK requires one EXE, one deployment DLL, one deployment config file, and one payload config file. How these files appear or hide on disk depends on this module.
(S) The config files specify instructions for BK, and are encrypted to the specific drive you configure. Therefore, BK will ONLY execute on the drive it was initially configured on. Copying the BK files to another drive will result in the tool doing nothing.
(S) This also means that any change to the drive may cause the tool to fail to run. This is both good and bad, as it enables officers in the field to make a small change to the drive that then renders the tool inert. For example, changing the volume name will prevent the tool from running.
6.2.1 (U) Deploy Full On Disk
(S) How it works: As the name suggests, you deploy all the BK modules on disk and specify the name of each. This is the most basic option and is ideal unless multiple files may cause heavy scrutiny.
BKCore EXE File Name: The name of the primary executable for BK.
Deploy Config File Name: The name of the deployment configuration file (encrypted).
Payload Config File Name: The name of the payload configuration file (encrypted).
Blacklist: Process blacklist. If any of these processes are detected, then bail.
(S) You can use directory paths if you wish to bury some or all of these config modules on the drive. For example, you can say "Folder1/Folder2/BKCore.exe" for the EXE name. Also, file extensions do not need to match the file type, so you can call the DLL a .dat or use whatever you like.
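The remark that a deployed DLL may carry any extension is exactly the property an auditor of a removable drive can check for. The following is an added example and not part of the original document or the tool: it walks a directory tree and flags files whose bytes carry a PE header but whose extension is not an executable one. The sample tree, the name deploy.dat and the minimal fake PE bytes are constructed for the demonstration; BKCore.exe is the name used in the page's own example.

```python
import os
import struct
import tempfile

PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl", ".drv"}  # where a PE image is expected

def is_pe_file(path):
    """True if the file has a DOS 'MZ' stub and a 'PE\\0\\0' signature at the e_lfanew offset."""
    try:
        with open(path, "rb") as f:
            head = f.read(0x40)
            if len(head) < 0x40 or head[:2] != b"MZ":
                return False
            e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
            f.seek(e_lfanew)
            return f.read(4) == b"PE\0\0"
    except OSError:
        return False

def find_disguised_pe(root):
    """Paths under root whose bytes are a PE image but whose extension is not in PE_EXTENSIONS."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.splitext(name)[1].lower() not in PE_EXTENSIONS and is_pe_file(path):
                hits.append(path)
    return sorted(hits)

def make_fake_pe():
    """Constructed stand-in for a PE image (not runnable code): 'MZ' stub, e_lfanew = 0x40, then 'PE\\0\\0'."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\0\0" + b"\x00" * 16

def build_sample_drive(base):
    """Constructed sample tree: a DLL renamed .dat buried in subfolders, a plainly named EXE, a real data file."""
    os.makedirs(sub := os.path.join(base, "Folder1", "Folder2"), exist_ok=True)
    with open(os.path.join(sub, "deploy.dat"), "wb") as f:   # DLL hidden under a .dat name (constructed)
        f.write(make_fake_pe())
    with open(os.path.join(sub, "BKCore.exe"), "wb") as f:   # EXE name taken from the page's example
        f.write(make_fake_pe())
    with open(os.path.join(base, "readme.dat"), "wb") as f:  # ordinary data file, must not be flagged
        f.write(b"plain data, not a PE image\n")

def scan_sample():  # build the sample tree in a temp dir and return flagged paths relative to it
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_drive(tmp)
        return [os.path.relpath(p, tmp).replace(os.sep, "/") for p in find_disguised_pe(tmp)]
```

Pointing find_disguised_pe at a mounted drive root lists every PE image hiding under a data-file extension; the same walk can be extended with the other on-disk traits the page describes, such as executables buried several folders deep.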