Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//20350112
VPN Link – a network sniffer could reveal a VPN tunnel that might be suspicious. A VPN Link timeout can be configured to mitigate detection. Note that VPN Link does not interfere with network traffic passing through the Flytrap, so network throughput is not affected.
Windex Injected Iframe – this technique appends an Iframe into the content requested by the browser. This can cause the browser difficulties rendering some pages, depending on where the Iframe was inserted. It can also cause the exploit to fail if the user navigates to a new page while the Windex exploit is loading.
Windex Redirect – clearly, if a Target is redirected to a site different from the one expected, they could become suspicious. The Redirect Action was created to support browser exploitation of the Target through Windex. Note that a Windex URL can be assigned that will redirect a Target to Windex and, after Windex has accomplished the browser exploit, will direct that Target to the original page that was requested – see 9.11.2.
Target Monitoring Interval – if a Target is detected and Target Monitoring is enabled, the Flytrap sends an Active/Inactive message every Target Monitor Interval. Note that the message is encrypted and wrapped in a covert communication technique (see 15.1). Target Monitoring can be disabled (set Target Monitoring Interval to 0), but then real-time feedback on the Target’s network activity is not received.
Harvest – if Harvest mode is enabled in a Mission, every Beacon will contain any email addresses/chat users harvested since the previous Beacon, which will increase the size of the Beacon data. Harvest data never exceeds 3 kilobytes, and the Beacon is encrypted and wrapped in a covert communication technique (see 15.1). The Beacon interval could be made longer, but then it is more likely that the 3-kilobyte harvest buffer would fill up.
Beacon – Beacons are periodically sent to report status and retrieve new Missions. Beacons are encrypted and wrapped in a covert communication technique (see 15.1). Flytraps can also be configured to only Beacon if a Traffic Requirement is met (see 5.2.3.2 and 15.2), further mitigating Flytrap detection. The Beacon Interval can also be increased to mitigate detection, but then obviously the Flytrap will not be able to get new Missions as often.
Alert – Alerts are sent whenever a Target is detected. Alerts are encrypted and wrapped in a covert communication technique (see 15.1).
(S) The planning and assignment of a Mission should take into account the Flytrap covertness tradeoff. For example, if a Flytrap is operating in a wireless internet café environment where the owner is unlikely to monitor or analyze the Flytrap, then it may be reasonable to apply more detectable features/Actions such as Copy. However, if a Flytrap is operating in an environment more likely to be monitored and analyzed by a system administrator, then more detectable features/Actions should be assigned with caution.
(S) Finally, in most scenarios, it may make sense to start with a very “conservative” Mission (i.e., no Actions, no Target Monitoring, no Harvest, long Beacon Interval). As a “comfort level” is achieved on a particular Flytrap, more “liberal” Missions could then be assigned.