Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//20350112
address. It does not necessarily mean that the client with that MAC address is the owner of that email address/chat user/VoIP number.
(S) Whenever an Alert is sent, the current Flytrap status and security information (of 15.1.2 and 15.1.3) is sent as well.
(U) Section 7 discusses Target handling in more detail.
5.2.3.7.1 (U) Alert Caching
(S) The Flytrap will cache Alerts and attempt to resend them if for some reason a connection cannot be established to the CT, or if an Alert transmission fails. The Alert includes a transmission time that is set just prior to each transmission and retry. From this transmission time, and the actual time of the Alert, the CT can discern the latency of the Alert (excluding transmission time).
5.2.3.8 (U) Target Monitoring
(S) Flytraps support Mission-configurable session monitoring that gives a more real-time indication of a Target’s activity directly following a Target detection/Alert event. This could be used, for example, to better judge the likelihood that a Target is still actively using, and hence located near, the Flytrap. Note that Target Monitor messages are cached as in 5.2.3.7.1.
(U) Section 7 discusses Target handling in more detail.
5.2.3.9 (U) Target Actions
(S) The Flytrap supports a number of Mission-configurable actions to take when a Target has been detected, including browser Redirect, Copy, and VPN Proxy/Link.
5.2.3.9.1 (U) Browser Redirect (Windex)
(S) The Browser Redirect (also referred to as Windex) Action uses a Mission-configurable URL to redirect a Target’s browser. Typically, the browser is redirected to a site that attempts to exploit the browser. The Target browser is redirected to the URL after the first HTTP GET Request to a root URL (e.g., http://www.google.com) following Target detection. The Target browser is only redirected to the URL once per Mission.
Redirect techniques include:
Double Iframe (Preferred technique) – the content of the HTTP Response (to the HTTP GET Request to a root URL) is replaced with a double Iframe. The first (primary) Iframe contains the URL of the original request. The second Iframe is hidden and contains the URL of the redirect (e.g., Windex) site.
HTTP Redirect – the content of the HTTP Response (to the HTTP GET Request to a root URL) is replaced with an HTTP Redirect to the redirect URL. This technique, when used with a Windex server, supports further redirection (after exploitation) of the browser to the originally requested URL.
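As an added defender-side example (not code from this document or from the CherryBlossom project), the following Python check flags both redirect techniques described above in a recorded request/response pair from a network monitor: a 3xx redirect on a root-URL GET whose Location points to another host, or a response body holding two iframes of which a hidden one points off-site. The redirect hostname in the sample is constructed; google.com is the page's own example root URL.

```python
import re
from urllib.parse import urlparse

# Added detection example, not CherryBlossom/Flytrap code: inspect what a client
# got back for a root-URL GET and flag the two rewrite shapes described above.
IFRAME_TAG = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR = re.compile(r'''([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))''', re.I)
HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def host(url):
    """Hostname, lower-cased, with a leading 'www.' dropped ('' if absent)."""
    h = (urlparse(url).hostname or "").lower()
    return h[4:] if h.startswith("www.") else h

def is_root_request(url):
    """The document says the redirect fires on a GET for a root URL only."""
    p = urlparse(url)
    return p.path in ("", "/") and not p.query

def hidden_offsite_iframes(request_url, body):
    """src of hidden iframes pointing to another host, only if 2+ iframes exist."""
    frames = [{m.group(1).lower(): m.group(2) or m.group(3) or m.group(4) or ""
               for m in ATTR.finditer(tag.group(1))} for tag in IFRAME_TAG.finditer(body)]
    if len(frames) < 2:  # the described technique always injects a pair
        return []
    hits = []
    for a in frames:
        src = a.get("src", "")
        hidden = (HIDDEN_CSS.search(a.get("style", "")) is not None
                  or a.get("width") == "0" or a.get("height") == "0")
        if hidden and host(src) and host(src) != host(request_url):
            hits.append(src)
    return hits

def analyse(request_url, status, headers, body):
    """Return (technique, destination) for a suspicious root-URL response, else None."""
    if not is_root_request(request_url):
        return None
    if status in (301, 302, 303, 307, 308):  # "HTTP Redirect" technique
        loc = headers.get("Location", "")
        if host(loc) and host(loc) != host(request_url):
            return ("http-redirect", loc)
    hits = hidden_offsite_iframes(request_url, body)  # "Double Iframe" technique
    return ("double-iframe", hits[0]) if hits else None

# Constructed sample body: visible frame of the original URL plus a hidden off-site frame.
SAMPLE_DOUBLE_IFRAME = ('<iframe src="http://www.google.com/" width="100%" height="100%"></iframe>'
                        '<iframe src="http://redirect.example.invalid/x" style="display: none"></iframe>')
```

Dropping `www.` before comparing hosts keeps the common `google.com` to `www.google.com` redirect from alerting, but any legitimate root-URL redirect to a different domain will still need an allow-list.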