01 September, 2017
"Solartime" modifies the partition boot sector of Windows XP or Windows 7 machines when installed, allowing the "Wolfcreek" implant to load and execute.
According to the new WikiLeaks documents, the tool is called "Angelfire" and consists of five components.
According to WikiLeaks' Vault 7 files, Solartime is a malware component designed exclusively to alter the Windows partition boot sector, which would allow the system to be infected with the Wolfcreek implant when Windows loads boot-time device drivers. "Wolfcreek" can then load and execute other "Angelfire" implants.
BadMFS: This is a covert file system created at the end of the active partition that's used to store all drivers and implants that Wolfcreek will start.
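As an added defender-side illustration (not code from this article or from the leaked documents), the following Python checks a disk image for the two on-disk traces just described: it hashes the active partition's boot sector (VBR) against a known-good baseline, and it measures the unallocated sectors between the end of the active partition and the next partition or the end of the disk, where a covert file system would have to sit. The disk layout, the "KNOWN-GOOD-VBR" contents and the baseline hash are constructed for the example.

```python
import hashlib
import struct

SECTOR = 512

def parse_mbr(mbr: bytes) -> list:
    """Parse the four primary entries of a classic MBR partition table."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing MBR signature")
    entries = []
    for i in range(4):
        e = mbr[446 + 16 * i:446 + 16 * i + 16]
        start, count = struct.unpack("<II", e[8:16])  # LBA start, sector count
        if count:  # skip empty slots
            entries.append({"active": e[0] == 0x80, "type": e[4],
                            "start": start, "end": start + count})  # end is exclusive
    return entries

def vbr_sha256(image: bytes, part: dict) -> str:
    """Fingerprint the partition boot sector, the sector Solartime is said to alter."""
    off = part["start"] * SECTOR
    return hashlib.sha256(image[off:off + SECTOR]).hexdigest()

def check_image(image: bytes, baseline_vbr: str) -> dict:
    """Compare the active VBR with a known-good hash and count the slack sectors after it."""
    parts = parse_mbr(image[:SECTOR])
    active = next(p for p in parts if p["active"])
    disk_sectors = len(image) // SECTOR
    later = [p["start"] for p in parts if p["start"] >= active["end"]]
    next_boundary = min(later) if later else disk_sectors
    return {
        "vbr_modified": vbr_sha256(image, active) != baseline_vbr,
        "slack_after_active": next_boundary - active["end"],
    }

def build_image(disk_sectors: int = 2048, vbr: bytes = b"KNOWN-GOOD-VBR") -> bytearray:
    """Constructed sample image: one active NTFS-type partition at LBA 63, 85 sectors of slack."""
    img = bytearray(disk_sectors * SECTOR)
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 63, 1900)
    img[446:462] = entry
    img[510:512] = b"\x55\xaa"
    img[63 * SECTOR:63 * SECTOR + len(vbr)] = vbr
    return img

if __name__ == "__main__":
    clean = build_image()
    baseline = vbr_sha256(clean, parse_mbr(clean[:SECTOR])[0])
    print(check_image(clean, baseline))
    print(check_image(build_image(vbr=b"PATCHED-VBR"), baseline))  # altered boot sector
```

On a real system the baseline hash would come from a trusted image of the same build, and a non-zero slack figure is only a lead to inspect, not proof of a hidden file system.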
Part of the Wolfcreek driver is another component known as Keystone.
According to the description published by WikiLeaks, "Angelfire is an implant comprised of five components: Solartime, Wolfcreek, Keystone (previously MagicWand), BadMFS, and the Windows Transitory File System". Implants that are run do not touch the file system of the infected machine, so they are not detected; the component disguises itself as C:\Windows\system32\svchost.exe, the name of a legitimate Windows service.
Keystone: a component that uses a DLL injection technique to execute the malicious user applications directly in system memory without dropping them to the file system. It can be detected in some versions, but in most it is encrypted and obfuscated.
The whistleblowing website previously claimed that the data had been uncovered by US government hackers, revealing a huge archive of viruses, malware, software vulnerability hacks used by the Central Intelligence Agency.
The release is the latest from WikiLeaks as part of its Vault 7 series, which has focused on releasing leaked documents from the CIA detailing the government agency's technical capabilities. The Windows Transitory File System allows an operator to create transitory files for specific actions, including initial installation or adding and removing files from Angelfire.