23 March, 2017
Today, March 23rd 2017, WikiLeaks releases Vault 7 “Dark Matter”, which contains documentation for several CIA projects that infect Apple Mac firmware (meaning the infection persists even if the operating system is re-installed) developed by the CIA’s Embedded Development Branch (EDB). These documents explain the techniques used by CIA to gain ‘persistence’ on Apple Mac devices, including Macs and iPhones and demonstrate their use of EFI/UEFI and firmware malware.
Among others, these documents reveal the “Sonic Screwdriver” project which, as explained by the CIA, is a “mechanism for executing code on peripheral devices while a Mac laptop or desktop is booting” allowing an attacker to boot its attack software for example from a USB stick “even when a firmware password is enabled”. The CIA’s “Sonic Screwdriver” infector is stored on the modified firmware of an Apple Thunderbolt-to-Ethernet adapter.
“DarkSeaSkies” is “an implant that persists in the EFI firmware of an Apple MacBook Air computer” and consists of “DarkMatter”, “SeaPea” and “NightSkies”, respectively EFI, kernel-space and user-space implants.
Documents on the “Triton” MacOSX malware, its infector “Dark Mallet” and its EFI-persistent version “DerStarke” are also included in this release. While the DerStarke1.4 manual released today dates to 2013, other Vault 7 documents show that as of 2016 the CIA continues to rely on and update these systems and is working on the production of DerStarke2.0.
Also included in this release is the manual for the CIA’s “NightSkies 1.2”, a “beacon/loader/implant tool” for the Apple iPhone. Noteworthy is that NightSkies had reached 1.2 by 2008, and is expressly designed to be physically installed onto factory-fresh iPhones, i.e., the CIA has been infecting the iPhone supply chain of its targets since at least 2008.
While CIA assets are sometimes used to physically infect systems in the custody of a target, it is likely that many CIA physical access attacks have infected the targeted organization’s supply chain, including by interdicting mail orders and other shipments (opening, infecting, and resending) leaving the United States or otherwise.
(S) NightSkies (NS) version 1.2 is a beacon/loader/implant tool for the Apple iPhone 3G v2.1. The tool operates in the background providing upload, download and execution capability on the device. NS is installed via physical access to the device and will wait for user activity before beaconing. When user activity is detected, NS will attempt to beacon to a preconfigured LP to retrieve tasking, execute the instructions, and reply with the responses in one session.

It runs in the background and does not exhibit alerting behavior. NightSkies will attempt to use any available Internet connection to beacon. NightSkies will wait for user activity before attempting to beacon.
and you better believe they have this shit for Android as well!!!!!!!!!!!!
In fact, just reread all of this and any time you see iPhone/iOS, just change it to Android. We’ll have the documents to prove what I’m saying soon enough, if they aren’t already out there somewhere.
(S) Listening Post
(S) The Listening Post provides tasking to and will accept packages from the implant. The LP is not allowed to decrypt or process the received packages. It serves only as a drop box for packages. This was designed to maximize security in the case that the LP was compromised. Package processing is done at a later stage in a secure environment.
(S) The LP is composed of PHP files hosted by Apache and PHP server. The PHP files are generated by a sitecreator program which reads a configuration plist file.
(S) The LP is unchanged from version 1.1.
(S) Post processing is intended to occur in a secure environment by the ResponseProcessor program. This program will decrypt, decompress, and process the payload returned from the implant. It extracts files contained in the payload and displays results of any commands executed on the target phone.
(S) Files and Locations
(S) Installed on iPhone
• /usr/sbin/phoned: binary implant file
• /System/Library/PreferenceBundles/CommCenter.plist: (config file) stores information needed by NS to beacon. It is encrypted and compressed on
• /System/Library/LaunchDaemons/com.apple.mobile.phoned.plist: provides persistence for phoned. This file is not encrypted and appears as a normal launchd configuration file.
The name of binaries can be altered during installation.
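A defender-side check that follows from this section, written here as an added example (not code from the manual or the post): a baseline audit of launchd jobs in Python, keyed on label plus program path so that a renamed binary is still caught, plus a test for files carrying a .plist name that do not actually parse as plists. The baseline labels and both sample plists are constructed for the example.

```python
import plistlib
from xml.parsers.expat import ExpatError

# Constructed baseline (illustrative labels): launchd label -> expected program,
# as exported from a known-clean reference device.
BASELINE = {"com.apple.example.daemonA": "/usr/libexec/daemonA",
            "com.apple.example.daemonB": "/usr/sbin/daemonB"}

def program_of(job):
    """Executable a launchd job runs: Program, else ProgramArguments[0]."""
    if "Program" in job:
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else None

def audit_launchd_job(plist_bytes):
    """Findings for one LaunchDaemons plist checked against BASELINE: a label
    the reference device never had (even inside Apple's com.apple.* namespace)
    or a known label whose program changed. Keying on label+program instead of
    a fixed file name matters because binary names can be altered at install."""
    job = plistlib.loads(plist_bytes)
    label, prog = job.get("Label", ""), program_of(job)
    if label not in BASELINE:
        return [f"unknown job {label!r} -> {prog}"]
    if BASELINE[label] != prog:
        return [f"{label!r} program changed: {BASELINE[label]} -> {prog}"]
    return []

def is_opaque_plist(data):
    """True when bytes stored under a .plist name parse as neither XML nor
    binary plist; an encrypted+compressed config hidden as a .plist trips it."""
    try:
        plistlib.loads(data)
        return False
    except (plistlib.InvalidFileException, ExpatError, ValueError):
        return True

# Constructed sample modelled on the LaunchDaemons entry the manual describes.
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.mobile.phoned</string>
  <key>ProgramArguments</key><array><string>/usr/sbin/phoned</string></array>
  <key>KeepAlive</key><true/>
</dict></plist>"""
# Constructed clean entry that matches the baseline.
CLEAN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.example.daemonA</string>
  <key>Program</key><string>/usr/libexec/daemonA</string>
</dict></plist>"""
```

In use, audit_launchd_job is run over every file under /System/Library/LaunchDaemons and is_opaque_plist over every .plist under /System/Library/PreferenceBundles, with the baseline taken from a trusted image of the same OS build.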
(S) Listening Post
• pkgcreator: generates the LP PHP files, tasking packages, and configuration file for the implant
(S) Post Processing
• responseprocessor: process (decrypt & decompress) packages received from the
(S) NS is delivered as a “tarball” archive. Directory structure:
• docs: deployment documentation
• lp: files needed by pkgcreator
• resources: various binaries required for installation
ns> tasks> add
Create a unique task name and package name for the tasking group, and then enter the tasks using the
Enter task name. Must match page name of the URL! [page.php]: mypage.php
Enter name of package. Can be random [page.zip]: mypackage.zip
==== Command Menu ====
execute: Execute shell command on target (returns results)
download: Download file from target
upload: Upload a file to target
setconfig: Set or change a configuration value on target
getconfig: Get a configuration value from target
show: Show current commands
help: Show this help menu
done: Done adding tasks
Enter the commands to be executed by the NightSkies implant, such as the upload, download, and execution of files. Multiple commands can be added, and they will be executed in sequential order. The table below shows some common files to download, and the upload and execute examples when run sequentially illustrate a way to upgrade NightSkies.

Type      Example             Effect
Download                      Address Book
Download                      SMS Text
Download                      Mail file
Upload    newimplant file     Update the implant to
                              for future tasking.
Execute   killall -9 phoned   Stop the phoned process
                              (launchd will relaunch it)

When uploading large files, pkgcreator will take a long time to encrypt and package the file. If the file to be uploaded is too large (dependent on OS and available memory), then pkgcreator will fail during the generate step. A safe maximum file size is probably around 20MB or less.
Once the commands have been added, exit the command menu using done to return to the taski
(S) If the Enable Date setting is used, the date and time on the target phone should be checked to be accurate, or it could result in NS beaconing at an unexpected time.
(S) Standard beaconing behavior requires user action. If the target does not use any applications that we monitor (MobileSafari, MobileMail, MobileMaps, etc.), then it is possible the beacon may not get triggered by the target. Using the failsafe trigger can reduce the chance of this problem, but would be