WikiLeaks Exposes CIA Malware Targeting Your Favorite OS

If you’re using a computer (and if you are reading this article, there’s a high chance that you are), you probably have a favorite operating system that you are willing to defend (hopefully just verbally) against users of other operating systems who say theirs is the best. It’s an age-old debate as to which is best: Windows, Mac OS or Linux. The users of these three OSes are so different that you can easily say “never the twain shall meet” (or should that be “trine” in this case?), but now there’s something that threatens them all equally.

What are we talking about? According to a series of leaked documents titled Vault 7 and published last year on WikiLeaks, the US Central Intelligence Agency has developed malware that affects the three largest and most widely used operating systems in existence: Microsoft Windows, Mac OS and Linux.

Most of these implants were developed by the CIA’s Automated Implant Branch (AIB) and carry colorful names such as “Brutal Kangaroo”, “Medusa” and “Assassin”. Brutal Kangaroo, for instance, is described as storing or moving data by placing it in NTFS Alternate Data Streams (ADS), with each chunk able to spawn a further stream. ADS contents never appear in a normal directory listing, which is the whole point; on a Windows machine, dir /r or PowerShell’s Get-Item with the -Stream * parameter will list the streams attached to a file.

However, that’s not the whole story, as the CIA has also found ways to target network devices and servers themselves (meaning that your router isn’t safe either). Those tools were developed by another CIA branch, the Network Devices Branch (NDB).


As the most popular operating system in the world (as of September 2018, 87.6% of personal computers ran Windows, 42.8% of them Windows 10), it comes as no surprise that Windows is the biggest target for the CIA out of the three major operating systems.

The malware the CIA developed to take control of Windows-based computers comprises a number of weaponized vulnerabilities called “zero days” (a zero day, or 0day, is a vulnerability the vendor does not yet know about, so no patch exists for it).

In addition, the CIA has also developed several pieces of malware such as “Hammer Drill”, which infects software distributed on CDs and DVDs. Basically, this is a collection tool that walks the directories of inserted discs, copies files out to a configured directory and filename pattern, and logs every time the user inserts or removes a CD or DVD. The latest version, Hammer Drill v2.0, adds an air-gap jumping ability: it trojanizes executables while the disc is being burned by Nero (there is no word on whether this works with other burning software such as Daemon Tools or ImgBurn).

On top of all this, WikiLeaks also shows how the CIA can infect a computer via a USB stick or other removable media, hide data in images, and make sure the infection stays put for a long time. For example, the CIA can append data to an existing image file (JPG or PNG) and in that way store or transfer data at will. Appended bytes sit after the image’s end marker, so viewers render the picture normally and nothing looks wrong unless you check what follows the marker.

Mac OS and Linux

If you’re a Mac OS or Linux user and have read the article up to this point, you might want to wipe that smirk off your face. Just because most attackers concentrate on Windows doesn’t mean your OS is any more or less secure; it’s a question of how many targets run it, and the CIA hasn’t forgotten about you.

In fact, our favorite intelligence agency has developed three hacking tools for Mac OS and Linux, called Achilles, Aeris and SeaPea. And yes, we’re going to take a look at all of them so that you know what you are dealing with.

  1. Aeris

Apparently someone in the CIA is a fan of Final Fantasy, as they decided to name one of their hacking tools after a character from it, Aeris Gainsborough. Okay, with that bit of trivia out of the way, what is Aeris 2.1?

Aeris 2.1 is an automated implant created to infect POSIX-based systems, which is why the supported list below goes beyond Linux to Solaris and FreeBSD. The malware is distributed with a set of Python utilities and one binary per platform. Aeris is supported on the following platforms:

  • Debian Linux 7 (i386)
  • Debian Linux 7 (amd64)
  • Debian Linux 7 (ARM)
  • Red Hat Enterprise Linux 6 (i386)
  • Red Hat Enterprise Linux 6 (amd64)
  • Solaris 11 (i386)
  • Solaris 11 (SPARC)
  • FreeBSD 8 (i386)
  • FreeBSD 8 (amd64)
  • CentOS 5.3 (i386)
  • CentOS 5.7 (i386)

Some of the features include a standalone HTTPS listening post (LP), TLS-encrypted communications with mutual authentication, a configurable beacon interval with jitter, automated file exfiltration and more. The beacon is the part a defender can look for: an implant that calls home on a schedule produces connections with far more regular spacing than a human browsing, and jitter only widens that distribution, it does not remove it.
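As an added example of that check (this is not code from the leak or from the article, and the log lines are constructed, not captured traffic), the block below takes outbound TLS connection records, groups them per source/destination pair, and flags pairs whose inter-connection intervals have a low coefficient of variation. One host beacons roughly every 300 seconds with jitter; another makes irregular, user-driven connections.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log. Format per line: ISO timestamp, source IP, destination IP, port.
BASE = datetime(2018, 9, 14, 10, 0, tzinfo=timezone.utc)


def build_sample_log():
    """Two hosts: one beaconing (~300 s with +/-20 s jitter), one browsing irregularly."""
    beacon = [0, 290, 605, 910, 1190, 1500, 1805, 2115, 2400]
    browsing = [0, 5, 125, 128, 1028, 1068, 1078, 3478]

    def line(offset, src, dst):
        ts = (BASE + timedelta(seconds=offset)).strftime("%Y-%m-%dT%H:%M:%SZ")
        return f"{ts} {src} {dst} 443"

    lines = [line(s, "10.0.0.5", "203.0.113.9") for s in beacon]
    lines += [line(s, "10.0.0.7", "198.51.100.20") for s in browsing]
    return sorted(lines)  # ISO timestamps sort chronologically as strings


def parse_log(lines):
    """Group connection timestamps by (src, dst, port)."""
    flows = defaultdict(list)
    for raw in lines:
        ts, src, dst, port = raw.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        flows[(src, dst, int(port))].append(when)
    return flows


def find_beacons(flows, min_conns=6, max_cv=0.2):
    """Return (key, mean_interval_s, cv) for flows whose spacing is suspiciously regular.

    cv = population stdev / mean of the inter-connection intervals. Human traffic
    typically has cv well above 1; a jittered beacon stays far below that.
    """
    hits = []
    for key, times in flows.items():
        if len(times) < min_conns:
            continue  # too few samples to judge regularity
        times = sorted(times)
        deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(deltas)
        if mean <= 0:
            continue
        cv = statistics.pstdev(deltas) / mean
        if cv <= max_cv:
            hits.append((key, mean, cv))
    return hits


if __name__ == "__main__":
    for key, mean, cv in find_beacons(parse_log(build_sample_log())):
        print(f"{key[0]} -> {key[1]}:{key[2]} every ~{mean:.0f}s (cv={cv:.3f})")
```

The thresholds (six connections, cv of 0.2) are assumptions chosen for the sample, not values from the leak; with large configured jitter the cv rises and you would loosen max_cv and require more samples, and in practice you would also look at whether the request sizes repeat, since a beacon with nothing to say tends to send the same few bytes every time.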

  2. Achilles

Achilles 1.0, named (obviously) for the Greek hero with the bad heel, lets an operator trojanize a Mac OS X disk image (DMG) installer with one or more executables for a one-time execution. The infected DMG behaves like a normal DMG, but once the user runs the installer the payload executes alongside it and the tool then removes its own traces.

The documentation only confirms Achilles 1.0 on Intel Macs running Mac OS X 10.6 (Snow Leopard). That is not the same as later versions being safe: nothing in the leak says newer releases were checked, only that 10.6 was the version tested.

  3. SeaPea

SeaPea gets its name from a legume native to the coasts of Europe, the Americas and Asia, also known as the beach pea (Latin Lathyrus japonicus). The tool (not the plant, of course) is a Mac OS X rootkit with stealth and tool-launching features: once it has fully infected a system it can hide processes, files and socket connections. Installing it requires root, so an attacker needs an administrator’s credentials or a separate privilege escalation first.

The toolkit was tested on Mac OS X 10.6 and 10.7.


The rivalry between Windows, Mac OS and Linux users is well documented, but this is one thing they can all agree on: the CIA has developed some nasty hacking tools that won’t let any of them sleep easily.

So what can you do? Maybe switch to Chrome OS?

