WikiLeaks has been steadily releasing documents from what is known as the “Vault 7” leaks, and documentation has now been released about a tool known as “Aeris”, which specifically targets POSIX systems such as a couple of GNU/Linux distributions.
Posted on WikiLeaks yesterday was information regarding the “Imperial” project of the CIA:
Aeris is an automated implant written in C that supports a number of POSIX-based systems (Debian, RHEL, Solaris, FreeBSD, CentOS). It supports automated file exfiltration, configurable beacon interval and jitter, standalone and Collide-based HTTPS LP support and SMTP protocol support - all with TLS encrypted communications with mutual authentication.
It is compatible with the NOD Cryptographic Specification and provides structured command and control that is similar to that used by several Windows implants.
This article, however, will focus specifically on Aeris.
Aeris appears to be an implant designed to allow an agent to retrieve and send information about the infected system over TLS-encrypted channels.
There are multiple avenues for transmitting that information, such as mail systems like Postfix, which allow the agent to send heavily encrypted (AES-256) data to the designated destination in a virtually unbreakable fashion.
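Of the capabilities listed in the quoted description, the configurable beacon interval and jitter is the one a defender can look for in egress logs: a host that contacts the same address at nearly constant intervals stands out from human-driven traffic even when the implant randomises each gap a little. The following is an added example and not code from the page or from the Aeris documentation; the log format, the hosts and the addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
# Constructed sample log lines (not from the page): 10.0.0.5 contacts one
# address about every 300 s with ~10 % jitter; 10.0.0.9 is irregular browsing.
SAMPLE_LOG = """\
2017-07-29T10:00:00 src=10.0.0.5 dst=203.0.113.7:443
2017-07-29T10:04:48 src=10.0.0.5 dst=203.0.113.7:443
2017-07-29T10:10:05 src=10.0.0.5 dst=203.0.113.7:443
2017-07-29T10:14:50 src=10.0.0.5 dst=203.0.113.7:443
2017-07-29T10:20:12 src=10.0.0.5 dst=203.0.113.7:443
2017-07-29T10:00:03 src=10.0.0.9 dst=198.51.100.2:443
2017-07-29T10:00:04 src=10.0.0.9 dst=198.51.100.2:443
2017-07-29T10:31:40 src=10.0.0.9 dst=198.51.100.2:443
2017-07-29T11:45:00 src=10.0.0.9 dst=198.51.100.2:443
2017-07-29T11:45:02 src=10.0.0.9 dst=198.51.100.2:443
"""
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+)$")

def parse_log(text):
    """Group connection timestamps by (src, dst) flow, sorted in time."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # malformed lines are skipped rather than aborting the sweep
            ts, src, dst = m.groups()
            flows[(src, dst)].append(datetime.fromisoformat(ts))
    return {k: sorted(v) for k, v in flows.items()}

def beacon_score(times):
    """(mean gap in s, coefficient of variation of the gaps): a small CV
    means nearly constant spacing, i.e. a beacon with a narrow jitter window."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2 or not (avg := mean(gaps)):
        return None  # too few connections (or zero spacing) to judge
    return avg, pstdev(gaps) / avg

def find_beacons(text, min_conns=5, max_cv=0.25):
    """Flag flows with >= min_conns connections whose gap CV <= max_cv."""
    hits = {}
    for key, times in parse_log(text).items():
        score = beacon_score(times) if len(times) >= min_conns else None
        if score and score[1] <= max_cv:
            hits[key] = score
    return hits

if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))
```

The thresholds are starting points: a wider jitter window raises the CV of a real beacon, so tune max_cv against what legitimate periodic traffic (NTP, update checks) on your own network scores.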
What systems are targeted?
The distribution of Aeris consists of a set of Python utilities and a set of binaries, one per platform that is targeted by Aeris.
Aeris does not have a separate installer. To deploy it, simply place an Aeris binary in the desired directory. Rename the binary in any way that you wish. Note that the configuration is patched in at build time; hence, no additional files (beyond possibly those related to persistence -- see the next section) are needed.
While many people may view this on a political level, or as a matter of privacy advocacy, I look at it from the standpoint of future security.
In the past, malware that has caused problems for the general populace has been based on government malware, WannaCry for example. WannaCry was initially based on EternalBlue, which many attribute to the NSA.
With the release of this information on Aeris, I worry that black hats (read: malicious hackers) may get their hands on, or develop, something similar and use the methods described in the documentation in malicious ways.
That said, most home users have very little to worry about, and unless a server has a reason to be targeted there shouldn’t really be any need to worry either. But educating oneself on the topic is never a bad thing!
In the manual there is a rather amusing passage that I thought I might point out:
Each implant instance has a unique certificate authority associated with it. The CA's private key is used to sign the implant's certificate as well as certificates for each LP associated with the implant in question.
If anyone actually reads this paragraph, he or she is entitled to a small monetary prize courtesy of the Aeris team lead. Implant-collected data cannot be decrypted without the CA's private key; hence, this key is considered SECRET//NOFORN and must be maintained on a classified network. All keys and certificates (CA, target, and LP) are 2048 bits in size.
Many people like to think that GNU/Linux systems are invincible, and that simply by running a Linux-based system you are totally safe from malware and the like. These releases are further proof that this is not the case; let’s just hope that malicious users out there do not try to take advantage of these new tools!
For those who wish to see the information about Aeris, the manual can be found here (PDF).
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.