WikiLeaks releases Manual for Linux Implant “Aeris”

Mike Turcotte-McCusker
Jul 29, 2017

WikiLeaks has been fairly steadily releasing documents from what is known as the “Vault 7” leaks, and now documentation has been released about a tool known as “Aeris” which specifically targets POSIX systems such as a couple GNU/Linux Distributions.

Posted on WikiLeaks yesterday, was information regarding the “Imperial” project of the CIA,

Aeris is an automated implant written in C that supports a number of POSIX-based systems (Debian, RHEL, Solaris, FreeBSD, CentOS). It supports automated file exfiltration, configurable beacon interval and jitter, standalone and Collide-based HTTPS LP support and SMTP protocol support - all with TLS encrypted communications with mutual authentication.

It is compatible with the NOD Cryptographic Specification and provides structured command and control that is similar to that used by several Windows implants.

This article will be focusing specifically on Aeris however.

What is it?

aeris user guide

Aeris appears to be an implant that is designed to allow an agent to retrieve and send information about the infected system through TLS encrypted channels.

There are multiple avenues for information transmission such as mail systems like Postfix, that allow the agent to send heavily encrypted information to the designated destination in a virtually unbreakable fashion using AES256 encryption.

What systems are targeted?

  • Debian Linux 7 (i386)
  • Debian Linux 7 (amd64)
  • Debian Linux 7 (ARM)
  • Red Hat Enterprise Linux 6 (i386)
  • Red Hat Enterprise Linux 6 (amd64)
  • Solaris 11 (i386)
  • Solaris 11 (SPARC)
  • FreeBSD 8 (i386)
  • FreeBSD 8 (amd64)
  • CentOS 5.3 (i386)
  • CentOS 5.7 (i386)

The distribution of Aeris consists of a set of Python utilities and a set of binaries, one per platform that is targeted by Aeris.

Aeris does not have a separate installer. To deploy it, simply place an Aeris binary in the
desired directory. Rename the binary in any way that you wish. Note that the configuration
is patched in at build time; hence, no additional files (beyond possibly those related to
persistence -- see the next section) are needed.

So what?

While many people may view this on a political level, or on the topic of privacy advocacy etc, I look at this from a standpoint of future security.

In the past, malware that has caused problems for the general populace has been based on government malware; such as WannaCry for example. WannaCry was initially based on EternalBlue, that many attribute it to the NSA.

With the release of this information on Aeris, I worry that black-hat (read: bad hackers) may get their hands on / develop something similar, and use the methods described in the documentation in malicious ways.

However, with that being said, most home users would have very little to worry about, and unless a server has a reason to be targeted; again there shouldn’t really be any need to worry. But, educating ones-self on the topic is never a bad thing!


In the Manual, there is a rather amusing part of one paragraph that I thought I might point out:

Each implant instance has a unique certificate authority associated with it. The CA's private key is used to sign the implant's certificate as well as certificates for each LP associated with the implant in question.

If anyone actually reads this paragraph, he or she is entitled to a small monetary prize courtesy of the Aeris team lead. Implant- collected data cannot be decrypted without the CA's private key; hence, this key is considered SECRET//NOFORN and must be maintained on a classified network. All keys and certificates (CA, target, and LP) are 2048 bits in size.

Final Thoughts

Many people like to think that GNU/Linux systems are invincible, and that simply by running a Linux based system you are totally safe from malware and the like; these releases are just further proof that this is not the case; let’s just hope that more malicious users out there do not try and take advantage of these new tools!

For those who wish to see the information about Aeris, you can find the manual here (PDF).

WikiLeaks releases Manual for Linux Implant “Aeris”
Article Name
WikiLeaks releases Manual for Linux Implant “Aeris”
WikiLeaks has been releasing documents from what is known as the “Vault 7” leaks, and now documentation has been released about a tool known as “Aeris”
Ghacks Technology News

Previous Post: «
Next Post: «


  1. Graham said on July 30, 2017 at 3:57 am

    You can patch this implant with Phoenix Down.

    1. beemeup4 said on August 5, 2017 at 8:18 am

      Reminds me of this:

      Couldn’t resist.

    2. John M said on July 30, 2017 at 5:02 am

      It didn’t work 20 years ago. Why would it work now?

  2. I call BS said on July 29, 2017 at 9:12 pm

    Well, golly gosh, if Wikileaks says it, it MUST be true, right??

    Except for the fact that the list of systems that are supposedly being “targeted” doesn’t even begin to make sense.

    (For those who don’t know any better, RHEL and CentOS are basically two ways of spelling the exact same thing.)

    So RHEL 6 is “targeted,” but CentOS 6 is not?? Conversely, CentOS 5.x is targeted, but RHEL 5.x is not??

    Similar anomalies present themselves with both Solaris and *BSD.

    I call BS.

    1. Nebulus said on July 30, 2017 at 1:44 am

      To be honest, I think that at least a part of this Wikileaks released manual is BS… And that “Uh…” part reinforces my suspicions.
      I’m not saying that such an “implant” doesn’t exist, but it doesn’t feel like a real/original/unmodified manual to me.

    2. Mike Turcotte said on July 30, 2017 at 12:41 am

      Keep in mind that while CentOS is based on RHEL, they are not identical. Patches are done differently, and some packages are configured differently (the most common example I can think of off the top of my head is Cron)

      There is always the potential that certain packages or patches are implemented differently between RHEL X and CentOS X, and could potentially be why there are those anomalies. I image that this is something the devs will be looking into themselves.

  3. linuxfan said on July 29, 2017 at 8:01 pm

    “Aeris does not have a separate installer. To deploy it, simply place an Aeris binary in the
    desired directory. ”

    And how is that supposed to happen (ignoring the fact that the binary also needs to be executed)? I’d say: without an attacker having local access to your computer you don’t have to be worried.

    Notwithstanding this, it’s always a good idea to sandbox your browser (and other applications) with Firejail. Mike, that’s definitely worth an article.

  4. pd said on July 29, 2017 at 5:19 pm

    LOL, “invincible”.

  5. Cloud said on July 29, 2017 at 10:44 am

    Wait it’s not a coincidence, the CIA actually sullied the name of THE Aeris, who is supposed to be a freaking hippy angel who sacrifices herself to save life on Earth from a stupid empire and some evil crybaby. How much of a poison can they be ?

    It’s as if Rome had named their project to salt the earth of Carthage, “project Gandhi”. Dudes, have some decency.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.