

WikiLeaks’ Vault 7 CIA Report Reveals How Non-Malware Attacks Are Being Leveraged

March 8, 2017 / Eric O'Neill

In one of the largest document leaks in the CIA’s history, WikiLeaks released thousands of pages outlining sophisticated tools and techniques the agency used to allegedly break into mobile phones, IoT devices and computers.

The leaks are essentially a catalog of offensive hacking tools. As noted in various reports, the catalog includes instructions for compromising a wide range of common computer tools including online Skype, Wi-Fi networks, PDFs, legacy antivirus solutions and more.

As reported by the New York Times, the initial release, which WikiLeaks said was only the first installment in a larger collection of secret C.I.A. material, included 7,818 web pages with 943 attachments, many of them partly redacted by WikiLeaks editors to avoid disclosing the actual code for cyberweapons. The entire archive of C.I.A. material consists of several hundred million lines of computer code, the group claimed.

There are very real implications for the entire security industry from this news. The possibility exists that revealed tools and attack code will become available to motivated attackers on a mass scale. Given the ubiquity of mobile phones and IoT devices, that’s a dangerous thing to consider.

Non-Malware Attacks

Some of the tools outlined in the report include non-malware, or fileless, attacks: attacks that avoid using files at all in order to keep attackers hidden. We can expect these kinds of attacks to increase, not only because of the CIA leak, but because they work and have been on the rise for quite some time.

One of the more interesting non-malware attacks outlined in the report was “RickyBobby,” a covert implant created by multiple CIA branches. The sole purpose of this implant was for it to be lightweight and run on newer Windows clients and servers (think Windows 7 and up). The implant is leveraged as an initial foothold into networks so CIA operators can then upload and download additional capabilities as they see fit.

So, why is this implant notable? The initial infection occurs via a PowerShell script that downloads and dynamically executes .NET DLLs in memory. There is no disk footprint during attack execution and the injection is entirely memory-based.

In direct quotes from the report: “OSB (CIA) chose Windows PowerShell as the execution vector because it is installed by default on all Microsoft operating systems since Windows Vista and it runs as a trusted, Microsoft-signed process. RickyBobby can be installed remotely or with physical access to the target computers using batch files.”

An additional non-malware tactic included in the report was the leveraging of Windows Management Instrumentation (WMI) for persistence.
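Both behaviours described above (a PowerShell script that downloads .NET code and loads it in memory, and WMI used for persistence) leave traces in event logs even though no file is written. The following is an added example, not code from the original post or from Carbon Black: it assumes PowerShell script block logging (event ID 4104) and the WMI-Activity operational log (event ID 5861) are being collected, and the record layout, field names and sample events are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample events (simplified fields, not real telemetry).
# 4104 = PowerShell script block logging; 5861 = WMI-Activity permanent
# event subscription registered. "..." marks elided script text.
EVENTS = [
    {"id": 4104, "host": "ws01", "block": "a1", "part": 2, "total": 2,
     "text": "... [System.Reflection.Assembly]::Load($bytes) ..."},
    {"id": 4104, "host": "ws01", "block": "a1", "part": 1, "total": 2,
     "text": "$bytes = $wc.DownloadData('https://example.invalid/x') ..."},
    {"id": 4104, "host": "ws02", "block": "b7", "part": 1, "total": 1,
     "text": "Get-ChildItem C:\\Reports | Export-Csv out.csv"},
    {"id": 4104, "host": "ws03", "block": "c3", "part": 1, "total": 1,
     "text": "Invoke-WebRequest https://example.invalid/setup.msi -OutFile s.msi"},
    {"id": 5861, "host": "ws01",
     "text": "Binding: __EventFilter ... CommandLineEventConsumer ..."},
]

DOWNLOAD = re.compile(r"DownloadData|DownloadString|Invoke-WebRequest|Net\.WebClient", re.I)
# Assembly.Load(byte[]) loads from memory; LoadFile/LoadFrom read from disk.
MEM_LOAD = re.compile(r"Reflection\.Assembly\]?::Load\b", re.I)

def reassemble(events):
    """Join multi-part 4104 fragments per (host, script block ID), in order."""
    parts = defaultdict(dict)
    for e in events:
        if e["id"] == 4104:
            parts[(e["host"], e["block"])][e["part"]] = e["text"]
    return {k: "\n".join(v[i] for i in sorted(v)) for k, v in parts.items()}

def detect(events):
    findings = []
    for (host, block), text in reassemble(events).items():
        # Flag only the combination: a download alone is common admin activity.
        if DOWNLOAD.search(text) and MEM_LOAD.search(text):
            findings.append((host, "download+in-memory-assembly-load", block))
    for e in events:
        if e["id"] == 5861:
            findings.append((e["host"], "wmi-permanent-subscription", None))
    return sorted(findings, key=lambda f: (f[0], f[1]))

if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

Large scripts are logged as several 4104 events, so the fragments are joined before matching; checking each fragment on its own would miss the ws01 case, where the download and the in-memory load fall in different parts.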

The usage of PowerShell and WMI during attacks aligns with what Carbon Black research has uncovered. According to our research, instances of non-malware attacks leveraging PowerShell and Windows Management Instrumentation (WMI) grew throughout 2016. Such attacks spiked by more than 90% in the second quarter (+93.2%) and have stayed at escalated levels since.


Another interesting component to the report was the “Fine Dining” menu offered to CIA officers. The list includes several non-malware attack techniques to select among.


A key thing to consider with these latest leaks is that there will always be new vulnerabilities and new techniques. The key for leading security vendors (and the community as a whole) is to quickly remediate them globally.

For consumers and businesses, we need to look more closely at the devices we purchase and always consider the security capabilities in terms of locking down our data.

When it comes to protecting businesses from non-malware attacks, legacy antivirus simply doesn’t cut it. Many current endpoint security solutions (such as traditional AV and machine-learning AV) do nothing to prevent (or even detect) non-malware attacks, providing attackers with a point of entry that goes completely overlooked.

Traditional AV and machine-learning AV are designed to only identify threats at a single point in time – when a file is written to disk. Since they only look at the attributes of an executable file, they are completely blind in the face of attacks where no files are involved – as is the case with non-malware attacks.

If the goal of an attack is to gain a foothold or exfiltrate valuable data, then non-malware attacks accomplish this goal without fear of detection, especially when organizations are relying on legacy AV and machine-learning AV.


To learn more about how to defend your organization from non-malware attacks, join us at the upcoming webinar: “Beyond AV Webinar: Cb Defense in 20 Minutes.”
