WikiLeaks has been fairly steadily releasing documents from what is known as the “Vault 7” leaks, and documentation has now been released about a tool known as “Aeris”, which specifically targets POSIX systems such as a couple of GNU/Linux distributions.
Posted on WikiLeaks yesterday was information regarding the CIA's “Imperial” project:
Aeris is an automated implant written in C that supports a number of POSIX-based systems (Debian, RHEL, Solaris, FreeBSD, CentOS). It supports automated file exfiltration, configurable beacon interval and jitter, standalone and Collide-based HTTPS LP support and SMTP protocol support – all with TLS encrypted communications with mutual authentication.
It is compatible with the NOD Cryptographic Specification and provides structured command and control that is similar to that used by several Windows implants.
This article, however, will focus specifically on Aeris.
What is it?
Aeris appears to be an implant designed to let an agent retrieve and send information about the infected system over TLS-encrypted channels.
There are multiple avenues for transmitting that information, such as mail systems like Postfix, which let the agent send heavily encrypted data to the designated destination in a virtually unbreakable fashion using AES-256 encryption.
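The configurable beacon interval and jitter and the TLS channels described above are what a defender can look for in egress logs: a jittered beacon still produces connection gaps that cluster around a base interval, which user-driven traffic does not. The following Python script is an added example, not code from the article or from the leaked documents; its record format, hosts and timestamps are all constructed.

```python
"""Flag jittered beaconing in constructed outbound-connection records.
An Aeris-style implant calls home on a base interval plus jitter, so the gaps
between its connections cluster around that interval; interactive traffic
does not. Record format "ts src dst dport" is constructed, not a real tool's."""
from collections import defaultdict
from statistics import median

def parse_line(line):
    """Parse one constructed record: epoch seconds, source, destination, port."""
    ts, src, dst, dport = line.split()
    return float(ts), src, dst, int(dport)

def interarrival(times):
    """Gaps between consecutive connection timestamps, in seconds."""
    t = sorted(times)
    return [b - a for a, b in zip(t, t[1:])]

def beacon_score(gaps):
    """Return (median gap, spread): spread is the median absolute deviation
    over the median gap, so it stays small under jitter but not under
    human-driven, irregular timing. None if too few gaps to judge."""
    if len(gaps) < 4:
        return None
    m = median(gaps)
    if m <= 0:
        return None
    mad = median(abs(g - m) for g in gaps)
    return m, mad / m

def find_beacons(lines, max_spread=0.25, min_conns=6):
    """Map each periodic-looking (src, dst, dport) flow to (median gap, spread)."""
    flows = defaultdict(list)
    for line in lines:
        ts, src, dst, dport = parse_line(line)
        flows[(src, dst, dport)].append(ts)
    hits = {}
    for key, times in flows.items():
        if len(times) < min_conns:
            continue
        score = beacon_score(interarrival(times))
        if score is not None and score[1] <= max_spread:
            hits[key] = score
    return hits

# Constructed sample: 10.0.0.5 beacons about every 300 s (+/- 30 s jitter) to
# an HTTPS listening post; 10.0.0.7 is irregular, user-driven browsing.
BEACON_TS = [1000, 1290, 1612, 1905, 2180, 2510, 2795, 3110, 3380, 3700, 3990, 4310]
BROWSE_TS = [1000, 1012, 1020, 1500, 1503, 2400, 2402, 2410, 3300, 5000, 5004, 6200]
SAMPLE_LOG = ([f"{t} 10.0.0.5 198.51.100.10 443" for t in BEACON_TS]
              + [f"{t} 10.0.0.7 203.0.113.20 443" for t in BROWSE_TS])
```

Running `find_beacons(SAMPLE_LOG)` flags only the 10.0.0.5 flow, with a median gap of 293 s and a spread of about 0.08; the browsing flow's spread is above 0.8 and is ignored.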
What systems are targeted?
- Debian Linux 7 (i386)
- Debian Linux 7 (amd64)
- Debian Linux 7 (ARM)
- Red Hat Enterprise Linux 6 (i386)
- Red Hat Enterprise Linux 6 (amd64)
- Solaris 11 (i386)
- Solaris 11 (SPARC)
- FreeBSD 8 (i386)
- FreeBSD 8 (amd64)
- CentOS 5.3 (i386)
- CentOS 5.7 (i386)
The distribution of Aeris consists of a set of Python utilities and a set of binaries, one per platform that is targeted by Aeris.
Aeris does not have a separate installer. To deploy it, simply place an Aeris binary in the desired directory. Rename the binary in any way that you wish. Note that the configuration is patched in at build time; hence, no additional files (beyond possibly…