WikiLeaks Docs Reveal How The CIA Targets Windows Users

Nathanial Mott:

WikiLeaks published new documents from what it calls the Vault 7 trove describing how the CIA targets Windows users. The files pertain mostly to Grasshopper, a framework used to build custom installation executables, and the agency’s use of the Carberp malware in its Stolen Goods persistence mechanism. This leak puts the spotlight on another of the CIA’s internal tools and on how it repurposes public malware to suit its own purposes.

Grasshopper’s user guide explains that it was used to build and execute custom malware. Operators could use various installers, target devices based on what version of Windows they use or what antivirus software is installed, and decide whether the malware should create a log file when it’s run. This would theoretically improve the agency’s chances of compromising its target while reducing the odds of getting caught or affecting other people.