The WikiLeaks has released some information and source code for a framework which is allegedly used by U.S. Central Intelligence Agency (CIA) for making an analysis of their tools and attribution even more difficult.
The WikiLeaks organisation on this Friday made 676 source code files of the Marble Framework public. According to them, version 1.0 of this framework was released back in 2015, and CIA has continued using it ever since.
The files which appear to be part of this official Marble Framework documentation describe that as a framework “designed to allow for more flexible and easy-to-use obfuscation when developing various tools.” These types of techniques are used by many malware developers to hinder the researchers.
During the first round of Vault 7 files released by the WikiLeaks, the information shows that the CIA has learned from the NSA’s mistakes after intelligence agency’s Equation Group was exposed by various security researchers. The CIA employees have apparently determined that use of some custom cryptography is one of NSA’s biggest mistakes, as it has allowed the researchers to link various pieces of malware to same developer.
This Marble framework allowed obfuscation of a tool using some random technique to prevent the security vendors and forensics investigators from linking it to a specific developer. Thee marble users can also select algorithm they want to use or just configure the application to omit a certain algorithm.
Charles R. Smith, the CEO of Softwar Inc, pointed out that the Marble leverages the Bouncy Castle cryptography APIs.
During their analysis of the Marble source code, the WikiLeaks found some test examples written in Russian, Chinese, Arabic, Korean and Farsi, which suggests that the agency may have used the framework to trick investigators into believing that its tools were developed by individuals speaking one of these languages.
The source code files made available by WikiLeaks also include a deobfuscation tool.