WikiLeaks has released its third trove of documents from the Vault 7 series on Friday (31 March) exposing a secret anti-forensic tool used by the CIA to mask its cyberattacks. The latest release features 676 source code files for the CIA's secret anti-forensics "Marble Framework" used to prevent investigators and anti-virus firms from attributing viruses, trojans and other hacking attacks to the agency.

These anti-forensic tools, allegedly used by the CIA in 2016, use "obfuscation" techniques to hide fragments of text in CIA-developed malware from detection. Obfuscators or packers are used to scramble the malware code making it difficult for both humans and programs to understand what it is or attribute it to a specific source.

"This is the digital equivalent of a specialized CIA tool to place covers over the English language text on US produced weapons systems before giving them to insurgents secretly backed by the CIA," WikiLeaks wrote in its release.

The whistle-blowing agency said Marble forms part of the CIA's Core Library of malware code and its anti-forensic approach.

According to WikiLeaks, Marble is designed to "allow for flexible and easy-to-use obfuscation" since string obfuscation algorithms are "often used to link malware to a specific developer or development shop".

The organisation, founded by Julian Assange, said the Marble source code includes a de-obfuscator used to reverse CIA text obfuscation in order to hide the attack origin as well.

"Combined with the revealed obfuscation techniques, a pattern or signature emerges which can assist forensic investigators attribute previous hacking attacks and viruses to the CIA," WikiLeaks said.

WikiLeaks says the source code also includes test samples in English as well as Chinese, Russian, Korean, Arabic and Farsi.

"This would permit a forensic attribution double game, for example by pretending that the spoken language of the malware creator was not American English, but Chinese," WikiLeaks said. This could lead forensic investigators to the wrong conclusion, the group said, adding that there are "other possibilities such as hiding fake error messages" as well.

However, some experts noted that although the framework does include tools to add foreign languages to the malware code, they seem to be for obfuscation purposes rather than to mis-attribute or frame another nation or actor. Others pointed out that the Russian and Arabic sample text were essentially gibberish.

Nicholas Weaver, a researcher with the International Computer Science Institute at the University of California at Berkeley, said releasing the CIA packer "seems designed to disrupt ongoing CIA operations, but not help anyone else."

"If they are what they purport to be... this is one of the most damaging releases ever done by WikiLeaks", Weaver said in a statement. "At the same time, this is only in the 'public interest' if you believe that disrupting CIA operations for the sake of disrupting CIA operations is your 'public interest.'"

Obfuscators and packers are a standard tool for malware writers to make their old malware code appear new to an antivirus system that can easily be purchased on underground forums, he said.

CIA
WikiLeaks has released a third trove of documents highlighting the CIA's wide-ranging cyberspying capabilities and hacking tools REUTERS/Dado Ruvic

By releasing the purported CIA's packer publicly, Weaver said WikiLeaks essentially provides a framework for detecting CIA malcode and forces these companies to recognise and block it. He adds that "they practically guarantee that a bunch of digital miscreants will start using it as well, because 'hey, a CIA packer for my malcode, cool!'"

The latest leak comes as the third in a series of "Vault 7" leaks highlighting some of the CIA's wide-raging cyberspying and hacking capabilities and tools. Described as the "largest ever publication of confidential documents on the agency", the material allegedly came from an "isolated, high-security network" located inside the CIA's Center for Cyber Intelligence in Langley, Virginia.

In March, WikiLeaks leaked thousands of documents describing the agency's capabilities and tools used to snoop on a wide range of devices including Apple's iPhone, Google's Android, Microsoft's Windows, Samsung TVs and Cisco routers among others. The second release titled "Dark Matter" purportedly contained documentation for several CIA projects created to target Apple Macs and iPhones.