Wikileaks released the third installment of its Vault 7 series of CIA leaks on Friday. The latest tranche of leaks, dubbed "Marble," focuses on a secret anti-forensic tool called "Marble Framework" that the CIA used to hide the source of malware it deployed on targets.
As part of the latest leak, WikiLeaks released 676 source code files for the Marble Framework which was mainly designed to make the CIA malware harder for forensic investigators and anti-virus companies to analyse. Therefore, it hampered attribution of viruses, trojans and other hacking attacks to the federal agency.
How did it function?
Marble does this by hiding ("obfuscating") text fragments used in CIA malware from visual inspection. This is the digital equivallent of a specalized CIA tool to place covers over the english language text on U.S. produced weapons systems before giving them to insurgents secretly backed by the CIA.
Marble, which was in use at the CIA during 2016, is part of the CIA's anti-forensics approach as well as its Core Library of malware code, according to WikiLeaks. It was designed to facilitate "flexible and easy-to-use obfuscation" as string obfuscation algorithms, especially the unique ones, are generally used to attribute malware to "a specific developer or development shop."
RELEASE: CIA Vault 7 Part 3 "Marble" -- thousands of CIA viruses and hacking attacks could now be attributed https://t.co/MfNtlwEoZS #Vault7 pic.twitter.com/2SVNR3v7Ll
— WikiLeaks (@wikileaks) March 31, 2017
Analysis of the source code reveals that the Marble Framework had one special feature that helped the CIA frame other nations for the malware attacks it carried out. The feature allowed virus writers to pretend that the malware was created by someone who speaks various foreign languages like Chinese, Russian, Korean, Arabic and Farsi – languages that are spoken in major cyber-enemies of the US, including China, Russia, North Korea and Iran.
This would permit a forensic attribution double game, for example by pretending that the spoken language of the malware creator was not American English, but Chinese, but then showing attempts to conceal the use of Chinese, drawing forensic investigators even more strongly to the wrong conclusion, --- but there are other possibilities, such as hiding fake error messages.
According to WikiLeaks, the Marble source code also includes a "deobfuscator" to reverse CIA text obfuscation, which means translating text strings back to English.
WikiLeaks could release Marble's source code files because the tool doesn't contain any vulnerability or exploits, and the CIA used it only to hide its tracks. Although Julian Assange, the founder of the anti-secrecy group, had earlier promised to supply details of the CIA hacking tools to tech companies, all the exploits from earlier releases have been held back so far.
Friday's release of Marble source codes followed the previous releases – the Year Zero files on March 7 that described a number of security exploits for popular hardware and software, and the Dark Matter batch on March 23 that contained documents for several CIA projects that were claimed to have infected Apples Mac and iPhones.
Check out WikiLeaks' online press conference on March 9 from the Ecuadorean embassy in London: