CIA malware targeting all Windows versions

ransomware Hacker

As if WannaCry ransomware was not enough, this weekend WikiLeaks has revealed an exploit being used by the CIA against any Windows version out there and capable of taking control of the targeted system.

Codenamed Athena, the CIA project has the ability to compromise absolutely any Windows version on the market, starting with Windows XP and ending with Windows 10. It also provides attackers with capabilities like deploying other malware and access to local files should they want to drop certain data on the drives.

“Once installed, the malware provides a beaconing capability (including configuration and task handling), the memory loading/unloading of malicious payloads for specific tasks and the delivery and retrieval of files to/from a specified directory on the target system. It allows the operator to configure settings during runtime (while the implant is on target) to customize it to an operation,” WikiLeaks says.

This basically means the CIA can pretty much have full control of a Windows system, retrieve any data from the target computer and upload it to its own servers. Athena was created in August 2015, which means the CIA got its hand on the exploit only a month after the launch of Windows 10 in July the same year.

The malware in question was developed by the CIA as a part of its collaboration with a US-based company called Siege Technologies and which describes itself as a cyber security company that is focused on “offensive cyber-war technologies”.

Project Athena was developed from the very beginning to bypass antivirus systems, with the CIA documentation including references to widely popular solutions, which according to the agency cannot block the exploit.

“The installation will hijack the dnscache service,” the user manual of Athena reveals. “On Windows 7 and 8, this service is running in a netsvcs instance by default but on Windows 8.1 and Windows 10, this service runs as NetworkService. The NetworkService user context has reduced security capability on the system. Due to srvhost implementation, the service will only run in the netsvcs context at next reboot. To account for this deficiency and still provide immediate execution after installation, the existing service will run as NetworkService until next reboot at which time the System user netsvcs will be engaged.”

It is however, not clear if Microsoft has already delivered patched against the exploit.