
UNITEDRAKE: The Shadow Brokers Leak NSA Malware Manual from August Dump

In Archive, Hacking, NSA, Shadow Brokers on September 7, 2017 at 12:11 PM

PDF (2MB)

The Shadow Brokers – the hacker group behind the ongoing leaks of NSA tools and exploits – released their September 2017 communique yesterday. In it they detail upcoming prices and changes to their monthly dump service, stating that dumps will now come twice a month, continuing until at least November 15, and that September’s will contain exploits.

More interestingly for non-subscribers, at the bottom of the post is a MEGA link containing “Files, Signed Message, Manual to August Dump.” The manual – titled “UNITEDRAKE Version 4.6.1” – appears to have been altered by an open source graphics program and then re-saved as a PDF. Classification markings have been removed and the company listed on the manual is fake.

UNITEDRAKE is a modular malware described as a “fully extensible remote collection system designed for Windows targets.”

Able to compromise machines running Windows XP, Windows Server 2003 and 2008, Vista, Windows 7 SP1 and earlier, as well as Windows 8 and Windows Server 2012, the tool operates as a client/server system: implants planted on target machines collect information and send it back to a server over the internet.

The existence of UNITEDRAKE first came to light in 2013 as part of a series of classified NSA documents leaked by Edward Snowden and in a catalog of NSA hacking tools leaked by a second source, which revealed it was used by the NSA alongside other pieces of malware to infect millions of computers around the world.

By using “plugins”, UNITEDRAKE can perform tasks including listening in on and monitoring communications, capturing keystrokes and both webcam and microphone output, impersonating users, stealing diagnostic information and self-destructing once its tasks are complete.

via emptywheel:

The way in which UNITEDRAKE is used with FISA is problematic. Note that it doesn’t include a start date. So the NSA could collect data from before the period when the court permitted the government to spy on them. If an American were targeted only under Title I (permitting collection of data in motion, therefore prospective data), they’d automatically qualify for 705(b) targeting with Attorney General approval if they traveled overseas. Using UNITEDRAKE on — say, the laptop they brought with them — would allow the NSA to exfiltrate historic data, effectively collecting on a person from a time when they weren’t targeted under FISA. I believe this kind of temporal problem explains a lot of the recent problems NSA has had complying with 704/705(b) collection.

In 2015 the cybersecurity and anti-virus provider Kaspersky released a report on the “Equation Group”, to whom The Shadow Brokers originally attributed the leak and which has been tied to the NSA’s elite Tailored Access Operations (TAO) hacking unit. Kaspersky found UNITEDRAKE malware – which its report calls EQUATIONDRUG and GRAYFISH – on customer machines in over 30 countries including Iran, Russia, China, the US and the UK, across sectors including government, military, finance, energy and media.

OTHER CODENAMES IN UNITEDRAKE MANUAL:

FOXACID
PUZZLECUBE
BLUISHDEFER
SOLARTIME
JUSTVISITING
FOGGYBOTTOM
SALVAGERABBIT
WISTFULTOLL (ANT Catalog)
INFOSPYDER
KILLSUIT
SQUASHCHUNKY
THERMALDIFFUSION
WHITESPYDER
BEIGETHICKET
DAYTONSUNDAY
GROK
KRISPYKREME
NETPSPYDER
STOWAGEWINK
SULPHURWRITE
FLEWAVENUE
HEAVENSLEW
FELONYCROWBAR
DOGROUND
DICEDEALER
