Today, WikiLeaks publishes the third installment of its Vault 7 CIA leaks. We’ve already had the Year Zero files, which revealed a number of exploits for popular hardware and software, and the Dark Matter batch, which focused on Mac and iPhone exploits.
Now we have Marble to look at. A collection of 676 source code files, the Marble cache reveals details of the CIA’s Marble Framework, a tool used to hide the true source of CIA malware, sometimes going as far as making it appear to originate from countries other than the US.
The source code for Marble Framework is tiny — WikiLeaks has provided it in a zip file that’s only around 0.5MB. WikiLeaks explains that the tool is used by the CIA to hide the fact that it is behind malware attacks that are unleashed on targets:
Marble is used to hamper forensic investigators and anti-virus companies from attributing viruses, trojans and hacking attacks to the CIA.
Marble does this by hiding (“obfuscating”) text fragments used in CIA malware from visual inspection. This is the digital equivalent of a specialized CIA tool to place covers over the English language text on U.S. produced weapons systems before giving them to insurgents secretly backed by the CIA.
Marble forms part of the CIA’s anti-forensics approach and the CIA’s Core Library of malware code.
Analysis of the source code shows that the CIA is not only trying to hide its tracks, but goes as far as trying to pin the blame for malware attacks on other nations. The code includes Chinese, Russian, Korean, Arabic and Farsi language examples, indicating that the CIA has engaged in clever games of hide and seek:
This would permit a forensic attribution double game, for example by pretending that the spoken language of the malware creator was not American English, but Chinese, but then showing attempts to conceal the use of Chinese, drawing forensic investigators even more strongly to the wrong conclusion — but there are other possibilities, such as hiding fake error messages.
Thus far, the Vault 7 leaks have largely been met with derision. The majority of the exploits revealed are either for software so old as to be considered obsolete, or have already been patched. Experts have yet to weigh in on whether there is actually anything interesting to be gleaned from the Marble release, but history suggests there’s no need to get too excited just yet. WikiLeaks does suggest that Marble was in use as recently as 2016, but provides no evidence to back this up.
Image credit: Sylvie Corriveau / Shutterstock