Wikileaks Vault 7: CIA's Pandemic tool now replaces files with malware
The tool is called Pandemic, which is capable of installing a file system filter driver on a network.
Wikileaks has released a new set of documents from its Vault 7 series, and this time it has detailed a tool that CIA allegedly uses to spread malware on a target organizational network.
The tool is called “Pandemic,” and it installs a file system filter driver on a file server on the network, replacing legitimate files with a malicious payload when they are accessed remotely over the Server Message Block (SMB) protocol.
"Pandemic does NOT//NOT make any physical changes to the targeted file on disk. The targeted file on the system Pandemic is installed on remains unchanged. Users that are targeted by Pandemic, and use SMB to download the targeted file, will receive the 'replacement' file," reads the tool's description.
This means it is difficult to identify affected systems. Since Pandemic replaces files while in transit, instead of modifying them on the device the malware is running on, the legitimate files remain unchanged.
The tool was designed to work on both 32-bit and 64-bit Windows systems. Pandemic is installed on the machines from which users download and execute files remotely, i.e. the file servers. The files released by WikiLeaks indicate that up to 20 files can be targeted at a time, each with a maximum size of 800 MB.
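Because the implant leaves the on-disk copy untouched and only alters what SMB clients receive, the practical defender's check is to hash each shared file on the server's local disk and compare it with a hash of the same file as read by a separate client through the share. The script below is an added example written for this article, not a tool from the Vault 7 documents; it simulates the two views with two constructed temporary directories (a real check would point `disk_root` at the server's local path and `share_root` at the UNC path as seen from another host, since a read from the server itself would not necessarily pass through the filter the way a remote SMB read does).

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path, chunk_size=1024 * 1024):
    """Stream a file through SHA-256 so large binaries (the tool reportedly
    handles files up to 800 MB) do not have to be loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def compare_views(disk_root, share_root, names):
    """Hash each named file in the server's local view (disk_root) and in the
    client's view of the share (share_root). Return (name, disk_hash, share_hash)
    for every file whose two views differ; an in-transit substitution shows up
    here even though the disk copy is intact."""
    mismatches = []
    for name in names:
        disk_hash = sha256_of(Path(disk_root) / name)
        share_hash = sha256_of(Path(share_root) / name)
        if disk_hash != share_hash:
            mismatches.append((name, disk_hash, share_hash))
    return mismatches


def demo():
    """Constructed sample: two temp directories stand in for the server's disk
    and a client's SMB view. One executable is served differently from what is
    stored on disk; the text file is served unchanged."""
    with tempfile.TemporaryDirectory() as disk, tempfile.TemporaryDirectory() as share:
        # Constructed placeholder contents, not real binaries.
        originals = {
            "setup.exe": b"MZ placeholder: original installer bytes",
            "readme.txt": b"release notes, unchanged in transit",
        }
        for name, data in originals.items():
            (Path(disk) / name).write_bytes(data)
            (Path(share) / name).write_bytes(data)
        # Simulate the filter driver substituting the executable only as it is
        # served over the share; the disk copy stays identical to the original.
        (Path(share) / "setup.exe").write_bytes(b"MZ placeholder: replacement payload bytes")
        return [name for name, _, _ in compare_views(disk, share, list(originals))]


if __name__ == "__main__":
    print("files that differ between disk and share view:", demo())
```

In production the file list would come from the share's directory listing, and the hashes of the disk copies can be taken on the server while the share-side hashes are collected from an independent client; any mismatch on a file the server itself reports as unmodified is the signal to investigate the server's loaded filter drivers.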
"As the name suggests, a single computer on a local network with shared drives that is infected with the 'Pandemic' implant will act like a 'Patient Zero' in the spread of a disease. It will infect remote computers if the user executes programs stored on the pandemic file server. Although not explicitly stated in the documents, it seems technically feasible that remote computers that provide file shares themselves become new pandemic file servers on the local network to reach new targets," WikiLeaks writes about the release.
The released files also describe how to check whether a system has been infected with Pandemic, and security experts have pointed this out on Twitter.