While the world was busy dealing with the massive WannaCry ransomware attacks, WikiLeaks quietly released its latest CIA Vault 7 dump. The whistleblowing platform's newest release contains the user manuals of two malware strains allegedly stolen from the CIA, dubbed AfterMidnight and Assassin.

According to the documents leaked by WikiLeaks, the malware was allegedly used by the spy agency to hack into systems and also allowed CIA spies to disrupt commonly used software programs such as PowerPoint. Both malware strains have allegedly been customised by the CIA to enable the agency's spies to remotely operate them.

What is AfterMidnight?

According to WikiLeaks, AfterMidnight "allows operators to dynamically load and execute malware payloads on a target machine". The tool essentially acts as a Windows Service DLL (Dynamic-link library) file, which functions as a backdoor. According to the user manual leaked by WikiLeaks, AfterMidnight communicates with its C&C (command and control) server to download three modules each of which has been designed to work collectively to surreptitiously infect users.

While one module allows data to be exfiltrated, another is used to subvert software and the third enables all modules to function together, providing internal services. AfterMidnight also contains a special payload called "AlphaGremlin" that comes with "a custom script language which allows operators to schedule custom tasks to be executed on the target machine".

CIA logo
The Central Intelligence Agency (CIA) logo is displayed in the lobby of CIA Headquarters in Langley, Virginia, on August 14, 2008.SAUL LOEB/AFP/Getty Images

According to the user manual, the tool allows the creation of malware that can prevent a victim from using his/her browser. The malware is capable of killing all Internet Explorer and Firefox executables every 30 seconds, which would essentially force the victim to spend more time at his/her workstation and allow attackers more opportunity to steal data.

AfterMidnight can also be used to create malware that "annoy the [...] target whenever they use PowerPoint (because, face it, they deserve it for using PP)". The user manual details how malware can be created to delay PowerPoint slides starting by 30 seconds and how nearly 50% of PowerPoint resources can be locked up every 10 minutes.

What is Assassin?

WikiLeaks also released the user manual for Assassin, a second tool allegedly used by the CIA. Assassin shares several similarities with AfterMidnight. This tool also acts as a backdoor and comes with a listening post and an intermediary between its C&C server and its malware implant. The malware implant allows for the exflitration of data from Windows PCs.