CIA’s Pandemic uses ‘bait and switch’ to rapidly infiltrate local networks

On the 1st of June 2017 Wikileaks released documentation of a tool called ‘Pandemic’, as part of their Vault 7 series of retrieved CIA exploits.

Pandemic mimics a Windows file server when it has been installed on a computer in a network. When another computer in the network tries to read a file from the ‘patient zero’ computer, Pandemic instead serves them a ‘Trojaned’ version of the file that they are trying to access, containing within it snippets of malicious code.

This allows the CIA to rapidly infect computers within a specific network. It is considerably more efficient than the CIA’s preferred method of creating backdoors in popular devices, which exposes the general public to exploits that often end up in the hands of malicious agents.

Think of it as a surgically precise drone strike to contrast the rest of their arsenal of heavy-duty nuclear weaponry.

Most offices use an intranet system as a vital part of their IT infrastructure, with a central server distributing shared files to individual computers via a protocol known as Server Message Block (SMB). This suggests that the CIA created Pandemic to infiltrate a corporate environment, but we currently have no knowledge of how the exploit was utilised.

Jake Williams, a malware expert at Rendition InfoSec, told blog Ars Technica:

‘This code looks like it was developed with a very specific use in mind. Many larger organizations don’t use Windows file servers to serve files. They use special built storage devices (network attached storage). My guess here would be that this was designed to target a relatively small organization’

Pandemic is effectively a Trojan variant of the Windows minifilter device driver. This means that in order for the software to be installed on a ‘patient zero’ computer without being flagged as inauthentic, it would have to possess a valid Windows digital certificate.

This leaves two options for implementing the software without being flagged as a virus: a Windows digital signature would have to be obtained illegally i.e. bought fraudulently or stolen, or the CIA have developed some other software that is capable of circumventing Windows code-signing requirements.

I currently haven’t seen any CIA documentation proving that they have the capability of duping the Windows digital verification system, which suggests that they instead fraudulently obtained a Windows certificate for their Pandemic exploit.

See the documentation overview for Pandemic below:

Wikileaks Decrypted | Vault 7 | Pandemic