WikiLeaks Dumps Source Code of CIA Tool Called Marble


CrAKeN


WikiLeaks dumped yesterday the source code of a CIA tool called Marble, which according to previously leaked CIA manuals, the Agency classified as a code obfuscation framework.

 

The WikiLeaks dump conveniently came a day after the Senate's open hearing on Russian election interference.

 

Marble is not a tool for planting false flags


Many news agencies incorrectly reported that Marble allows CIA's operators to plant false flags inside the malware they create thanks to a feature that inserts code comments written in various languages such as Chinese, Russian, Korean, Arabic, and Farsi.

 

In reality, the Marble framework is a banal code obfuscation utility, like many other tools on the malware market.

Its role is to scramble code so that human operators can't read it and antivirus engines can't assign it to a known malware family. Nothing more.

 

Marble is a banal code obfuscator


"Based on less than 30 minutes of code review, I emphatically disagree with the [WikiLeaks] assertion that Marble is used for false flag ops," wrote on Twitter Rendition Infosec founder Jake Williams.

 

"The [Marble] framework is just a string obfuscation library. It IS interesting, but not in the sense that it would allow for cyber false flag," the expert added. "The Chinese and Russian examples noted by WL only show that the tool was tested for Unicode support, nothing more."

 


In the first batch of leaked CIA files, the ones containing CIA manuals and wiki pages, CIA operatives described Marble as follows:

 

Quote

The Marble Framework is designed to allow for flexible and easy-to-use obfuscation when developing tools. When signaturing tools, string obfuscation algorithms (especially those that are unique) are often used to link malware to a specific developer or development shop. This framework is intended to help us (AED) to improve upon our current process for string/data obfuscation in our tools. [...] The framework allows for obfuscation to be chosen randomly from a pool of techniques. These techniques can be filtered based upon the project needs. If desired, a user may also, select a specific technique to use for obfuscation.

 

The framework also includes a deobfuscation component for reverting the scrambled code to a readable version when operators need to make changes to the malware's source code.

 

According to WikiLeaks, the Marble framework reached v1.0 in 2015, and was used as late as 2016. The Marble source code is available for download from here and the documentation page is here.

 

Source

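A toy illustration of the design the quoted CIA manual describes (a pool of reversible string techniques, random selection from that pool, filtering, explicit selection, and a deobfuscation step), added here as an example and not Marble's own code: the three techniques, the tag bytes and the test strings are constructed for this example. The Russian and Chinese strings show what the Unicode test cases Williams refers to demonstrate: non-ASCII text simply round-trips, and the obfuscated bytes hide it rather than display it.

```python
import base64
import os
import random

# Constructed toy pool: a one-byte tag maps to (obfuscate, deobfuscate) over
# UTF-8 bytes, so non-ASCII text such as Russian or Chinese round-trips.

def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def xor_obf(data: bytes) -> bytes:
    key = os.urandom(4)               # random per-string key, prepended
    return key + _xor(data, key)

def xor_deobf(blob: bytes) -> bytes:
    return _xor(blob[4:], blob[:4])

def add_obf(data: bytes) -> bytes:
    shift = random.randrange(1, 256)  # random byte shift, prepended
    return bytes([shift]) + bytes((b + shift) & 0xFF for b in data)

def add_deobf(blob: bytes) -> bytes:
    return bytes((b - blob[0]) & 0xFF for b in blob[1:])

def revb64_obf(data: bytes) -> bytes:
    return base64.b64encode(data[::-1])

def revb64_deobf(blob: bytes) -> bytes:
    return base64.b64decode(blob)[::-1]

TECHNIQUES = {b"X": (xor_obf, xor_deobf),
              b"A": (add_obf, add_deobf),
              b"B": (revb64_obf, revb64_deobf)}

def obfuscate(text: str, allowed=None, technique=None) -> bytes:
    """Pick a technique at random from the pool (optionally filtered to
    `allowed`), or use `technique` explicitly; return tag + payload."""
    pool = [t for t in TECHNIQUES if allowed is None or t in allowed]
    tag = technique if technique is not None else random.choice(pool)
    if tag not in pool:
        raise ValueError("technique not available in the filtered pool")
    return tag + TECHNIQUES[tag][0](text.encode("utf-8"))

def deobfuscate(blob: bytes) -> str:
    """Reverse whichever technique the leading tag byte names. This fixed
    tag-plus-payload framing is what an analyst signatures, not the language."""
    return TECHNIQUES[blob[:1]][1](blob[1:]).decode("utf-8")

def hides_plaintext(text: str, blob: bytes) -> bool:
    # True when the original UTF-8 bytes no longer appear anywhere in the blob
    return text.encode("utf-8") not in blob
```

Because the framing is constant while the wrapped strings vary, a signature written against the framing links samples to the same toolkit regardless of what language the strings were written in.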

This is funny because they're forcing AVs to have to block it because others may use it now.

Quote

The source code is for a tool called "Marble," what is known as an obfuscator or packer.

Now, Weaver said, WikiLeaks is forcing antivirus companies to block the CIA packer because, by releasing it publicly, "[t]hey practically guarantee that a bunch of digital miscreants will start using it as well, because 'hey, a CIA packer for my malcode, cool!'" Weaver said.

 

 

Really we don't know if the CIA still uses this packer or not, but I'm sure they'll find a new one soon that AV won't pick up, if they haven't already. But now Marble will be detected by antivirus programs.


Quote

 

WikiLeaks' false flag attack allegations against CIA unfounded

Another set of documents from the Vault 7 CIA cache was released by WikiLeaks but experts say the allegations of false flag attacks are unfounded and dangerous.

 

 

WikiLeaks promised more documents from the CIA Vault 7 stockpile and the latest batch shows evidence of the CIA using obfuscation techniques to hide its cyber operations. However, experts say WikiLeaks went too far with allegations of false flag attacks.

 

The latest Vault 7 release, named "Marble," includes 676 source code files for the CIA's Marble Framework, which WikiLeaks describes as anti-forensic code used "to hamper forensic investigators and anti-virus companies from attributing viruses, trojans and hacking attacks to the CIA."

 

Hector Monsegur, director of assessments at Rhino Security Labs, said he wasn't surprised by these obfuscation techniques.

 

"They use obfuscation techniques in the real world. CIA agents have been known to create fake identities, learn new languages, get suntans and wear makeup. It's the same concept," Monsegur told SearchSecurity. "The more sophisticated and targeted the attack is, the higher level of obfuscation you will see. And, if an attacker is focusing on a specific target, they would employ obfuscation to bypass filters, anti-malware or virus signatures, etc."

 

However, experts said WikiLeaks went too far in alleging this data included evidence that the CIA was performing cyberattacks intended to be blamed on other agents, also known as "false flag attacks."

"The source code shows that Marble has test examples not just in English but also in Chinese, Russian, Korean, Arabic and Farsi," WikiLeaks claimed in a blog post. "This would permit a forensic attribution double game, for example by pretending that the spoken language of the malware creator was not American English, but Chinese, but then showing attempts to conceal the use of Chinese, drawing forensic investigators even more strongly to the wrong conclusion, --- but there are other possibilities, such as hiding fake error messages."

 

Jake Williams, founder of consulting firm Rendition InfoSec LLC in Augusta, Ga., said on Twitter that he reviewed the code and disagreed "emphatically" with the assertion that Marble included evidence of false flag attacks.

 

"The Marble Framework is just a string obfuscation library. It is interesting, but not in the sense that it would allow for cyber false flag," Williams tweeted. "The Chinese and Russian examples noted by WL only show that the tool was tested for Unicode support, nothing more. [The] Marble Framework tests show that Russian strings could be obfuscated from plain view. The opposite of what you'd want for false flag [attacks]."

 

Nicholas Weaver, computer security researcher at the International Computer Science Institute in Berkeley, Calif., agreed the false flag attack allegations were unfounded and told SearchSecurity this was an example of WikiLeaks taking advantage of "not having been known to release fake documents as a way of laundering their bogus analysis."

 

Williams said this could be troublesome because "WikiLeaks is not interested in getting it right."

 

"If they were, they'd enlist the help of real experts before release of the material. As it stands they control the narrative at release time and everyone else is playing catch up," Williams said. "I think the allegations that the CIA is involved in false flag attacks serves to reassure Trump supporters, many of whom deny the Russians were involved in pre-election hacking."

 

 

http://searchsecurity.techtarget.com/news/450416071/WikiLeaks-false-flag-attack-allegations-against-CIA-unfounded

 
