KEYSTONE?

Angelfire

31 August, 2017

Today, August 31st 2017, WikiLeaks publishes documents from the Angelfire project of the CIA. Angelfire is an implant comprised of five components: Solartime, Wolfcreek, Keystone (previously MagicWand), BadMFS, and the Windows Transitory File system. Like previously published CIA projects (Grasshopper and AfterMidnight) in the Vault7 series, it is a persistent framework that can load and execute custom implants on target computers running the Microsoft Windows operating system (XP or Win7).

Solartime modifies the partition boot sector so that when Windows loads boot time device drivers, it also loads and executes the Wolfcreek implant, that once executed, can load and run other Angelfire implants. According to the documents, the loading of additional implants creates memory leaks that can be possibly detected on infected machines.

Keystone is part of the Wolfcreek implant and responsible for starting malicious user applications. Loaded implants never touch the file system, so there is very little forensic evidence that the process was ever ran. It always disguises as "C:\Windows\system32\svchost.exe" and can thus be detected in the Windows task manager, if the operating system is installed on another partition or in a different path.

BadMFS is a library that implements a covert file system that is created at the end of the active partition (or in a file on disk in later versions). It is used to store all drivers and implants that Wolfcreek will start. All files are both encrypted and obfuscated to avoid string or PE header scanning. Some versions of BadMFS can be detected because the reference to the covert file system is stored in a file named "zf".

The Windows Transitory File system is the new method of installing AngelFire. Rather than lay independent components on disk, the system allows an operator to create transitory files for specific actions including installation, adding files to AngelFire, removing files from AngelFire, etc. Transitory files are added to the 'UserInstallApp'.

On July 18, 2013, Investigative Journalist Michael Hastings, the man who single-handedly brought down one of the most powerful men in the military with his reporting,521 died in a fiery car crash in Los Angeles.

Suspicious circumstances of his death immediately began streaming in. For example, Hastings had contacted the Wikileaks lawyer just hours before his death worried that he was being followed by the FBI.

The next day, an email that Hastings had sent to colleagues was released, titled 'FBI Investigation re:NSA'. It stated: “I'm on to a big story, and need to go off the radar for a bit.”

In a 2012 interview, Hastings revealed that he had received numerous death threats from recent investigative reporting. “Yes. Every once and awhile, I'll get a death threat from someone–like, 'if we don't like what you write, we'll hunt you down and kill you' kind of thing.”

The autopsy report found that neither drugs nor alcohol played a role in the crash. Why, then, have witnesses described Hastings' vehicle, a Mercedes C250 (a car not prone to bursting into flames) traveling at full speed down a suburban road, crossing a red light and then skipping over a median into a tree, exploding? Security footage from a gas station caught the speeding, the crash and the explosion, confirming the eyewitness testimony.

“Hastings was intensely interested in government surveillance of journalists. In May, the story broke about the Department of Justice obtaining the phone records of Associated Press reporters. A couple weeks later, Edward Snowden's revelations about the National Security Agency's massive surveillance program became public. Hastings was convinced he was a target….

One night in June, he came to Thigpen's apartment after midnight and urgently asked to borrow her Volvo. He said he was afraid to drive his own car. She declined, telling him her car was having mechanical problems.

"He was scared, and he wanted to leave town," she says.

The next day, around 11:15 a.m., she got a call from her landlord, who told her Hastings had died early that morning. His car had crashed into a palm tree at 75 mph and exploded in a ball of fire.” – LA Weekly

The type of cyber attack that could have taken control of Hastings' vehicle is very real, confirmed by independent hackers to a Forbes journalist in a demonstration, and by the government itself, in a presentation by DARPA, the Defense Advances Research Projects Agency

.

Rest in peace Michael Hastings, and to each and every victim of the Pathocracy. We will pick up where you left off.

>>678044

>>678119

REX TILLERSON?

>>678189

something big about to pop off tomorrow!

something is coming back into the news cycle I think.