WikiLeaks has just published a new batch of the ongoing Vault 7 leak, and this time the whistleblowing website has unveiled a classified malware that tracks the geo-location of targeted PCs and laptops running the Microsoft Windows operating system.
In short, the malware does this by capturing the identifiers of nearby public hotspots and then matching them against global databases of public Wi-Fi hotspot locations.
The ELSA system first installs the malware on a targeted Wi-Fi-enabled machine, using separate CIA exploits to gain persistent access to the device.
The malware then uses the Wi-Fi hardware of the infected computer to scan for nearby visible Wi-Fi access points (APs) and records their ESSID (Extended Service Set Identifier, as defined in IEEE 802.11 wireless networking), MAC address and signal strength at regular intervals.
In order to perform this data collection, the ELSA malware does not require the targeted computer to be connected to the Internet. Instead, it only requires the malware to be running on a device with Wi-Fi enabled.
“If [the target device] is connected to the internet, the malware automatically tries to use public geo-location databases from Google or Microsoft to resolve the position of the device and stores the longitude and latitude data along with the timestamp,” WikiLeaks notes.
The collected information is then stored in encrypted form on the targeted device for later exfiltration.
The CIA malware itself doesn’t beacon (transfer) this data to the agency’s server. Instead, the operator (a CIA hacker) downloads the encrypted log files from the device using separate CIA exploits and backdoors.
The operator then decrypts the log files and performs further analysis on their target.
Last week, WikiLeaks dumped an alleged CIA tool suite for Microsoft Windows, dubbed Brutal Kangaroo, that targets closed networks or air-gapped computers within an organization or enterprise without requiring any direct access.
Since March, the whistleblowing group has published 12 batches of the “Vault 7” series, including the latest leak and last week’s, along with the following batches: