The Shadowbrokers - September 2017 announcement reveals UNITEDRAKE (and many other NSA code names)

The shadow brokers‍ are back this month with a new dump you can get access to with Zcash only.

Changes to Dump Service:

• Two dumps per month
• Zcash only, no Monero, delivery email in encrypted memo field
• Delivery email address clearnet only, recommend tutanota or protonmail, no need exchange secret, no i2p, no bitmessage, no zeronet
• Previous dumps now available, send correct amount to correct ZEC address
• September dumps is being exploits

This month, the two monthly dumps (changed from one) are exploits it seems.

There is a new page on Mega where you can download the dumps, and should you happen to have the right key, or an exploit for PGP, then you can probably see what's inside:

https://mega.nz/#F!QGAyVTJL!0cJlvWpQ4dPcKLu-oN766w

In this link there is one file we can immediately access - the manual_to_august_dump.pdf. This seems to be a manualto software called UNITEDRAKE‍ created by Contact Sw, Inc. - contactsw.com.

UNITEDRAKE (UR) is a fully extensible remote collection system designed for Windows targets. This manual, which is geared for the system's operators and administrators, describes the following

1. How the system functions.
2. How the system is installed.
3. How the system is administered/maintained.
4. How the system is operated via the system management interface (SMI).

UNITEDRAKE is a system that both contains implants and the infrastructure used to operate remote implants with minimal operator interaction. There is information about it such as install files: URServer_win32_4.06.xx.xxxx_setup.exe, ur.sys - which makes me immediately think of shodan‍, where it could be possible to search specifically for URservers?

I don't know if this is useful: "The HTTP2 key contains an additional value: StegoPercent - The default value is 25".

UR comes with a nice target overview - the Target Pane:

Note the reference in this picture to Foxacid - previously covered online by for example Bruce Schneier here:

Foxacid is a tool to deanonymize Tor users and is used for the Quantum insert‍ technology (wired piece)

Another few tools are mentioned further down in the manual:

In this screenshot you will notice "FlewAvenue version" and "Soggybottom2" plus an incomplete name starting with "Salv", plus the tool tipoff which is part of UNITEDRAKE it seems. Neither FlewAvenue or Soggybottom2 have any mentions online that I can find.

Self destruct functionality:

The Implant Self Destruct functionality is used to remove the UNITEDRAKE client (versions 4.5.x and later) from the target. This command will remove all components of UNITEDRAKE. Components loaded in memory will still be present until the target reboots. This command will have a status of FAILED in the Queue, with UR ConnectionAborted. For additional information see Section 7.8

Then even more code names drop:

The Remote Modules control allows the operator to get the status of the UNITEDRAKE client on the target machine, load new modules, and unload existing ones. URClient versions 4.7.x and later will display the persistence method used as the Remote File Name for the Killsuit Persistence Identifier (KSLA for loader, SOTI for SOLARTIME, or JUVI for JUSTVISITING).

Here we have code names "loader", "SOLARTIME", and "JUSTVISITING" plus in the following screenshot more:

This screenshot gives us the code names:

• WistfulToll
• WhiteSpyder
• ThermalDiffusion
• SquashChunky
• KillSuit
• InfoSpyder
• and from the tab names
• SalvageRabbit

The next screenshot adds even further implant modules:

New code names from this:

• SulphurWrite
• StowageWink
• NetSpyder
• KrispyKreme
• Grok
• DaytonSunday
• BeigeThicket

The manual contains something about key munging‍, an expression I've never before heard but which seems to be a registry based obfuscation of configured communication ports.

There is also a code name for a tool that seems able to hide all traces of implant installation upon uninstallation:

DOGROUND_Logging.exe and Uninstaller_Logging.exe can be used in place of DOGROUND.exe or Uninstaller.exe if one wishes to have a record whether or not UNITEDRAKE installed or uninstalled successfully. The log file is a .tmp file created under :%SYSTEMROOT%\temp\~yh23931.tmp

That's it for now. Very interesting manual.