Backdoor.Athena

Backdoor.Athena appears to be a tool created for the Windows and Linux operating systems’ exploitation. The tool is said to be developed by CIA and Siege Technologies. Its existence became known to Internet users when a well-known site called WikiLeaks uploaded documents containing information about the malicious application, such as Athena v1.0 User Guide, Athena Technology Overview, Athena (Design), and so on. Based on them it seems Backdoor.Athena has quite a few capabilities, for example, a beaconing ability. If you are interested in learning more about this application we recommend reading the rest of the article as further in it we will explain how this malware works, what it might be used for, and other important details alike. However, for even more information on this malicious application, you could read the documents shared by WikiLeaks.

According to the AthenaTechnologyOverview.pdf (https://wikileaks.org/vault7/document/AthenaTechnologyOverview/AthenaTechnologyOverview.pdf) Backdoor.Athena “is a beacon loader developed with Siege Technologies. It runs in user space and beacons from the srvhost process.” Further, the same paper explains the Trojan is using two unique tools called Athena-Alpha and Athena_Bravo. Apparently, Athena-Alpha uses RemoteAccess service to find an IP support DLL titled iprtrmgr.dll. By doing so, the implant gets loaded into srvhost every time the mentioned service starts. As for the Athena-Bravo tool, it uses a different service known as Dnscache and a DLL file called dnsext.dll to load the implant into srvhost too. Once these tasks are completed, it is said the implant should load DLLs into the running process. There are four DLLs to be more precise, although three of them are converted to an AXE format.

The Host.dll merely is dropped to disk, and all it does is loads Backdoor.Athena into memory. Next, is the engine DLL (Engine.AXE) that is loaded once by the Host.dll. It enables the following functions: encryption, compression, data masking, hashing, string masking, data package, and state file logic. If needed it performs tasks like unloading or uninstalling. The third DLL is called Command.AXE. It is responsible for beaconing the server, processing the command, and signaling the engine to upload it from memory. The last DLL is known as Uninstall.AXE and as you probably already guessed its task is to uninstall the implant. This is a brief explanation of how the malware works or how it functions. As for its capabilities, we found information about it in the Athena-v1_0-UserGuide.pdf (https://wikileaks.org/vault7/document/Athena-v1_0-UserGuide/Athena-v1_0-UserGuide.pdf).

As the mentioned paper explains Backdoor.Athena has five main capabilities. The first one is to execute on the various Windows and Linux operating systems. Also, the malicious application “Provides a beaconing capability that provides configuration and task handling.” The third capability is to provide a memory loading or unloading on the targeted system. What’s more, the Trojan should be able to provide “delivery and retrieval of files to/from a specified directory on the target system.” The last function is allowing the operator to configure settings while the implant is still on the targeted system.

To put it more simply, this Trojan could be used to gain access to a system, steal sensitive information, install other tools on it, and so on. Needless to say, all of these actions can be done silently and without raising any suspicion, which makes Backdoor.Athena a powerful tool for exploiting both Windows and Linux operating systems. Nevertheless, it is important to mention the tool was most likely created to help CIA stop various attacks from cybercriminals. In other words, we doubt such a tool might be used on individual computer users. After all, our researchers could not find even a single sample to test the malware and see how it works from close. Therefore, this time we will not add any removal instructions. In fact, even if the malicious application was distributed among users, instead of eliminating it manually we would recommend using a reliable antimalware tool since dealing with such infection on your own could be too complicated.