Can RCS software plant evidence on a targeted computer to frame them?

https://github.com/hackedteam/rcs-common/blob/master/lib/rcs-common/evidence/file.rb#L17

Source code from the HT leak seems to indicate that the surveillance software used by Governments around the world has this particular capability. This particular bit of code looks pretty interesting...
Line 14 appears to open a process, for example they use several of the most popular internet browsers:
```ruby
process = hash[:process] || ["Explorer.exe\0", "Firefox.exe\0", "Chrome.exe\0"].sample
```
On Line 17, it picks a path to the file, the examples are quite telling about what exactly this feature is for:
```ruby
path = hash[:path] || ["C:\\Utenti\\pippo\\pedoporno.mpg", "C:\\Utenti\\pluto\\Documenti\\childporn.avi", "C:\\secrets\\bomb_blueprints.pdf"].sample
```
Starting from Line 20 to 34, the program appears to generate meta data for a file including a time and date when it was created, and then writes it to the specified path selected above on Line 17:
```ruby
# (excerpt: the enclosing method header is not part of the quoted lines)
content = StringIO.new
t = Time.now.getutc
content.write [t.sec, t.min, t.hour, t.mday, t.mon, t.year, t.wday, t.yday, t.isdst ? 0 : 1].pack('l*')
content.write process
content.write [ 0 ].pack('L') # size hi
content.write [ hash[:size] || 123456789 ].pack('L') # size lo
content.write [ 0x80000000 ].pack('l') # access mode
content.write path
content.write [ ELEM_DELIMITER ].pack('L')
content.string
end

def generate_content(*args)
  [content(*args)]
end
```
So now there should be a freshly planted file on the target's computer named, using HT's own example, bomb_blueprints.pdf, just ready and waiting for the Feds to find. But it's lacking any content; it's simply an empty container file.

From line 36 to 61, it looks like content is then streamed in and pieced together:
```ruby
# (excerpt: the closing `end`s of the loop and method are not part of the quoted lines)
def decode_content(common_info, chunks)
  stream = StringIO.new chunks.join
  until stream.eof?
    info = Hash[common_info]
    info[:data] = Hash.new
    info[:data][:type] = :open
    tm = stream.read 36
    info[:da] = Time.gm(*tm.unpack('l*'), 0)
    info[:data][:program] = ''
    info[:data][:path] = ''
    process_name = stream.read_ascii_string
    info[:data][:program] = process_name.force_encoding('US-ASCII') unless process_name.nil?
    size_hi = stream.read(4).unpack("L").first
    size_lo = stream.read(4).unpack("L").first
    info[:data][:size] = size_hi << 32 | size_lo
    info[:data][:access] = stream.read(4).unpack("l").first
    file = stream.read_utf16le_string
    info[:data][:path] = file.utf16le_to_utf8 unless file.nil?
    delim = stream.read(4).unpack("L*").first
    raise EvidenceDeserializeError.new("Malformed FILEOPEN (missing delimiter)") unless delim == ELEM_DELIMITER
```
I'm not a coding expert, but this looks like a real nasty way for users of the software to plant evidence, which according to the software's own samples would be child porn and bomb blueprints, and then frame the target. And don't forget that the FBI is using this software...
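To see how the FILEOPEN record layout quoted above fits together byte by byte, here is an added round-trip encoder and parser for that record (example code written for this post, not code from the rcs-common repository). It assumes a placeholder value for ELEM_DELIMITER, since the real constant is not in the quoted lines, and a NUL-terminated UTF-16LE path, which is what the decoder's read_utf16le_string call implies; the parser also rejects truncated input and a missing delimiter.

```ruby
require 'stringio'

ELEM_DELIMITER = 0xABADC0DE    # placeholder: the real constant is not in the quoted code
ACCESS_GENERIC_READ = 0x80000000

# Serialize one FILEOPEN record with the same field order as the quoted `content` method.
def encode_fileopen(process:, path:, size:, time:)
  t = time.getutc
  buf = StringIO.new(String.new)                            # binary (ASCII-8BIT) buffer
  buf.write [t.sec, t.min, t.hour, t.mday, t.mon, t.year, t.wday, t.yday, t.isdst ? 0 : 1].pack('l*')
  buf.write process + "\0"                                  # NUL-terminated ASCII process name
  buf.write [size >> 32, size & 0xFFFFFFFF].pack('LL')      # size hi, size lo
  buf.write [ACCESS_GENERIC_READ].pack('L')                 # access mode
  buf.write path.encode('UTF-16LE').b + "\0\0"              # NUL-terminated UTF-16LE path (assumed)
  buf.write [ELEM_DELIMITER].pack('L')
  buf.string
end

# Read a NUL-terminated string made of `width`-byte code units; raise if the record is cut short.
def read_cstring(io, width)
  out = String.new
  loop do
    unit = io.read(width)
    raise ArgumentError, 'truncated string field' if unit.nil? || unit.bytesize < width
    break if unit.bytes.all?(&:zero?)
    out << unit
  end
  out
end

# Parse a blob of concatenated FILEOPEN records into hashes, mirroring the quoted `decode_content`.
def decode_fileopen(blob)
  io = StringIO.new(blob)
  records = []
  until io.eof?
    tm = io.read(36)                                        # nine packed int32 time fields
    raise ArgumentError, 'truncated timestamp' unless tm && tm.bytesize == 36
    rec = { time: Time.gm(*tm.unpack('l*'), 0) }            # 10-arg form: wday/yday/isdst ignored
    rec[:program] = read_cstring(io, 1).force_encoding('US-ASCII')
    size_hi, size_lo = io.read(8).unpack('LL')
    rec[:size] = size_hi << 32 | size_lo
    rec[:access] = io.read(4).unpack1('L')
    rec[:path] = read_cstring(io, 2).force_encoding('UTF-16LE').encode('UTF-8')
    delim = io.read(4).unpack1('L')
    raise ArgumentError, 'malformed FILEOPEN (missing delimiter)' unless delim == ELEM_DELIMITER
    records << rec
  end
  records
end
```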