Date: 4 Feb 2019 Category :
Quick Reference Resources: WikiLeaks CIA Vault7 Leak – CouchPotato
CouchPotato enabled CIA agents to remotely use the tool to stealthily collect RTSP/H.264 video streams (RTSP/H.264: Real Time Streaming Protocol is a network control protocol designed for use in entertainment and communication systems and is a control mechanism for streaming media servers).
The tool provided CIA operatives with a number of options:
- Collect the media stream as a video file (AVI);
- Capture still images (JPG) of frames from the media stream;
- This function was capable of being triggered only when there was change (threshold setting) in the pixel count from the previous capture;
The tool uses FFmpeg to encode and decode video and images and Real Time Streaming Protocol connectivity. The CouchPotato tool works stealthily without leaving any evidence on the attacked systems facilitated by ICE v3 “Fire and Collect” loader.
This is an in-memory code execution (ICE) technique that runs malicious code without the module code being written to the disk.
“Neither Wikileaks, nor the leaked user guide explains how the agency penetrates the attacked systems, but as many CIA malware, exploits and hacking tools have already leaked in the Vault 7 publications, the agency has probably used CouchPotato in combination with other tools.” – TAD Group
The 10th August 2017 WikiLeaks release overview:
“Today, August 10th 2017, WikiLeaks publishes the the User Guide for the CoachPotato project of the CIA. CouchPotato is a remote tool for collection against RTSP/H.264 video streams. It provides the ability to collect either the stream as a video file (AVI) or capture still images (JPG) of frames from the stream that are of significant change from a previously captured frame. It utilizes ffmpeg for video and image encoding and decoding as well as RTSP connectivity. CouchPotato relies on being launched in an ICE v3 Fire and Collect compatible loader.”
One document was published alongside this release: