The code obfuscating tool is used to confuse researchers

Apr 3, 2017 20:17 GMT  ·  By

WikiLeaks dumped another part of its Vault 7 data trove on CIA's espionage tools and this time it's a tool called Marble, which is a code obfuscating framework. 

"Marble is used to hamper forensic investigators and anti-virus companies from attributing viruses, trojans and hacking attacks to the CIA," WikiLeaks writes in its release. Experts, however, don't really agree with this description.

For instance, Jake Williams, Rendition Infosec founder, took to Twitter to say that after 30 minutes spent reviewing the available code, he "emphatically disagree[s] with [WikiLeaks'] assertion that Marble is used for false flag ops."

What does he believe it is? Just a string obfuscation library. Williams believes it is an interesting piece of code, but not in the sense that it would allow for cyber false flags. "The Chinese and Russian examples noted by WL only show that the tool was tested for Unicode support, nothing more," he says.

The expert refers to WikiLeaks' assessment that the source code contains test examples not just in English but also in Chinese, Russian, Korean, Arabic and Farsi. According to WikiLeaks, this would allow agents to pretend that the malware creator's native language was not American English but, for example, Chinese, leading investigators to believe the malware was created by a completely different team.

Less complicated 

Marble, it seems, is simply an obfuscation utility, like many similar tools available on the malware market. Its role is to scramble the code so that human analysts can't read it and antivirus engines can't assign it to a known malware family.

The third data release from WikiLeaks also contains source code for a "deobfuscator" to reverse the CIA text obfuscation.
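To make the two points above concrete (a string obfuscation library that hides readable strings from analysts and signature engines, and a deobfuscator that reverses it), here is an added illustration. It is not code from the Marble release, from WikiLeaks or from Williams: the repeating-key XOR scheme, the key `SAMPLE_KEY` and the sample strings (including a Chinese and a Russian one, to show that Unicode coverage is just a round-trip property) are all constructed assumptions, and Marble's actual algorithm is not known from the article.

```python
# Added illustration of a string-obfuscation scheme and its deobfuscator.
# Hypothetical scheme (repeating-key XOR over UTF-8 bytes); not Marble's algorithm.

SAMPLE_KEY = b"sample-key"  # constructed sample key, 10 bytes

# Constructed sample strings: an English API-style name plus Chinese and
# Russian text, mirroring the "Unicode support" test cases the article mentions.
SAMPLE_STRINGS = [
    "kernel32.dll",
    "测试字符串",
    "Тестовая строка",
]


def _xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR each byte of data with the key, repeating the key as needed."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate(text: str, key: bytes = SAMPLE_KEY) -> bytes:
    """Encode a (possibly non-ASCII) string to UTF-8 and XOR it with the key."""
    return _xor_bytes(text.encode("utf-8"), key)


def deobfuscate(blob: bytes, key: bytes = SAMPLE_KEY) -> str:
    """Analyst-side reversal: XOR with the same key and decode UTF-8.
    XOR is its own inverse, so this is the same operation as obfuscate()."""
    return _xor_bytes(blob, key).decode("utf-8")


def signature_hits(blob: bytes, patterns: list[bytes]) -> list[bytes]:
    """Return the plaintext byte patterns that still appear verbatim in the blob.
    A signature written against a readable string will miss once it is scrambled."""
    return [p for p in patterns if p in blob]


def recover_key(blob: bytes, known_plaintext: str, key_len: int) -> bytes:
    """Known-plaintext key recovery, a common deobfuscation step when the key is
    not available: XOR the blob against a string known to be at its start.
    Requires the known text to cover at least one full key period."""
    pt = known_plaintext.encode("utf-8")
    if len(pt) < key_len or len(blob) < key_len:
        raise ValueError("known plaintext must cover at least one full key period")
    return bytes(blob[i] ^ pt[i] for i in range(key_len))


def round_trip_all(strings: list[str], key: bytes = SAMPLE_KEY) -> bool:
    """True if every sample string survives obfuscation and deobfuscation unchanged,
    which is all the presence of foreign-language test strings demonstrates."""
    return all(deobfuscate(obfuscate(s, key), key) == s for s in strings)


if __name__ == "__main__":
    for s in SAMPLE_STRINGS:
        blob = obfuscate(s)
        print(f"{s!r} -> {blob.hex()} -> {deobfuscate(blob)!r}")
    print("plaintext signatures still matching:",
          signature_hits(obfuscate("kernel32.dll"), [b"kernel32"]))
    print("key recovered from known plaintext:",
          recover_key(obfuscate("kernel32.dll"), "kernel32.dll", len(SAMPLE_KEY)))
```

The point of `recover_key` is the analyst's view: a scheme like this hides strings from a naive signature match, but once one string is known (or the decode routine is found), every other string in the sample falls out, and the recovered text reads the same whether it was English, Chinese or Russian, which is why the language of the test strings says nothing about who wrote the code.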

The Marble tool was being put to use by the CIA as recently as the end of 2016.