CIA tool for locating users of Windows devices published

30 June 2017, 10:28 | Technologies 
Photo: InternetUA

On Wednesday, 28 June, WikiLeaks published another batch of secret CIA documents as part of its Vault 7 project. The site posted a 42-page user manual for the ELSA tool, which lets CIA operators track the location of Wi-Fi-enabled Windows devices using the Extended Service Set (ESS) data of nearby Wi-Fi networks.

According to the manual, an ELSA implant is tailored to the target's environment with the PATCHER wizard, which generates the ELSA payload (a single DLL). The configuration covers the architecture of the target computer (x86 or x64), the desired loading mode (dllhost, svchost, rundll32 or appinit), the geolocation provider to query (Microsoft or Google), the maximum log file size, and so on.

Once the configuration is done, the CIA operator implants ELSA on the targeted Wi-Fi-enabled Windows device. ELSA is only the implant: separate tools and exploits are needed to gain access to the target system and install it there.

Once installed, ELSA collects data on nearby Wi-Fi access points on a schedule set by the operator. Collection works even when the device is not connected to any Wi-Fi network, because scanning only requires seeing the beacons of networks in range. The implant scans the surrounding wireless networks, records the ESS identifiers of each access point (its MAC address, i.e. the BSSID, its SSID and the signal strength) and stores them in a local file encrypted with a 128-bit AES key.

Whenever the device has Internet access, ELSA submits the collected data to the configured provider's geolocation database (Microsoft's or Google's) to resolve it to coordinates. These databases map ESS identifiers to geographic positions, so the operator can determine where the target device has been.
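As an added example (not code from the article or from the leaked ELSA manual) of how the ESS data described above turns into a position: the script below parses the access-point list that Windows' own `netsh wlan show networks mode=bssid` prints, and builds the request body that Google's public Geolocation API accepts, without sending anything. The netsh output is a constructed sample with made-up BSSIDs; the percentage-to-dBm conversion is an approximation I assume, and the field names follow Google's documented API, which the article names as one of ELSA's two providers. The `at least two access points` rule is Google's own requirement for Wi-Fi-based lookups.

```python
"""Turn a Windows Wi-Fi scan into a geolocation lookup request (offline).

Added illustration, not ELSA's code. Only demonstrates that the three ESS
fields the article lists (BSSID, SSID, signal strength) are all a provider
needs to place a device.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass

# Constructed sample in the format `netsh wlan show networks mode=bssid`
# prints on Windows. BSSIDs and names are invented for this example.
SAMPLE_NETSH_OUTPUT = """
Interface name : Wi-Fi
There are 2 networks currently visible.

SSID 1 : CoffeeShop-Guest
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None
    BSSID 1                 : 00:11:22:33:44:55
         Signal             : 86%
         Radio type         : 802.11n
         Channel            : 6
    BSSID 2                 : 00:11:22:33:44:66
         Signal             : 40%
         Radio type         : 802.11ac
         Channel            : 36

SSID 2 : HomeNet
    Network type            : Infrastructure
    Authentication          : WPA2-Personal
    Encryption              : CCMP
    BSSID 1                 : AA:BB:CC:DD:EE:FF
         Signal             : 60%
         Radio type         : 802.11n
         Channel            : 11
"""


@dataclass
class AccessPoint:
    ssid: str
    bssid: str       # the access point's MAC address; identifies the AP, not the client
    signal_pct: int  # netsh reports signal quality as a percentage
    channel: int

    @property
    def signal_dbm(self) -> int:
        # Assumed approximation: Windows maps 0% -> -100 dBm and 100% -> -50 dBm,
        # so dBm ~= pct / 2 - 100. Geolocation APIs expect dBm.
        return int(self.signal_pct / 2) - 100


SSID_RE = re.compile(r"^SSID \d+\s*:\s*(.*)$")
BSSID_RE = re.compile(r"^\s+BSSID \d+\s*:\s*([0-9a-fA-F:]{17})$")
SIGNAL_RE = re.compile(r"^\s+Signal\s*:\s*(\d+)%$")
CHANNEL_RE = re.compile(r"^\s+Channel\s*:\s*(\d+)$")


def parse_netsh(text: str) -> list[AccessPoint]:
    """Extract one AccessPoint per BSSID block from netsh output."""
    aps: list[AccessPoint] = []
    ssid = None
    cur: dict | None = None
    for line in text.splitlines():
        line = line.rstrip()
        if m := SSID_RE.match(line):
            ssid = m.group(1).strip()
        elif m := BSSID_RE.match(line):
            cur = {"ssid": ssid, "bssid": m.group(1).lower()}
        elif (m := SIGNAL_RE.match(line)) and cur is not None:
            cur["signal_pct"] = int(m.group(1))
        elif (m := CHANNEL_RE.match(line)) and cur is not None:
            cur["channel"] = int(m.group(1))
            aps.append(AccessPoint(**cur))  # Channel is the last field of a BSSID block
            cur = None
    return aps


def build_geolocation_request(aps: list[AccessPoint]) -> dict:
    """Build the JSON body for Google's Geolocation API
    (POST https://www.googleapis.com/geolocation/v1/geolocate?key=API_KEY).
    Nothing is sent; the dict is only constructed."""
    if len(aps) < 2:
        raise ValueError("Wi-Fi lookups need at least two access points")
    strongest_first = sorted(aps, key=lambda ap: ap.signal_dbm, reverse=True)
    return {
        "considerIp": False,  # locate by Wi-Fi only, not by the client's IP address
        "wifiAccessPoints": [
            {"macAddress": ap.bssid, "signalStrength": ap.signal_dbm, "channel": ap.channel}
            for ap in strongest_first
        ],
    }


if __name__ == "__main__":
    scan = parse_netsh(SAMPLE_NETSH_OUTPUT)
    print(json.dumps(build_geolocation_request(scan), indent=2))
```

Two things worth noting from running this. First, the SSID is never sent: the BSSIDs alone identify the access points, so a hidden or renamed network gives no protection. Second, randomizing the client's own MAC address does nothing here either, because every identifier in the request belongs to an access point, not to the device being located; the only effective mitigation on the device side is disabling the Wi-Fi radio.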

The operator then reconnects to the target system with the same tools that were used to install ELSA and retrieves the implant's log file. The retrieved data are decrypted and analyzed.

Source: InternetUA