> That feels like a bold claim to make without any references
"Marble Framework"[1], Wikileaks' Vault 7:
> Marble is used to hamper forensic investigators and anti-virus companies from attributing viruses, trojans and hacking attacks to the CIA. [...] The source code shows that Marble has test examples not just in English but also in Chinese, Russian, Korean, Arabic and Farsi. This would permit a forensic attribution double game, for example by pretending that the spoken language of the malware creator was not American English, but Chinese, but then showing attempts to conceal the use of Chinese, drawing forensic investigators even more strongly to the wrong conclusion
That's the description, but looking over the technical documents, it doesn't really correspond to what is claimed. From my reading it looks like it's a tool that replaces some of the strings at runtime? Why is this even needed? Wouldn't it be more straightforward to not use natural language strings at all, or swap it out at the preprocessor level?
* * *
[1] https://wikileaks.org/vault7/#Marble%20Framework