OutlawCountry Is CIA's Malware for Hacking Linux Systems
The leaked user manual — dated 04 June 2015 — details a kernel module for Linux 2.6 that allows CIA operatives to divert traffic from a Linux machine to a chosen destination.
Shell access and root privileges are needed to install OutlawCountry, meaning CIA operatives must compromise machines via other means before deploying this malware strain.
OutlawCountry redirects outgoing Internet trafficOutlawCountry uses the built-in packet filtering tools available in Linux, such as netfilter or iptables. An operative can
When loaded, the module creates a new netfilter table with an obscure name. The new table allows certain rules to be created using the “iptables” command. These rules take precedence over existing rules, and are only visible to an administrator if the table name is known. When the Operator removes the kernel module, the new table is also removed.
OutlawCountry v1.0 contains one kernel module for 64-bit CentOS/RHEL 6.x. This module will only work with default kernels. Also, OutlawCountry v1.0 only supports adding covert DNAT rules to the PREROUTING chain.
An effective tool for spying on Linux serversOutlawCountry can be used for both servers and regular desktops, as it allows a CIA operative to redirect the target's traffic to proxy servers under the CIA's control and sniff the user's Internet habits or mount other attacks.
Obviously, more damage can be done if OutlawCountry is installed on a server, allowing an operative to sniff traffic from many users at once.
The leaked OutlawCountry manual includes an MD5 hash for one of the kernel modules (nf_table_6_64.ko): 2CB8954A3E683477AA5A084964D4665D.
The default name for the hidden netfilter table is: dpxvke8h18.
Today's dump is part of a larger series called Vault 7 contains documents WikiLeaks claims were stolen from the CIA by hackers and insiders. You can follow the rest of our WikiLeaks Vault 7 coverage here. Below is a list of the most notable WikiLeaks "Vault 7" dumps: