OutlawCountry Is CIA's Malware for Hacking Linux Systems
The leaked user manual — dated 04 June 2015 — details a kernel module for Linux 2.6 that allows CIA operatives to divert traffic from a Linux machine to a chosen destination.
Shell access and root privileges are needed to install OutlawCountry, meaning CIA operatives must compromise machines via other means before deploying this malware strain.
OutlawCountry redirects outgoing Internet traffic
OutlawCountry uses the built-in packet filtering tools available in Linux, such as netfilter or iptables. An operative can
When loaded, the module creates a new netfilter table with an obscure name. The new table allows certain rules to be created using the “iptables” command. These rules take precedence over existing rules, and are only visible to an administrator if the table name is known. When the Operator removes the kernel module, the new table is also removed.
OutlawCountry v1.0 contains one kernel module for 64-bit CentOS/RHEL 6.x. This module will only work with default kernels. Also, OutlawCountry v1.0 only supports adding covert DNAT rules to the PREROUTING chain.
An effective tool for spying on Linux servers
OutlawCountry can be used for both servers and regular desktops, as it allows a CIA operative to redirect the target's traffic to proxy servers under the CIA's control and sniff the user's Internet habits or mount other attacks. Obviously, more damage can be done if OutlawCountry is installed on a server, allowing an operative to sniff traffic from many users at once.
The leaked OutlawCountry manual includes an MD5 hash for one of the kernel modules (nf_table_6_64.ko): 2CB8954A3E683477AA5A084964D4665D.
The default name for the hidden netfilter table is: dpxvke8h18.
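A defender-side check built from the two indicators above, added here as an example (not code from the manual or from this article): it flags netfilter tables beyond the stock set, a loaded module carrying the manual's module name, and an MD5 match against the published hash. It assumes the covert table is registered through the normal x_tables path and so shows up in /proc/net/ip_tables_names even though plain iptables listings never reveal it; the sample proc and lsmod text is constructed.

```python
import hashlib

# Tables a stock iptables setup registers; anything else deserves a look
# (assumption: the usual set on a CentOS/RHEL 6 kernel).
KNOWN_TABLES = {"filter", "nat", "mangle", "raw", "security"}

# Indicators quoted from the leaked manual.
OC_MODULE_MD5 = "2cb8954a3e683477aa5a084964d4665d"
OC_DEFAULT_TABLE = "dpxvke8h18"
OC_MODULE_NAME = "nf_table_6_64"

def unexpected_tables(ip_tables_names):
    """Table names from /proc/net/ip_tables_names outside the stock set.
    Assumes the covert table went through normal x_tables registration."""
    names = [ln.strip() for ln in ip_tables_names.splitlines() if ln.strip()]
    return [n for n in names if n not in KNOWN_TABLES]

def loaded_modules(lsmod_output):
    """Module names from `lsmod` output (first column, header line skipped)."""
    return [ln.split()[0] for ln in lsmod_output.splitlines()[1:] if ln.strip()]

def md5_hex(data):
    return hashlib.md5(data).hexdigest()

def matches_module_hash(data):
    """True if the bytes hash to the MD5 the manual gives for nf_table_6_64.ko."""
    return md5_hex(data) == OC_MODULE_MD5

def audit(ip_tables_names, lsmod_output):
    """Human-readable findings; an empty list means nothing matched."""
    findings = []
    for t in unexpected_tables(ip_tables_names):
        tag = " (OutlawCountry default name)" if t == OC_DEFAULT_TABLE else ""
        findings.append("unexpected netfilter table: %s%s" % (t, tag))
    for m in loaded_modules(lsmod_output):
        if m == OC_MODULE_NAME:
            findings.append("loaded module named as in the manual: %s" % m)
    return findings

# Constructed sample input standing in for a compromised host's proc/lsmod output.
SAMPLE_IP_TABLES_NAMES = "nat\nfilter\nmangle\ndpxvke8h18\n"
SAMPLE_LSMOD = ("Module                  Size  Used by\n"
                "nf_table_6_64          12345  0\n"
                "iptable_nat            13011  1\n"
                "nf_nat                 22759  1 iptable_nat\n")

if __name__ == "__main__":
    for finding in audit(SAMPLE_IP_TABLES_NAMES, SAMPLE_LSMOD):
        print(finding)
```

On a live host, feed the script the contents of /proc/net/ip_tables_names and the output of lsmod, and hash any unexpected .ko found under /lib/modules with matches_module_hash; a renamed table or rebuilt module will not match these indicators, so treat a clean result as one data point, not a clean bill of health.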
Today's dump is part of a larger series called Vault 7, which contains documents WikiLeaks claims were stolen from the CIA by hackers and insiders. You can follow the rest of our WikiLeaks Vault 7 coverage here. Below is a list of the most notable WikiLeaks "Vault 7" dumps:
• Weeping Angel - tool to hack Samsung smart TVs
• Fine Dining - a collection of fake, malware-laced apps
• Grasshopper - a builder for Windows malware
• DarkSeaSkies - tools for hacking iPhones and Macs
• Scribble - beaconing system for Office documents
• Archimedes - a tool for performing MitM attacks
• AfterMidnight and Assassin - malware frameworks for Windows
• Athena - a malware framework co-developed with a US company
• Pandemic - a tool for replacing legitimate files with malware
• CherryBlossom - a tool for hacking SOHO WiFi routers
• Brutal Kangaroo - a tool for hacking air-gapped networks
• ELSA - malware for geo-tracking Windows users