WikiLeaks has published a new batch of the ongoing Vault 7 leak, this time detailing a tool suite used by the CIA against Microsoft Windows that targets “closed networks by air gap jumping using thumb drives,” a setup mainly found in enterprises and critical infrastructure.
Air-gapped computers, isolated from the Internet and other external networks, are believed to be the most secure computers on the planet, yet they have become a regular target in recent years.
Dubbed Brutal Kangaroo (v1.2.1), the tool suite was allegedly designed by the Central Intelligence Agency (CIA) in 2012 to infiltrate a closed network or air-gapped computer within an organization or enterprise without requiring any direct access.
The previous version of Brutal Kangaroo was named EZCheese and exploited a vulnerability that remained a zero-day until March 2015; the newer version uses an “unknown link file vulnerability (Lachesis/RiverJack) related to the library-ms functionality of the operating system.”
Like most air-gapped malware techniques we reported on The Hacker News, this hacking tool first infects an Internet-connected computer within the target organization and then installs the Brutal Kangaroo malware on it.
Even if it is hard to reach an Internet-connected PC within the target organisation, the attackers can infect the personal computer of one of the organisation’s employees and then wait for that employee to insert a USB drive into it.
Now, as soon as a user (an employee of the organisation) inserts a USB stick into the infected computer, Shattered Assurance, a server-side tool, infects the USB drive with a separate malware called Drifting Deadline (also known as ‘Emotional Simian’ in the latest version).
The USB drive then infects its host with the help of a flaw in the Microsoft Windows operating system that can be exploited by hand-crafted link files (.lnk) to load and execute programs (DLLs) without user interaction.
“The .lnk file(s) must be viewed in windows explorer, and the tool will be auto-executed without any further input,” the manual says.
When the infected USB drive is used to share data with air-gapped computers, the malware spreads itself to those systems as well.
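The mechanism described above (a shortcut that is viewed in Explorer and loads a DLL, or a library-ms file that points somewhere it should not) suggests what a defender can look for on removable media before it is carried into a closed network. The following script is an added example written for this article; it is not code from the leaked documents or from The Hacker News. It is a heuristic triage tool, not a full Shell Link parser: it validates the .lnk header, pulls printable ASCII and UTF-16LE strings out of the file and flags references to DLLs, rundll32, Control Panel modules or UNC paths, and it flags .library-ms files whose search locations are UNC or HTTP URLs. The sample shortcut and library file it builds are constructed fixtures so the script runs offline; the `FLAG_*` constants are from the published Shell Link header layout, and the `\\fileserver-example\share` location is a made-up name.

```python
"""Heuristic scan of removable-media contents for link files that could
trigger code execution on view. Defensive triage only; the sample inputs
below are constructed fixtures, not artefacts from the leaked tool suite."""
import os
import re
import struct
import sys
import xml.etree.ElementTree as ET

LNK_HEADER_SIZE = 0x4C                      # HeaderSize field is always 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
FLAG_HAS_ARGUMENTS = 0x20                   # LinkFlags bits (Shell Link format)
FLAG_IS_UNICODE = 0x80

# Strings inside a shortcut that warrant a closer look on removable media
SUSPICIOUS = [
    (re.compile(r"\.dll\b", re.I), "names a DLL"),
    (re.compile(r"rundll32", re.I), "invokes rundll32"),
    (re.compile(r"\.cpl\b", re.I), "names a Control Panel module"),
    (re.compile(r"^\\\\[^\\]+\\"), "points at a UNC path"),
]

def lnk_flags(data):
    """Return the LinkFlags field if data starts with a Shell Link header, else None."""
    if len(data) < LNK_HEADER_SIZE:
        return None
    if struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        return None
    return struct.unpack_from("<I", data, 20)[0]

def extract_strings(data, min_len=4):
    """Collect printable ASCII and UTF-16LE runs; crude, but independent of .lnk structure."""
    found = set()
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.add(m.group().decode("ascii"))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.add(m.group().decode("utf-16-le"))
    return found

def assess_lnk(data):
    """Return a list of findings for a .lnk blob, or None if it is not a Shell Link."""
    flags = lnk_flags(data)
    if flags is None:
        return None
    findings = []
    for s in sorted(extract_strings(data)):
        for pat, why in SUSPICIOUS:
            if pat.search(s):
                findings.append(f"{why}: {s!r}")
    return findings

def assess_library_ms(text):
    """Flag a .library-ms file whose search locations are remote (UNC or HTTP)."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return ["not well-formed XML"]
    findings = []
    for elem in root.iter():                 # tags carry the library namespace
        if elem.tag == "url" or elem.tag.endswith("}url"):
            url = (elem.text or "").strip()
            if url.startswith("\\\\") or url.lower().startswith(("http://", "https://")):
                findings.append(f"remote library location: {url!r}")
    return findings

def scan_removable(root):
    """Walk a mounted drive and return {path: findings} for files worth reviewing."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if name.lower().endswith(".lnk"):
                    with open(path, "rb") as f:
                        hits = assess_lnk(f.read())
                elif name.lower().endswith(".library-ms"):
                    with open(path, "r", encoding="utf-8", errors="replace") as f:
                        hits = assess_library_ms(f.read())
                else:
                    continue
            except OSError:
                continue
            if hits:
                report[path] = hits
    return report

def build_sample_lnk(argument_text):
    """Constructed fixture: a valid 76-byte Shell Link header followed by a UTF-16LE
    string. It is not a complete shortcut and will not open in Explorer; it only
    exercises the heuristics offline."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
    header += struct.pack("<I", FLAG_HAS_ARGUMENTS | FLAG_IS_UNICODE)  # LinkFlags
    header += struct.pack("<I", 0)                                     # FileAttributes
    header += b"\x00" * 24                                             # three FILETIMEs
    header += struct.pack("<IIIHHII", 0, 0, 1, 0, 0, 0, 0)  # FileSize, IconIndex, ShowCommand, HotKey, Reserved1-3
    body = struct.pack("<H", len(argument_text)) + argument_text.encode("utf-16-le")
    return header + body

# Constructed fixture: a library whose only search location is a UNC share.
SAMPLE_LIBRARY_MS = """<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation><url>\\\\fileserver-example\\share</url></simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>"""

if __name__ == "__main__":
    if len(sys.argv) > 1:                    # e.g. python scan.py E:\
        for path, hits in scan_removable(sys.argv[1]).items():
            print(path, *hits, sep="\n  ")
    else:
        print(assess_lnk(build_sample_lnk("rundll32.exe staged.dll,Entry")))
        print(assess_library_ms(SAMPLE_LIBRARY_MS))
```

Run it against a mounted drive letter to get a report keyed by file path; with no arguments it runs on the constructed fixtures. The string-based heuristics will raise false positives on legitimate shortcuts to network shares, so the output is a review list for an analyst, not a verdict; the point is that a drive heading into a closed network can be checked for the file types this tool suite depends on before it is plugged in.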
“If multiple computers on the closed network are under CIA control, they form a covert network to coordinate tasks and data exchange. Although not explicitly stated in the documents, this method of compromising closed networks is very similar to how Stuxnet worked,” WikiLeaks said.
“Brutal Kangaroo components create a custom covert network within the target closed network and providing functionality for executing surveys, directory listings, and arbitrary executables,” a leaked CIA manual reads.
Source: The Hacker News