WikiLeaks has just published a new batch of the ongoing Vault 7 leak, this time detailing an alleged CIA project that allowed the agency to hack and remotely spy on computers running the Linux operating systems.
Dubbed OutlawCountry, the project allows the CIA hackers to redirect all outbound network traffic on the targeted computer to CIA controlled computer systems for exfiltrate and infiltrate data.
The OutlawCountry Linux hacking tool consists of a kernel module, which the CIA hackers load via shell access to the targeted system and create a hidden Netfilter table with an obscure name on a target Linux user.
“The new table allows certain rules to be created using the “iptables” command. These rules take precedence over existing rules, and are only visible to an administrator if the table name is known. When the Operator removes the kernel module, the new table is also removed,” CIA’s leaked user manual reads.
Although the installation and persistence method of the OutlawCountry tool is not described in detail in the document, it seems like the CIA hackers rely on the available CIA exploits and backdoors to inject the kernel module into a targeted Linux operating system.
However, there are some limitations to using the tool, such as the kernel modules only work with compatible Linux kernels.
“OutlawCountry v1.0 contains one kernel module for 64-bit CentOS/RHEL 6.x; this module will only work with default kernels. Also, OutlawCountry v1.0 only supports adding covert DNAT rules to the PREROUTING chain,” WikiLeaks says.
Source: The Hacking News