Wikileaks reveals Brutal Kangaroo for infecting air-gapped PCs with malware

Latest Vault 7 leak details Brutal Kangaroo attack

Wikileaks dumped more CIA documents from its Vault 7 trove, this time detailing a tool used to infect air-gapped PCs with malware.

According to the latest leak, Brutal Kangaroo is a tool suite for Microsoft Windows that targets closed networks by air gap jumping using thumb drives.

"Brutal Kangaroo components create a custom covert network within the target closed network and providing functionality for executing surveys, directory listings, and arbitrary executables," the organisation said.

Advertisement - Article continues below

According to Wikileaks, Brutal Kangaroo consists of: Drifting Deadline, which is a thumb drive infection tool; Shattered Assurance, which is a server tool that handles automated infection of thumb drives; and Broken Promise, which is Brutal Kangaroo's postprocessor to evaluate collected information. It also features a tool called Shadow, which is the primary persistence mechanism (a stage two tool that is distributed across a closed network and acts as a covert command-and-control network. 

"When a user is using the primary host and inserts a USB stick into it, the thumb drive itself is infected with a separate malware. If this thumb drive is used to copy data between the closed network and the LAN/WAN, the user will sooner or later plug the USB disk into a computer on the closed network," said Wikileaks.

Advertisement
Advertisement - Article continues below

"By browsing the USB drive with Windows Explorer on such a protected computer, it also gets infected with exfiltration/survey malware. If multiple computers on the closed network are under CIA control, they form a covert network to coordinate tasks and data exchange," claimed Wikileaks, adding that the method of compromising closed networks is similar to how the Stuxnet worm worked.

Advertisement - Article continues below

It said that the primary execution vector used by infected thumb drives is a vulnerability in the Microsoft Windows operating system that can be exploited by hand-crafted link files that load and execute programs (DLLs) without user interaction. 

"Older versions of the tool suite used a mechanism called EZCheese that was a zero-day exploit until March 2015; newer versions seem to use a similar, but yet unknown link file vulnerability (Lachesis/RiverJack) related to the library-ms functionality of the operating system," said Wikileaks. 

Luckily, several antivirus products are capable of detecting the malware. These include Avira, Bitdefender, and Symantec.

Advertisement

Recommended

Visit/security/cyber-security/355185/165-million-britons-experienced-a-cyber-crime-in-the-past-year
cyber security

Report: 16.5 million Britons fell victim to cyber crime in the past year

1 Apr 2020
Visit/cloud/amazon-web-services-aws/355183/aws-launches-amazon-detective
Amazon Web Services (AWS)

AWS launches Amazon Detective for investigating security incidents

1 Apr 2020
Visit/security/privacy/355182/government-to-launch-coronavirus-contact-tracking-app
privacy

UK government to launch coronavirus 'contact tracking' app

1 Apr 2020
Visit/software/video-conferencing/355180/zoom-does-not-use-end-to-end-encrypted
video conferencing

Zoom admits meetings don't use end-to-end encryption

1 Apr 2020

Most Popular

Visit/security/privacy/355211/google-releases-location-data-to-showcase-effectiveness-of-coronavirus
privacy

Google releases location data to show effectiveness of coronavirus lockdowns

3 Apr 2020
Visit/data-insights/data-management/355170/oracle-cloud-courses-are-free-during-coronavirus-lockdown
data management

Oracle cloud courses are free during coronavirus lockdown

31 Mar 2020
Visit/software/355113/companies-offering-free-software-to-fight-covid-19
Software

These are the companies offering free software during the coronavirus crisis

2 Apr 2020