Wikileaks reveals Brutal Kangaroo for infecting air-gapped PCs with malware

Latest Vault 7 leak details Brutal Kangaroo attack

Wikileaks dumped more CIA documents from its Vault 7 trove, this time detailing a tool used to infect air-gapped PCs with malware.

According to the latest leak, Brutal Kangaroo is a tool suite for Microsoft Windows that targets closed networks by air gap jumping using thumb drives.

"Brutal Kangaroo components create a custom covert network within the target closed network and providing functionality for executing surveys, directory listings, and arbitrary executables," the organisation said.

According to Wikileaks, Brutal Kangaroo consists of: Drifting Deadline, which is a thumb drive infection tool; Shattered Assurance, which is a server tool that handles automated infection of thumb drives; and Broken Promise, which is Brutal Kangaroo's postprocessor to evaluate collected information. It also features a tool called Shadow, which is the primary persistence mechanism (a stage two tool that is distributed across a closed network and acts as a covert command-and-control network. 

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

"When a user is using the primary host and inserts a USB stick into it, the thumb drive itself is infected with a separate malware. If this thumb drive is used to copy data between the closed network and the LAN/WAN, the user will sooner or later plug the USB disk into a computer on the closed network," said Wikileaks.

"By browsing the USB drive with Windows Explorer on such a protected computer, it also gets infected with exfiltration/survey malware. If multiple computers on the closed network are under CIA control, they form a covert network to coordinate tasks and data exchange," claimed Wikileaks, adding that the method of compromising closed networks is similar to how the Stuxnet worm worked.

It said that the primary execution vector used by infected thumb drives is a vulnerability in the Microsoft Windows operating system that can be exploited by hand-crafted link files that load and execute programs (DLLs) without user interaction. 

"Older versions of the tool suite used a mechanism called EZCheese that was a zero-day exploit until March 2015; newer versions seem to use a similar, but yet unknown link file vulnerability (Lachesis/RiverJack) related to the library-ms functionality of the operating system," said Wikileaks. 

Luckily, several antivirus products are capable of detecting the malware. These include Avira, Bitdefender, and Symantec.

Featured Resources

How inkjet can transform your business

Get more out of your business by investing in the right printing technology

Download now

Journey to a modern workplace with Office 365: which tools and when?

A guide to how Office 365 builds a modern workplace

Download now

Modernise and transform your sales organisation

Learn how a modernised sales process can drive your business

Download now

Your guide to managing cloud transformation risk

Realise the benefits. Mitigate the risks

Download now
Advertisement

Recommended

Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/mobile/28299/how-to-use-chromecast-without-wi-fi
Mobile

How to use Chromecast without Wi-Fi

5 Feb 2020
Visit/security/34616/the-top-ten-password-cracking-techniques-used-by-hackers
Security

The top ten password-cracking techniques used by hackers

10 Feb 2020
Visit/operating-systems/microsoft-windows/354739/windows-7-bug-blocks-users-from-shutting-down-their-pcs
Microsoft Windows

Windows 7 bug blocks users from shutting down their PCs

10 Feb 2020
Visit/hardware/354723/coronavirus-starts-to-take-its-toll-on-the-tech-industry
Hardware

Coronavirus starts to take its toll on the tech industry

6 Feb 2020