Wikileaks dumps info on ‘Brutal Kangaroo’, the CIA’s malware toolkit for hacking ‘air-gapped’ networks

CIA’s Brutal Kangaroo malware suite likened to Stuxnet

Wikileaks has revealed yet more information about the CIA’s trove of malware tools, this time revealing how it takes on ‘air-gapped’ networks – computers and networks deliberately kept disconnected from the internet for security reasons.

“Brutal Kangaroo is a tool suite for Microsoft Windows that targets closed networks by air gap jumping using thumbdrives. Brutal Kangaroo components create a custom covert network within the target closed network and providing functionality for executing surveys, directory listings, and arbitrary executables,” according to Wikileaks’ analysis of the CIA manuals.

The malware suite enables CIA operatives to put together attacks using ‘Drifting Deadline’, a GUI-based builder, while ‘Shattered Assurance’ provides the server component, which runs on infected hosts. ‘Shadow’ is a tool that enables operatives to define the tasks they want to undertake on the offline computers, while ‘Broken Promise’ is intended to exfiltrate the data.

Brutal Kangaroo, meanwhile, is also the name given to the malware component that sits on the targeted closed network or computer.

“When a user is using the primary host and inserts a USB stick into it, the thumbdrive itself is infected with a separate malware. If this thumbdrive is used to copy data between the closed network and the LAN/WAN, the user will sooner or later plug the USB disk into a computer on the closed network.

“By browsing the USB drive with Windows Explorer on such a protected computer, it also gets infected with exfiltration/survey malware. If multiple computers on the closed network are under CIA control, they form a covert network to coordinate tasks and data exchange,” claims Wikileaks, adding that the method of compromising closed networks is similar to how the Stuxnet worm worked.

Stuxnet, of course, was the industrial malware that targeted the computers of scientists working in the Iranian nuclear programme, and which accidentally spread much further than intended.

Naturally, the malware exploits vulnerabilities in the Windows operating system in order to auto-execute when the USB stick is plugged in to the targeted computers. Windows 95/98 and Windows XP would automatically run programs from an inserted USB stick, but this glaring security hole has long been closed.

The Brutal Kangaroo malware suite, though, uses “hand-crafted link files that load and execute programs (DLLs) without user interaction”. After one of the flaws was patched in March 2015, the exploit was simply adapted to get around the fix.
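A defender-side illustration of the link-file mechanism described above, added here as an example rather than code from the article or the leaked toolkit: a small triage parser for Windows Shell Link (.lnk) files, following the public MS-SHLLINK layout, that flags links whose icon, target or arguments reference a DLL or Control Panel module outside the Windows directory. The sample link files it parses are constructed inline; `build_sample_lnk`, `parse_lnk` and `dll_indicators` are this example's own names.

```python
# Added example, not from the article or the leaked toolkit: a triage parser for
# Windows Shell Link (.lnk) files using the public MS-SHLLINK layout. It flags
# links whose icon, target or arguments reference a DLL/CPL module outside the
# Windows directory, which Explorer may load while merely rendering a folder.
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData sections in file order, each with the LinkFlags bit that enables it
STRING_FIELDS = [("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                 ("arguments", 0x20), ("icon_location", 0x40)]
TRUSTED_PREFIXES = ("%systemroot%", "c:\\windows\\")   # DLL references here are routine

def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags plus whichever StringData fields the .lnk carries."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                      # ShellLinkHeader is a fixed 76 bytes
    if flags & HAS_IDLIST:        # IDListSize (2 bytes) then the IDList itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:      # LinkInfoSize counts the whole LinkInfo block
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    fields = {"flags": flags}
    for name, bit in STRING_FIELDS:
        if flags & bit:           # CountCharacters (2 bytes), then the characters
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    return fields

def dll_indicators(fields: dict) -> list:
    """Fields naming a .dll/.cpl that does not live under the Windows directory."""
    hits = []
    for name in ("relative_path", "arguments", "icon_location"):
        value = fields.get(name, "").lower()
        if (".dll" in value or ".cpl" in value) and not value.startswith(TRUSTED_PREFIXES):
            hits.append(name)
    return hits

def build_sample_lnk(relative_path: str, arguments: str, icon_location: str) -> bytes:
    """Constructed test input: a minimal Unicode .lnk carrying three StringData fields."""
    flags = 0x08 | 0x20 | 0x40 | IS_UNICODE
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags) + bytes(52)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments, icon_location))
    return header + body
```

Run `dll_indicators(parse_lnk(open(path, "rb").read()))` over every .lnk on a removable drive to get a quick list of links worth a closer look; an empty list is not a clean bill of health, since the heuristic only inspects string fields, not the ID list or extra-data blocks.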

A number of anti-virus and security software vendors claim to be able to detect at least some of the CIA tools. These include packages from Avira, BitDefender and Symantec.
