OutlawCountry Is CIA’s Malware for Hacking Linux Systems


Vault 7

WikiLeaks today published a user manual describing another CIA malware strain. Called OutlawCountry, it is designed for Linux operating systems.

The leaked user manual — dated 04 June 2015 — details a kernel module for Linux 2.6 that allows CIA operatives to divert traffic from a Linux machine to a chosen destination.

Shell access and root privileges are needed to install OutlawCountry, meaning CIA operatives must compromise machines via other means before deploying this malware strain.

OutlawCountry redirects outgoing Internet traffic

OutlawCountry does not bring its own packet-filtering engine. It piggybacks on netfilter, the packet-filtering framework built into the Linux kernel, which administrators normally configure with the iptables command. An operative can

When loaded, the module creates a new netfilter table with an obscure name. The new table allows certain rules to be created using the “iptables” command. These rules take precedence over existing rules, and are only visible to an administrator if the table name is known. When the Operator removes the kernel module, the new table is also removed.

OutlawCountry v1.0 contains one kernel module for 64-bit CentOS/RHEL 6.x. This module will only work with default kernels. Also, OutlawCountry v1.0 only supports adding covert DNAT rules to the PREROUTING chain (destination NAT rewrites a packet's destination address before the kernel routes it, which is how the traffic is diverted).
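The manual's claim that the covert table is "only visible to an administrator if the table name is known" holds for a casual "iptables -L", but not for the kernel's own bookkeeping: every table registered with ip_tables, whatever its name, is listed in /proc/net/ip_tables_names, and a loaded module shows up in lsmod regardless of where its .ko file was loaded from. The triage script below is an added example written for this article, not code from the leaked manual or from the tool it describes. The baseline list of legitimate table names, the function names and the constructed sample inputs are assumptions made for the example; the MD5 value is the one the manual gives for nf_table_6_64.ko.

```shell
#!/bin/sh
# Added example (not from the leaked manual): find an OutlawCountry-style
# covert netfilter table without knowing its name, then dump its rules.
# Assumptions: the KNOWN_TABLES baseline and the helper names are ours.

# Tables a stock RHEL/CentOS 6 kernel registers on its own; anything else is suspect.
KNOWN_TABLES="filter nat mangle raw security"

# MD5 the manual lists for nf_table_6_64.ko, lower-cased for comparison.
IOC_MD5="2cb8954a3e683477aa5a084964d4665d"

# unexpected_tables [FILE]: print registered table names not in KNOWN_TABLES.
# FILE defaults to the live /proc entry; a path argument allows offline tests.
unexpected_tables() {
    names_file="${1:-/proc/net/ip_tables_names}"
    [ -r "$names_file" ] || return 1
    while IFS= read -r tbl; do
        [ -n "$tbl" ] || continue
        case " $KNOWN_TABLES " in
            *" $tbl "*) ;;                 # part of the baseline, ignore
            *) printf '%s\n' "$tbl" ;;     # unknown table: report it
        esac
    done < "$names_file"
}

# hash_is_ioc HASH: exit 0 if HASH (either case) equals the manual's MD5 IOC.
hash_is_ioc() {
    h=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    [ "$h" = "$IOC_MD5" ]
}

# hash_modules DIR: print "MD5  path" for every .ko under DIR matching the IOC.
# Weaker than the /proc check: an operator can insmod a module from any path
# and delete the file afterwards, so an empty result proves nothing.
hash_modules() {
    find "$1" -name '*.ko' -type f 2>/dev/null | while IFS= read -r ko; do
        sum=$(md5sum "$ko" | cut -d' ' -f1)
        hash_is_ioc "$sum" && printf '%s  %s\n' "$sum" "$ko"
    done
}

# Live triage: run as "sh check.sh --live" (as root) on the host under review.
# Nothing below runs when the file is sourced or executed without that flag.
if [ "${1:-}" = "--live" ]; then
    echo "== netfilter tables outside the baseline =="
    unexpected_tables | while IFS= read -r tbl; do
        echo "table: $tbl"
        # The name is known now, so the covert rules can be listed directly.
        iptables -t "$tbl" -S 2>/dev/null
    done
    echo "== loaded kernel modules (look for names you cannot account for) =="
    lsmod
    echo "== module files under /lib/modules matching the manual's MD5 =="
    hash_modules "/lib/modules/$(uname -r)"
fi
```

Because the module also deletes its table when unloaded, take the /proc listing and the iptables dump before touching the module; once it is removed, the rules are gone with it.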

An effective tool for spying on Linux servers

OutlawCountry can in principle be used against both servers and desktops, since it lets a CIA operative redirect the target's traffic to proxy servers under CIA control, where the user's Internet activity can be observed or further attacks staged. In practice, v1.0 ships a single module for 64-bit CentOS/RHEL 6.x running the stock kernel, which points squarely at servers.

Obviously, more damage can be done if OutlawCountry is installed on a server, allowing an operative to sniff traffic from many users at once.

The leaked OutlawCountry manual includes an MD5 hash for one of the kernel modules (nf_table_6_64.ko): 2CB8954A3E683477AA5A084964D4665D.

The default name for the hidden netfilter table is: dpxvke8h18.

Today’s dump is part of a larger series called Vault 7, which contains documents WikiLeaks claims were stolen from the CIA by hackers and insiders. You can follow the rest of our WikiLeaks Vault 7 coverage here. Below is a list of the most notable WikiLeaks “Vault 7” dumps:

ᗙ Weeping Angel – tool to hack Samsung smart TVs
ᗙ Fine Dining – a collection of fake, malware-laced apps
ᗙ Grasshopper – a builder for Windows malware
ᗙ DarkSeaSkies – tools for hacking iPhones and Macs
ᗙ Scribble – beaconing system for Office documents
ᗙ Archimedes – a tool for performing MitM attacks
ᗙ AfterMidnight and Assassin – malware frameworks for Windows
ᗙ Athena – a malware framework co-developed with a US company
ᗙ Pandemic – a tool for replacing legitimate files with malware
ᗙ CherryBlossom – a tool for hacking SOHO WiFi routers
ᗙ Brutal Kangaroo – a tool for hacking air-gapped networks
ᗙ ELSA – malware for geo-tracking Windows users
