OutlawCountry Is CIA’s Malware for Hacking Linux Systems

1 Jul - by Pax_tan - In News


WikiLeaks dumped today a manual describing a new CIA malware strain. Called OutlawCountry, this is malware designed for Linux operating systems.


The leaked user manual — dated 04 June 2015 — details a kernel module for Linux 2.6 that allows CIA operatives to divert traffic from a Linux machine to a chosen destination.

Shell access and root privileges are needed to install OutlawCountry, meaning CIA operatives must compromise machines via other means before deploying this malware strain.

OutlawCountry redirects outgoing Internet traffic

OutlawCountry uses the built-in packet filtering tools available in Linux, such as netfilter or iptables. An operative can

When loaded, the module creates a new netfilter table with an obscure name. The new table allows certain rules to be created using the “iptables” command. These rules take precedence over existing rules, and are only visible to an administrator if the table name is known. When the Operator removes the kernel module, the new table is also removed.

OutlawCountry v1.0 contains one kernel module for 64-bit CentOS/RHEL 6.x. This module will only work with default kernels. Also, OutlawCountry v1.0 only supports adding covert DNAT rules to the PREROUTING chain.


An effective tool for spying on Linux servers

OutlawCountry can be used for both servers and regular desktops, as it allows a CIA operative to redirect the target's traffic to proxy servers under the CIA's control and sniff the user's Internet habits or mount other attacks.

Obviously, more damage can be done if OutlawCountry is installed on a server, allowing an operative to sniff traffic from many users at once.

The leaked OutlawCountry manual includes an MD5 hash for one of the kernel modules (nf_table_6_64.ko): 2CB8954A3E683477AA5A084964D4665D.

The default name for the hidden netfilter table is: dpxvke8h18.
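The two indicators above (the default table name and the module hash), together with the behaviour described in the manual excerpt (a non-default netfilter table that ordinary `iptables -L` does not show unless it is named), give a defender something concrete to look for. The script below is an added example written for this page, not code from the article or from the leaked manual. It assumes that the hidden table still registers with the ip_tables core and therefore appears in `/proc/net/ip_tables_names`, that the set of tables on a stock kernel is `filter nat mangle raw security`, and that the module keeps the file name `nf_table_6_64.ko` quoted in the article; the module name used for the `lsmod` check is derived from that file name and is likewise an assumption.

```shell
#!/bin/sh
# Defensive checks for the OutlawCountry indicators published in the article.
# Added example, not from the leaked manual. Indicators taken from the page:
KNOWN_TABLE="dpxvke8h18"                              # default hidden table name
KNOWN_MODULE_MD5="2cb8954a3e683477aa5a084964d4665d"   # MD5 of nf_table_6_64.ko
KNOWN_MODULE_NAME="nf_table_6_64"                     # assumed from the .ko file name

# Assumption: these are the only tables a stock kernel registers.
EXPECTED_TABLES="filter nat mangle raw security"

# unexpected_tables: reads table names, one per line (the format of
# /proc/net/ip_tables_names), from stdin and prints any not in EXPECTED_TABLES.
unexpected_tables() {
  while IFS= read -r name; do
    if [ -n "$name" ]; then
      case " $EXPECTED_TABLES " in
        *" $name "*) : ;;                 # known table, ignore
        *) printf '%s\n' "$name" ;;       # anything else is worth a look
      esac
    fi
  done
}

# match_module_hash: reads "md5  path" lines (md5sum output) from stdin and
# prints the path of every file whose hash equals the known module hash.
match_module_hash() {
  while read -r sum path; do
    if [ -n "$sum" ]; then
      lower=$(printf '%s' "$sum" | tr 'A-Z' 'a-z')
      if [ "$lower" = "$KNOWN_MODULE_MD5" ]; then
        printf '%s\n' "$path"
      fi
    fi
  done
}

# scan_live: run the checks against the current host. Most of it needs root.
# Prints findings and returns 1 if anything matched, 0 otherwise.
scan_live() {
  status=0

  # 1. Any netfilter table beyond the defaults? The hidden table is only
  #    shown by iptables when named, but the kernel still lists it here
  #    (assumption, see lead-in).
  if [ -r /proc/net/ip_tables_names ]; then
    extra=$(unexpected_tables < /proc/net/ip_tables_names)
    if [ -n "$extra" ]; then
      printf 'Non-default netfilter table(s): %s\n' "$extra"
      status=1
    fi
  else
    echo 'cannot read /proc/net/ip_tables_names (run as root)' >&2
  fi

  # 2. Ask iptables for the known default table name directly; the command
  #    fails if no such table is registered.
  if iptables -t "$KNOWN_TABLE" -S >/dev/null 2>&1; then
    printf 'Table %s exists; rules:\n' "$KNOWN_TABLE"
    iptables -t "$KNOWN_TABLE" -S
    status=1
  fi

  # 3. Is a module with the assumed name loaded?
  if lsmod 2>/dev/null | grep -q "^$KNOWN_MODULE_NAME "; then
    printf 'kernel module %s is loaded\n' "$KNOWN_MODULE_NAME"
    status=1
  fi

  # 4. Hash every .ko on disk in a few likely locations against the published MD5.
  hits=$(find /lib/modules /tmp /var/tmp /root -type f -name '*.ko' \
           -exec md5sum {} + 2>/dev/null | match_module_hash)
  if [ -n "$hits" ]; then
    printf 'file(s) matching the published module hash: %s\n' "$hits"
    status=1
  fi

  return "$status"
}

# Usage: sh outlawcountry_check.sh --live   (as root)
case "${1:-}" in
  --live) scan_live ;;
esac
```

The table check is the one most likely to survive a renamed module: an operator can change the table name (the article only gives the default), but any table outside the stock set on a default CentOS/RHEL 6 kernel still stands out, and the DNAT rules it carries can then be listed with `iptables -t <name> -S`.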

Today's dump is part of a larger series called Vault 7, which contains documents WikiLeaks claims were stolen from the CIA by hackers and insiders. You can follow the rest of our WikiLeaks Vault 7 coverage here. Below is a list of the most notable WikiLeaks "Vault 7" dumps:
