WikiLeaks has released a new batch of documents from the Vault 7 leak that details a CIA tool, dubbed OutlawCountry, used by the agency to remotely spy on computers running Linux operating systems.
According to the documentation leaked by WikiLeaks, the OutlawCountry tool was designed to redirect all outbound network traffic on the targeted computer to CIA controlled systems for exfiltrate and infiltrate data.
The OutlawCountry Linux hacking tool consists of a kernel module for Linux 2.6 that CIA hackers load via shell access to the targeted system.
The principal limitation of the tool is that the kernel modules only work with compatible Linux kernel below the list of prerequisites included in the documentation:
The module allows the creation of a hidden Netfilter table with an obscure name on a target Linux user.
” The OutlawCountry tool consists of a kernel module for Linux 2.6. The Operator loads the module via shell access to the target. When loaded, the module creates a new netfilter table with an obscure name. The new table allows certain rules to be created using the “iptables” command. These rules take precedence over existing rules, and are only visible to an administrator if the table name is known.” reads the OutlawCountry User Manual. “When the Operator removes the kernel module, the new table is also removed.”
In the following diagram, the CIA operator loads OutlawCountry on the target (TARG_1), then he may add hidden iptables rules to modify network traffic between the WEST and EAST networks. For example, packets that should be routed from WEST_2 to EAST_3 may be redirected to EAST_4.
“(S//NF) OutlawCountry v1.0 contains one kernel module for 64-bit CentOS/RHEL 6.x.
This module will only work with default kernels. Also, OutlawCountry v1.0 only
supports adding covert DNAT rules to the PREROUTING chain.” continues the manual leaked by WikiLeaks.
A few days ago WikiLeaks has published a document detailing a tool allegedly used by the U.S. CIA to track people’s locations via their WiFi-enabled devices.
The malware codenamed Elsa implements geolocation feature, it scans visible WiFi access points and records their details, such as the ESS identifier, MAC address and signal strength at regular intervals.
Below the list of release published by Wikileaks since March:
(Security Affairs – OutlawCountry malware, CIA)