Brutal Kangaroo is the CIA tool suite for hacking Air-Gapped Networks

Pierluigi Paganini June 22, 2017

WikiLeaks has published a new batch of Vault 7 documents that detail the Brutal Kangaroo tool suite for hacking air-gapped networks.

WikiLeaks has published a new batch of documents belonging to the Vault 7 leak; the latest archive includes the documentation for a tool suite dubbed Brutal Kangaroo, used by the CIA against Microsoft Windows machines on air-gapped networks.

Air-gapped networks are physically separated from the Internet for security reasons and are mainly deployed in high-security environments and critical infrastructure.

“Today, June 22nd 2017, WikiLeaks publishes documents from the Brutal Kangaroo project of the CIA. Brutal Kangaroo is a tool suite for Microsoft Windows that targets closed networks by air gap jumping using thumbdrives.” states WikiLeaks. “Brutal Kangaroo components create a custom covert network within the target closed network and providing functionality for executing surveys, directory listings, and arbitrary executables.”

WikiLeaks released the documentation for Brutal Kangaroo v1.2.1, which dates back to 2012.
A previous version of Brutal Kangaroo was code-named EZCheese and, according to the documentation, it exploited a vulnerability discovered in March 2015.

The Brutal Kangaroo tool suite is composed of the following components:

  • Drifting Deadline is the thumbdrive infection tool;
  • Shattered Assurance is a server tool that handles automated infection of thumbdrives;
  • Broken Promise is the Brutal Kangaroo postprocessor system used to analyze collected information;
  • Shadow is the primary persistence mechanism (a stage 2 tool that is distributed across a closed network and acts as a covert command-and-control network; once multiple Shadow instances are installed and share drives, tasking, and payloads can be sent back-and-forth).

According to the documents, CIA operators can infiltrate a closed network within an organization or enterprise without direct access; the attack chain starts by infecting an Internet-connected machine within the organization. When a user plugs a USB stick into the infected machine, the thumbdrive itself is infected with a separate malware called Drifting Deadline (also known as ‘Emotional Simian’ in the latest version), which can propagate within the closed network every time a user inserts the USB stick into one of its computers.

“The documents describe how a CIA operation can infiltrate a closed network (or a single air-gapped computer) within an organization or enterprise without direct access. It first infects an Internet-connected computer within the organization (referred to as “primary host”) and installs the BrutalKangaroo malware on it. When a user is using the primary host and inserts a USB stick into it, the thumbdrive itself is infected with a separate malware. If this thumbdrive is used to copy data between the closed network and the LAN/WAN, the user will sooner or later plug the USB disk into a computer on the closed network. By browsing the USB drive with Windows Explorer on such a protected computer, it also gets infected with exfiltration/survey malware.” continues WikiLeaks.

“The primary execution vector used by infected thumbdrives is a vulnerability in the Microsoft Windows operating system that can be exploited by hand-crafted link files that load and execute programs (DLLs) without user interaction. Older versions of the tool suite used a mechanism called EZCheese that was a 0-day exploit until March 2015; newer versions seem to use a similar, but yet unknown link file vulnerability (Lachesis/RiverJack) related to the library-ms functionality of the operating system.”
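The execution vector described above is a shortcut file that makes Explorer load a DLL rather than open a document. As an added defender-side example (not CIA or WikiLeaks code, and assuming only the standard MS-SHLLINK layout), the following Python reads the StringData fields of a .lnk and flags the patterns a triage of removable media would look for, such as an icon path pointing at a DLL that ships on the same drive; the two sample links are constructed inline.

```python
import struct
# Minimal reader for the Windows Shell Link (.lnk) format (MS-SHLLINK): the 76-byte
# header plus StringData; optional IDList/LinkInfo blocks are skipped by their sizes.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = (("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                 ("arguments", 0x20), ("icon_location", 0x40))  # on-disk order

def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags and whichever StringData fields the link carries."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_ID_LIST:    # uint16 IDListSize precedes the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # uint32 LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields, width = {"flags": flags}, 2 if flags & IS_UNICODE else 1
    for name, bit in STRING_FIELDS:
        if flags & bit:        # uint16 CountCharacters, then the characters
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
            pos += 2 + count * width
    return fields

def triage_lnk(data: bytes) -> list:
    """Reasons a shortcut looks built to load a DLL rather than open a document."""
    f = parse_lnk(data)
    icon, args, rel = (f.get(k, "").lower() for k in ("icon_location", "arguments", "relative_path"))
    reasons = []
    if icon.endswith(".dll") and not icon.startswith(("%systemroot%", "c:\\windows")):
        reasons.append("icon rendered from a DLL outside the Windows directory")
    if "rundll32" in rel + args or "regsvr32" in rel + args:
        reasons.append("target or arguments invoke a DLL loader")
    return reasons

def build_lnk(flags: int, **strings: str) -> bytes:
    """Constructed test input: a Unicode .lnk holding only a header and StringData."""
    head = b"\x4c\x00\x00\x00" + LNK_CLSID + struct.pack("<I", flags | IS_UNICODE)
    body = b"".join(struct.pack("<H", len(strings[n])) + strings[n].encode("utf-16-le")
                    for n, bit in STRING_FIELDS if flags & bit)
    return head + bytes(76 - len(head)) + body

# Constructed samples: a USB shortcut that loads a DLL next to it, and a document shortcut.
DLL_LOADER_LNK = build_lnk(0x08 | 0x20 | 0x40, relative_path="rundll32.exe",
                           arguments="E:\\photos\\thumbs.dll,Entry", icon_location="E:\\photos\\thumbs.dll")
DOC_LNK = build_lnk(0x08 | 0x40, relative_path="..\\report.docx",
                    icon_location="%SystemRoot%\\system32\\shell32.dll")
```

Shortcuts that carry an IDList or LinkInfo block are handled by skipping those blocks, so real links copied off a drive can be fed to triage_lnk unchanged.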

Once the malware has spread across the air-gapped network, the infected computers form a covert network that coordinates the attackers’ tasking and data exchange.

“If multiple computers on the closed network are under CIA control, they form a covert network to coordinate tasks and data exchange. Although not explicitly stated in the documents, this method of compromising closed networks is very similar to how Stuxnet worked,” WikiLeaks said.

“Brutal Kangaroo components create a custom covert network within the target closed network and providing functionality for executing surveys, directory listings, and arbitrary executables,” a leaked CIA manual reads.


Below is the list of Vault 7 batches released by WikiLeaks since March:


Pierluigi Paganini

(Security Affairs – Wikileaks, Brutal Kangaroo)
