Wikileaks – CIA developed OutlawCountry Malware to hack Linux systems

Pierluigi Paganini July 01, 2017

WikiLeaks released a new batch of documents that detail the CIA tool OutlawCountry used to remotely spy on computers running Linux operating systems.

WikiLeaks has released a new batch of documents from the Vault 7 leak that details a CIA tool, dubbed OutlawCountry, used by the agency to remotely spy on computers running Linux operating systems.

According to the documentation leaked by WikiLeaks, the OutlawCountry tool was designed to redirect all outbound network traffic on the targeted computer to CIA controlled systems for exfiltrate and infiltrate data.

The OutlawCountry Linux hacking tool consists of a kernel module for Linux 2.6 that CIA hackers load via shell access to the targeted system.

The principal limitation of the tool is that the kernel modules only work with compatible Linux kernel below the list of prerequisites included in the documentation:

  • (S//NF) The target must be running a compatible 64-bit version of CentOS/RHEL 6.x
    (kernel version 2.6.32).
  • (S//NF) The Operator must have shell access to the target.
  • (S//NF) The target must have a “nat” netfilter table

The module allows the creation of a hidden Netfilter table with an obscure name on a target Linux user.

” The OutlawCountry tool consists of a kernel module for Linux 2.6. The Operator loads the module via shell access to the target. When loaded, the module creates a new netfilter table with an obscure name. The new table allows certain rules to be created using the “iptables” command. These rules take precedence over existing rules, and are only visible to an administrator if the table name is known.” reads the OutlawCountry User Manual. “When the Operator removes the kernel module, the new table is also removed.”

In the following diagram, the CIA operator loads OutlawCountry on the target (TARG_1), then he may add hidden iptables rules to modify network traffic between the WEST and EAST networks. For example, packets that should be routed from WEST_2 to EAST_3 may be redirected to EAST_4.

The manual doesn’t include information related to the way the attacker injects the kernel module in the targeted Linux OS. It is likely, the cyber spies leverage multiple hacking tools and exploits in its arsenal to compromise the target running the Linux operating system.
The OutlawCountry contains just one kernel module for 64-bit CentOS/RHEL 6.x that makes possible injection only in default Linux kernel.

“(S//NF) OutlawCountry v1.0 contains one kernel module for 64-bit CentOS/RHEL 6.x.
This module will only work with default kernels. Also, OutlawCountry v1.0 only
supports adding covert DNAT rules to the PREROUTING chain.” continues the manual leaked by WikiLeaks.

A few days ago WikiLeaks has published a document detailing a tool allegedly used by the U.S. CIA to track people’s locations via their WiFi-enabled devices.

The malware codenamed Elsa implements geolocation feature, it scans visible WiFi access points and records their details, such as the ESS identifier, MAC address and signal strength at regular intervals.

Below the list of release published by Wikileaks since March:

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – OutlawCountry  malware, CIA)

[adrotate banner=”13″]



you might also like

leave a comment