Category Archives: Linux

Quick Reference Resource: WikiLeaks CIA Vault7 Leak #14 – OutlawCountry

The OutlawCountry Linux hacking tool consists of a kernel module, which the CIA hackers load via shell access to the targeted system and create a hidden Netfilter table with an obscure name on a target Linux user. The OutlawCountry project allows the CIA hackers to redirect all outbound network traffic on the targeted computer to CIA controlled computer systems for exfiltrate and infiltrate data. *

Although the installation and persistence method of the OutlawCountry tool is not described in detail in the document, it seems like the CIA hackers rely on the available CIA exploits and backdoors to inject the kernel module into a targeted Linux operating system. However, there are some limitations to using the tool, such as the kernel modules only work with compatible Linux kernels. **

The 30th June 2017 WikiLeaks release overview:

“Today, June 30th 2017, WikiLeaks publishes documents from the OutlawCountry project of the CIA that targets computers running the Linux operating system. OutlawCountry allows for the redirection of all outbound network traffic on the target computer to CIA controlled machines for ex- and infiltration purposes. The malware consists of a kernel module that creates a hidden netfilter table on a Linux target; with knowledge of the table name, an operator can create rules that take precedence over existing netfilter/iptables rules and are concealed from an user or even system administrator. The installation and persistence method of the malware is not described in detail in the document; an operator will have to rely on the available CIA exploits and backdoors to inject the kernel module into a target operating system. OutlawCountry v1.0 contains one kernel module for 64-bit CentOS/RHEL 6.x; this module will only work with default kernels. Also, OutlawCountry v1.0 only supports adding covert DNAT rules to the PREROUTING chain.

Two documents were also published alongside this release:

OutlawCountry v1.0 User Manual

OutlawCountry v1.0 Test Plan

Previous and subsequent Vault 7 WikiLeaks dumps #1 – #13 and #15 – #17 synopses are available on WikiLeaks and analysis of OutlawCountry at The Hacker News.

ENDS

Edited Image courtesy of The Hacker News – Twitter @TheHackersNews

* Content courtesy of The Hacker News – Twitter @TheHackersNews

** Content courtesy of The Hacker News – Twitter @TheHackersNews

Quick Reference Resource: WikiLeaks CIA Vault7 Leak #15 – BothanSpy & Gyrfalcon

BothanSpy is Microsoft Windows implant that targets the SSH client program Xshell and steals user credentials for all active SSH sessions. Gyrfalcon is a CentOS, Debian, RHEL, SUSE, and Ubuntu Linux Platform implant that targets the OpenSSH client not only steals user credentials of active SSH sessions but is also capable of collecting full or partial OpenSSH session traffic. Both implants save the collected information in an encrypted file for later exfiltration while the BothanSpy implant also implements exfiltration in real time to a CIA server thus leaving no footprint on the target system storage disk(s).

The 6th July 2017 WikiLeaks release overview:

“Today, July 6th 2017, WikiLeaks publishes documents from the BothanSpy and Gyrfalcon projects of the CIA. The implants described in both projects are designed to intercept and exfiltrate SSH credentials but work on different operating systems with different attack vectors. BothanSpy is an implant that targets the SSH client program Xshell on the Microsoft Windows platform and steals user credentials for all active SSH sessions. These credentials are either username and password in case of password-authenticated SSH sessions or username, filename of private SSH key and key password if public key authentication is used. BothanSpy can exfiltrate the stolen credentials to a CIA-controlled server (so the implant never touches the disk on the target system) or save it in an enrypted [sic] file for later exfiltration by other means. BothanSpy is installed as a Shellterm 3.x extension on the target machine. Gyrfalcon is an implant that targets the OpenSSH client on Linux platforms (centos,debian,rhel,suse,ubuntu). The implant can not only steal user credentials of active SSH sessions, but is also capable of collecting full or partial OpenSSH session traffic. All collected information is stored in an encrypted file for later exfiltration. It is installed and configured by using a CIA-developed root kit (JQC/KitV) on the target machine.

Three documents were also published alongside this release BothanSpy V1.0 Tool Documentation, Gyrfalcon V2.0 User’s Guide, and Gyrfalcon 1.0 User Manual.

Previous and subsequent Vault 7 WikiLeaks dumps #1 – #14 and #16 synopses are available on WikiLeaks and analysis of BothanSpy & Gyrfalcon at The Hacker News.

ENDS

Edited Image courtesy of The Hacker News – Twitter @TheHackersNews – Original Image edited to add extract from BothanSpy Tool Documentation Page 8 Screenshot 07/16/2017.