Air-gapped computers, isolated from the Internet and other external networks and believed to be the most secure computers on the planet, have become a regular target in recent years.
Dubbed Brutal Kangaroo (v1.2.1), the tool suite was allegedly designed by the Central Intelligence Agency (CIA) in 2012 to infiltrate a closed network or air-gapped computer within an organization or enterprise without requiring any direct access.
Here’s How the Air-Gap Attack Works
✶ Shattered Assurance – a server component running on infected hosts that automates the infection of thumb drives using malware generated via Drifting Deadline
✶ Shadow – tool to create and coordinate multiple infected computers on an air-gapped network, allowing operators to define a series of tasks to be executed on offline computers
✶ Broken Promise – tool to evaluate and exfiltrate data collected from air-gapped networks
The CIA uses these tools as part of a very complex attack process, which starts with a CIA operative using Drifting Deadline to generate first and second-stage malware used in the attacks, on a per-target basis.
The process then moves on to using various other CIA tools to infect a computer in the target’s network.
This process is not detailed, meaning CIA operatives can use whatever they have at their disposal to achieve this first infection.
If the user takes this USB thumb drive and connects it to another PC, this second-stage malware will execute and infect that computer as well.
Like most air-gapped malware techniques we reported on The Hacker News, this hacking tool first infects an Internet-connected computer within the target organization and then installs the Brutal Kangaroo malware on it.
Even if an Internet-connected PC within the target organisation is hard to reach, the attackers can infect a computer belonging to one of the organisation’s employees and then wait for that employee to insert a USB drive into it.
Now, as soon as a user (the employee of the organisation) inserts a USB stick into the infected computer, Shattered Assurance, a server tool, infects the USB drive with a separate piece of malware called Drifting Deadline (also known as ‘Emotional Simian’ in the latest version).
The USB drive then infects other machines with the help of a flaw in the Microsoft Windows operating system that can be exploited by hand-crafted shortcut (.lnk) files to load and execute programs (DLLs) without user interaction.
“The .lnk file(s) must be viewed in Windows Explorer, and the tool will be auto-executed without any further input,” the manual says.
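The shortcut-file vector described above is the part of the chain a defender can look for on removable media. As an added example, not code from the leaked manual or from WikiLeaks, the following Python script parses the fixed header and StringData section of a Windows Shell Link (.lnk) file and flags shortcuts whose target path or arguments name a DLL or invoke rundll32; the sample shortcuts it builds are constructed for the demonstration.

```python
import struct

# MS-SHLLINK LinkFlags bits used here
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData blocks in on-disk order, each with the flag that says it is present
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a Shell Link; raise ValueError if malformed."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C                                  # end of the fixed 76-byte header
    if flags & HAS_IDLIST:                      # IDListSize (2 bytes) + item list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                    # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]    # CountCharacters
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + width * count]
        if len(raw) != width * count:
            raise ValueError("truncated StringData")
        fields[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
        pos += width * count
    return fields

def references_dll(fields: dict) -> bool:
    """Triage heuristic: target path or arguments name a DLL/CPL or call rundll32."""
    text = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    return any(tok in text for tok in (".dll", ".cpl", "rundll32"))

def build_lnk(**strings) -> bytes:
    """Constructed sample: a minimal Unicode .lnk carrying only StringData (test helper)."""
    flags, body = IS_UNICODE, b""
    for bit, name in STRING_FIELDS:
        if name in strings:
            flags |= bit
            body += struct.pack("<H", len(strings[name])) + strings[name].encode("utf-16-le")
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags)
    return header + b"\x00" * (0x4C - len(header)) + body
```

Legitimate shortcuts routinely take their icons from DLLs, so the heuristic deliberately ignores icon_location; it is meant for triaging shortcuts found on removable media, not for blocking.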
“If multiple computers on the closed network are under CIA control, they form a covert network to coordinate tasks and data exchange. Although not explicitly stated in the documents, this method of compromising closed networks is very similar to how Stuxnet worked,” WikiLeaks said.
“Brutal Kangaroo components create a custom covert network within the target closed network and providing functionality for executing surveys, directory listings, and arbitrary executables,” a leaked CIA manual reads.
The malware then covertly collects data from the infected air-gapped computers, using Shadow as the primary persistence mechanism, and a module within the Brutal Kangaroo suite dubbed “Broken Promise” analyzes the collected data for valuable information.
Previous Vault 7 CIA Leaks
Last week, WikiLeaks dumped an alleged CIA framework used for monitoring the Internet activity of the targeted systems by exploiting vulnerabilities in Wi-Fi devices.
Dubbed “Cherry Blossom,” the framework was basically a remotely controllable firmware-based implant for wireless networking devices, including routers and wireless access points (APs), which exploits router vulnerabilities to gain unauthorized access and then replaces the firmware with custom Cherry Blossom firmware.
Since March, the whistleblowing group has published 12 batches in the “Vault 7” series, including this week’s and last week’s leaks, along with the following batches:
- Pandemic – a CIA project that allowed the agency to turn Windows file servers into covert attack machines that can silently infect other computers of interest inside a targeted network.
- Athena – a spyware framework designed to take full control over Windows PCs remotely, which works against every version of Microsoft’s Windows operating system, from Windows XP to Windows 10.
- AfterMidnight and Assassin – Two apparent CIA malware frameworks for the Windows platform that have been designed to monitor and report back the activities of the infected remote host computer and execute malicious actions.
- Archimedes – Man-in-the-Middle attack tool allegedly created by the CIA to target computers inside a Local Area Network (LAN).
- Scribbles – Software reportedly designed to embed ‘web beacons’ into confidential files and documents, allowing the agency to track whistleblowers and insiders.
- Grasshopper – A framework which allowed the agency to easily create custom malware for breaking into Windows operating system and bypassing antivirus protection.
- Marble – The source code of a secret anti-forensic framework, basically an obfuscator or a packer used by the spying agency to hide the actual source of its malware.
- Dark Matter – Revealed hacking exploits the CIA designed to target iPhones and Macs.
- Weeping Angel – A spying tool used by the CIA to infiltrate smart TVs and then transform them into covert microphones.
- Year Zero – Disclosed several CIA hacking exploits for popular hardware and software.