About a week after publishing documents to Cherry Blossom, a set of tools used by the CIA to compromise wireless networking devices, WikiLeaks has published documents related to the Brutal Kangaroo project. The Brutal Kangaroo leaks contain details of a set of tools used by the CIA to compromise air gapped computers through USB drives. Air gapped computers are machines that are not connected to any networks, or connected only to closed networks, to significantly reduce the threat from malware. The setup necessarily demands inventive attack vectors to compromise the systems and extract information from them.
The method used by the malware is similar to how Stuxnet worked. The malware first infects a computer in the organisation that is connected to the internet. The malware then hops onto any USB drive that is connected to the primary host. If the same USB stick is subsequently used on an air gapped machine, the system gets infected. From there, the malware can spread to multiple computers in the closed network, and forms a covert network to coordinate tasks and exchange data. The malware can conduct surveys and run arbitrary programs.
The Brutal Kangaroo project has four components. Drifting Deadline is the tool that infects the USB drives, performs surveys and collects files. Shattered Assurance is an automated tool that handles the infection of the USB drives, and is the primary mechanism through which Brutal Kangaroo spreads. Broken Promise is a Brutal Kangaroo post-processor. Shadow is a persistence mechanism that forms the covert network and enables command and control activities.
Publish date: June 23, 2017 6:37 pm| Modified date: June 23, 2017 6:37 pm