As part of the Vault 7 series, WikiLeaks released a set of documents that is essentially a user manual for a set of CIA hacking tools. The tools are capable of infecting air-gapped PCs via USB drives and are collectively named Brutal Kangaroo.
Brutal Kangaroo is not a single hacking tool. Rather, it is a collection of tools designed to execute a complex attack against air-gapped PCs – PCs not connected to the internet – through an infected USB drive.
Drifting Deadline is the tool that serves as the primary starting point for creating the malware. It is followed by Shattered Assurance, which automates the spread of the malware created by Drifting Deadline through USB drives.
Next comes Shadow, which allows the attacker to control and coordinate the attack. Lastly, Broken Promise is used to extract data from the infected systems.
How does it work?
According to the user manual, the CIA starts an attack with Brutal Kangaroo by using Drifting Deadline to generate and inject the malware. The malware thus created is used in a two-stage process to infect air-gapped computers.
Initially, the attacker, in this case the CIA, infects a targeted computer called the primary host. The malware is injected into this PC, and when a user inserts a USB drive into it, the malware, through Shattered Assurance, generates a more powerful second-stage virus and loads it onto the USB drive.
Once the user inserts this USB drive into another PC, the more powerful malware infects that PC, and the chain continues for as many computers as share the USB drive.
Reports say that the tools have already been used by a hacking group called Longhorn and that around 40 instances of attacks have been found in 16 countries.
(Embedded tweet: WikiLeaks (@wikileaks), June 22, 2017)
What vulnerabilities are exploited?
According to the documents, the second-stage malware exploits certain LNK (shortcut) files on Windows. These files execute the malware as soon as they are viewed in Windows Explorer, without the user opening them.
Furthermore, two distinct exploits facilitate the attack – Okabi and Giraffe. Okabi is the more powerful, as it can target machines running Windows 7 and later versions, while Giraffe now only affects Windows XP, since later versions have been patched.
Once the second-stage malware is executed, the attacker, or the CIA, can coordinate the infections through the Shadow tool. The tool can be used to execute multiple commands once initial data has been extracted using Broken Promise.
This implies that newer versions of Shadow can be generated that carry different instructions for infecting a system. However, the user still needs to insert the USB drive into the primary host so that the new malware can be loaded onto it.
Antivirus software that can detect Brutal Kangaroo
The manual lists certain antivirus software that can detect Brutal Kangaroo. These include Avira, Bitdefender, Rising Antivirus, and Symantec.
Moreover, Microsoft has released security patches that address the vulnerabilities associated with the LNK files, and WikiLeaks has stated that it is working with software developers to fix security flaws that can be exploited by this malware.