Purple Lambert, a new malware of CIA-linked Lambert APT group

Pierluigi Paganini April 29, 2021

Cybersecurity firm Kaspersky discovered a new strain of malware that is believed to be part of the arsenal of the US Central Intelligence Agency (CIA).

Cybersecurity firm Kaspersky has discovered a new malware that experts attribute to the US Central Intelligence Agency.

Experts from Kaspersky explained that in February 2019, multiple antivirus companies received a collection of malware samples, some of which could not be associated with the activity of known APT groups.

These malware strains did not present any similarities with malware associated with other APT groups.

A deeper analysis of some of these samples revealed that they were compiled in 2014 and used in the wild between 2014 and 2015. Although the researchers have not found any shared code with any other known malware family, the samples shared coding patterns, style, and techniques with the code belonging to the Lambert families.

“Although we have not found any shared code with any other known malware, the samples have intersections of coding patterns, style and techniques that have been seen in various Lambert families. We therefore named this malware Purple Lambert.” states the APT trends report Q1 2021 published by Kaspersky. “Purple Lambert is composed of several modules, with its network module passively listening for a magic packet. It is capable of providing an attacker with basic information about the infected system and executing a received payload.”

The Lambert APT (aka Longhorn APT) has been active since at least 2008, but its first samples were spotted in 2014. The group is highly sophisticated and targeted organizations worldwide using a complex cyberattack platform that could target both Windows and OSX systems.

Over the years, researchers have analyzed multiple backdoors and hacking tools that make up the arsenal of the cyberespionage group.

Kaspersky named this collection of samples Purple Lambert. The malware has a modular structure, and its network module passively listens for a magic packet. The malicious code collects basic information about the infected system and also allows attackers to execute additional payloads.

Purple Lambert implements functionality similar to that of Gray Lambert and White Lambert, though in different ways; the latter are kernel-mode passive-listener implants.

In April 2017, Symantec security experts analyzed the alleged CIA hacking tools included in the Vault 7 dump, which had been involved in attacks aimed at at least 40 governments and private organizations across 16 countries.
Researchers at Symantec linked the CIA hacking tools to a number of cyber attacks launched in recent years by a threat actor the company identified as the Longhorn group.

“Spying tools and operational protocols detailed in the recent Vault 7 leak have been used in cyberattacks against at least 40 targets in 16 different countries by a group Symantec calls Longhorn. Symantec has been protecting its customers from Longhorn’s tools for the past three years and has continued to track the group in order to learn more about its tools, tactics, and procedures.” reads the analysis published by Symantec.

“The tools used by Longhorn closely follow development timelines and technical specifications laid out in documents disclosed by WikiLeaks.”

Symantec believes Longhorn is a North American hacking group that has been active since at least 2011. The group is very sophisticated and has used zero-day exploits and complex malware to conduct targeted attacks against governments and organizations in almost every industry, including financial, energy, telecommunications, education and aerospace.

The Longhorn group is a well-resourced hacking team that operated on a standard Monday to Friday working week in an American time zone. The nature of the targets and its Tactics, Techniques, and Procedures (TTPs) suggest the Longhorn group is a state-sponsored crew.

The targets were all located in the Middle East, Europe, Asia, and Africa. In one case, the researchers observed the Longhorn group compromising a computer in the US; following infection, an uninstaller was quickly executed, which suggests that this victim was infected unintentionally.

In November 2019, ESET researchers discovered a new downloader, dubbed DePriMon, that used new “Port Monitor” methods in attacks in the wild. The new DePriMon downloader was used by the Lambert APT group, aka Longhorn, to deploy malware.
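As an added, defender-side illustration that is not code from the article, Kaspersky, ESET or Symantec: Windows port monitors are DLLs registered under HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors and loaded by the print spooler, which is why a "Port Monitor" entry is a persistence point worth auditing on a suspected host. The script below parses a constructed `reg export` of that key and flags any monitor whose Driver value points outside System32 or is not in a known-good baseline. The baseline set, the sample entries and the `example_mon.dll` name are assumptions made for the demonstration; the baseline should be rebuilt from a known-clean image of the same Windows build before use.

```python
import re

# Constructed sample: the text `reg export HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors`
# would produce on a host with four stock monitors plus one hypothetical extra entry.
# (.reg files escape backslashes as "\\".)
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Local Port]
"Driver"="localspl.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port]
"Driver"="tcpmon.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\USB Monitor]
"Driver"="usbmon.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\WSD Port]
"Driver"="WSDMon.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Example Monitor]
"Driver"="C:\\Users\\Public\\example_mon.dll"
'''

MONITORS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors"

# Assumed known-good baseline of stock monitor DLLs (lower-case basenames).
# Rebuild this from a clean reference image of the same Windows build.
BASELINE_DRIVERS = {"localspl.dll", "tcpmon.dll", "usbmon.dll", "wsdmon.dll"}

# Directories from which the spooler is expected to load monitor DLLs.
SYSTEM32_DIRS = {r"c:\windows\system32", r"%systemroot%\system32"}


def parse_port_monitors(reg_text):
    """Return {monitor name: Driver value} from a .reg export of the Monitors key."""
    monitors = {}
    current = None
    prefix = MONITORS_KEY + "\\"
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            # Only direct subkeys of Monitors name a monitor; the parent key itself does not.
            if key.lower().startswith(prefix.lower()) and len(key) > len(prefix):
                current = key[len(prefix):]
            else:
                current = None
            continue
        match = re.match(r'^"Driver"="(.*)"$', line)
        if match and current is not None:
            # Undo the .reg backslash escaping so paths compare naturally.
            monitors[current] = match.group(1).replace("\\\\", "\\")
    return monitors


def assess_port_monitors(monitors, baseline=BASELINE_DRIVERS):
    """Return (name, driver, reason) for every monitor that deviates from expectations."""
    findings = []
    for name, driver in monitors.items():
        normalized = driver.replace("/", "\\")
        directory, _, basename = normalized.rpartition("\\")
        reasons = []
        # A bare filename is resolved from System32; an explicit path elsewhere is a red flag.
        if directory and directory.lower() not in SYSTEM32_DIRS:
            reasons.append("driver DLL loaded from outside System32")
        if basename.lower() not in baseline:
            reasons.append("driver DLL not in the known-good baseline")
        if reasons:
            findings.append((name, driver, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    found = parse_port_monitors(SAMPLE_REG_EXPORT)
    for name, driver, reason in assess_port_monitors(found):
        print(f"[!] port monitor {name!r} -> {driver}: {reason}")
```

On a live host the same check can be fed the output of `reg export` for the Monitors key; a hit should be followed up by examining the DLL, its signature and the spooler process that loaded it, rather than treated as proof of compromise on its own.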

In March 2020, Chinese security firm Qihoo 360 accused the US Central Intelligence Agency (CIA) of having hacked Chinese organizations for the last 11 years. According to the firm, the US cyber spies are targeting various industry sectors and government agencies.

The Qihoo 360 experts claim that a CIA hacking unit, tracked as APT-C-39, has hacked organizations in the aviation, scientific research, oil and technology industries, and has also targeted government agencies.
