
Brutal Kangaroo is the CIA tool suite for hacking Air-Gapped Networks

WikiLeaks has published a new batch of Vault 7 documents that detail the Brutal Kangaroo tool suite for hacking air-gapped networks.

WikiLeaks has published a new batch of documents belonging to the Vault 7 leak; the latest archive includes the documentation for a tool dubbed Brutal Kangaroo, used by the CIA against Microsoft Windows systems on air-gapped networks.

Air-gapped networks are physically separated from the Internet for security reasons and are mainly deployed in high-security environments and critical infrastructure.

“Today, June 22nd 2017, WikiLeaks publishes documents from the Brutal Kangaroo project of the CIA. Brutal Kangaroo is a tool suite for Microsoft Windows that targets closed networks by air gap jumping using thumbdrives,” states WikiLeaks. “Brutal Kangaroo components create a custom covert network within the target closed network and providing functionality for executing surveys, directory listings, and arbitrary executables.”

WikiLeaks released the documentation for Brutal Kangaroo v1.2.1, which dates back to 2012.
A previous version of Brutal Kangaroo was code-named EZCheese and, according to the documentation, it exploited a vulnerability discovered in March 2015.

The Brutal Kangaroo tool suite is composed of the following components:

  • Drifting Deadline is the thumbdrive infection tool;
  • Shattered Assurance is a server tool that handles automated infection of thumbdrives;
  • Broken Promise is the Brutal Kangaroo post-processor used to analyze collected information;
  • Shadow is the primary persistence mechanism (a stage 2 tool that is distributed across a closed network and acts as a covert command-and-control network; once multiple Shadow instances are installed and share drives, tasking and payloads can be sent back and forth).

According to the documents, CIA agents can infiltrate a closed network within an organization or enterprise without direct access; the attack chain starts by infecting an Internet-connected machine within the organization. When a user plugs a USB stick into the infected machine, the thumbdrive itself is infected with a separate malware component called Drifting Deadline (also known as ‘Emotional Simian’ in the latest version), which can propagate within the closed network every time a user inserts the USB stick into one of its computers.

“The documents describe how a CIA operation can infiltrate a closed network (or a single air-gapped computer) within an organization or enterprise without direct access. It first infects an Internet-connected computer within the organization (referred to as “primary host”) and installs the BrutalKangaroo malware on it. When a user is using the primary host and inserts a USB stick into it, the thumbdrive itself is infected with a separate malware. If this thumbdrive is used to copy data between the closed network and the LAN/WAN, the user will sooner or later plug the USB disk into a computer on the closed network. By browsing the USB drive with Windows Explorer on such a protected computer, it also gets infected with exfiltration/survey malware,” continues WikiLeaks.

“The primary execution vector used by infected thumbdrives is a vulnerability in the Microsoft Windows operating system that can be exploited by hand-crafted link files that load and execute programs (DLLs) without user interaction. Older versions of the tool suite used a mechanism called EZCheese that was a 0-day exploit until March 2015; newer versions seem to use a similar, but yet unknown link file vulnerability (Lachesis/RiverJack) related to the library-ms functionality of the operating system.”
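The execution pattern described above (a link file or library description file on removable media that loads a DLL sitting beside it) gives a defender something concrete to look for when triaging a thumbdrive. The script below is an added example, not code from the leaked documents or the article: it walks a mounted drive, reports every .lnk and .library-ms file together with the DLLs in the same directory, and parses each .library-ms (an XML format using the real Windows Library Description namespace) to flag locations that are not a plain drive-letter path or known folder. The sample drive it builds in a temporary directory, including the UNC share address in the library file, is constructed for the demonstration.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET
LIB_NS = "{http://schemas.microsoft.com/windows/2009/library}"  # .library-ms schema namespace
TRIGGER_EXT = {".lnk", ".library-ms"}
SAMPLE_LIBRARY_MS = (  # constructed sample: a library whose location is a network share
    '<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">'
    "<searchConnectorDescriptionList><searchConnectorDescription><simpleLocation>"
    "<url>\\\\10.0.0.5\\share\\docs</url></simpleLocation>"
    "</searchConnectorDescription></searchConnectorDescriptionList></libraryDescription>"
)

def library_ms_urls(path):
    """Return the <url> targets declared in a .library-ms file ([] if unreadable)."""
    try:
        root = ET.parse(path).getroot()
    except (ET.ParseError, OSError):
        return []
    return [u.text.strip() for u in root.iter(LIB_NS + "url") if u.text]

def is_odd_url(url):
    """Libraries normally point at a drive-letter path or a known folder; a UNC share
    or anything else on removable media deserves a closer look."""
    return url.startswith("\\\\") or not (
        re.match(r"^[A-Za-z]:\\", url) or url.lower().startswith("knownfolder:"))

def triage_drive(root_dir):
    """Walk a mounted drive; report each .lnk/.library-ms file, the DLLs sitting in the
    same directory (the link-file-loads-DLL pattern) and any odd library URLs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        dlls = sorted(f for f in files if f.lower().endswith(".dll"))
        for name in sorted(files):
            ext = os.path.splitext(name)[1].lower()
            if ext not in TRIGGER_EXT:
                continue
            full = os.path.join(dirpath, name)
            urls = library_ms_urls(full) if ext == ".library-ms" else []
            findings.append({"file": os.path.relpath(full, root_dir).replace(os.sep, "/"),
                             "adjacent_dlls": dlls,
                             "odd_urls": [u for u in urls if is_odd_url(u)]})
    return findings

def demo():
    """Build a constructed sample drive in a temp dir and triage it."""
    drive = tempfile.mkdtemp(prefix="usb_")
    with open(os.path.join(drive, "Photos.library-ms"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_LIBRARY_MS)
    open(os.path.join(drive, "Photos.lnk"), "wb").close()   # placeholder link file, not parsed
    open(os.path.join(drive, "viewer.dll"), "wb").close()   # DLL beside the link files
    return triage_drive(drive)
```

The check is a heuristic for triage, not a signature for the unknown Lachesis/RiverJack flaw; a hit only says the drive carries the combination the documents describe and should be examined on an isolated analysis machine.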

Once the malware has spread across the air-gapped network, the infected computers form a covert network that coordinates the attackers’ activities and data exchange.

“If multiple computers on the closed network are under CIA control, they form a covert network to coordinate tasks and data exchange. Although not explicitly stated in the documents, this method of compromising closed networks is very similar to how Stuxnet worked,” WikiLeaks said.

“Brutal Kangaroo components create a custom covert network within the target closed network and providing functionality for executing surveys, directory listings, and arbitrary executables,” a leaked CIA manual reads.

Below is the list of Vault 7 batches released by WikiLeaks since March:


Pierluigi Paganini

(Security Affairs – WikiLeaks, Brutal Kangaroo)

