Linux malware: Leak exposes CIA’s OutlawCountry hacking toolkit

OutlawCountry malware sends traffic from Linux machines to the CIA’s servers.

WikiLeaks’ latest Vault7 release of leaked CIA documents detailing its hacking tools reveals malware called OutlawCountry that targets Linux systems.

OutlawCountry is described in documents dated June 4, 2015 as a kernel module for Linux 2.6 that allows CIA operators to redirect outbound traffic to a server they control by creating a hidden netfilter or iptables table. Netfilter is a packet-filtering framework within the Linux kernel’s networking stack.

OutlawCountry creates a hidden netfilter table with an “obscure name”, which the operator can use to create new rules that override existing netfilter rules. The new rules can only be seen by an admin if the table name is known, which, according to the documents, is ‘dpxvke8h18’.

The malware is designed for Red Hat Enterprise Linux 6.x and CentOS 6.x systems with the 64-bit 2.6.32 version of the Linux kernel. However, the operator needs to have already compromised the target to load a malicious module and must have gained root privileges to operate the malware.

WikiLeaks notes that an “operator will have to rely on the available CIA exploits and backdoors to inject the kernel module into a target operating system”.

Red Hat’s advisory for OutlawCountry describes the command to use to determine if the CIA’s kernel module has been loaded.
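Because the hidden table only shows up when it is queried by name, a practical defender check is to enumerate the tables the kernel has registered and flag any name that is not one of the standard ones, then query the quoted name directly. The script below is an added example written for this page; it is not the Red Hat advisory's command and not any CIA tooling. The table name 'dpxvke8h18' is the one quoted in the article; the list of standard tables, the use of /proc/net/ip_tables_names, and the constructed sample input are assumptions about a typical iptables host.

```shell
#!/bin/sh
# Added detection helper for hidden netfilter tables (example for this page,
# not from the article, Red Hat or any leaked tooling).

# Assumption: the table name quoted in the article.
HIDDEN_TABLE="dpxvke8h18"
# Assumption: the tables a stock iptables host is expected to register.
KNOWN_TABLES="filter nat mangle raw security"

# is_known_table NAME -> prints "known" or "unexpected"
is_known_table() {
    for t in $KNOWN_TABLES; do
        if [ "$t" = "$1" ]; then
            echo known
            return 0
        fi
    done
    echo unexpected
    return 0
}

# unexpected_tables "NAMES" -> prints each non-standard table name, one per line.
# NAMES is one table per line, the format of /proc/net/ip_tables_names.
unexpected_tables() {
    printf '%s\n' "$1" | while IFS= read -r name; do
        if [ -n "$name" ] && [ "$(is_known_table "$name")" = "unexpected" ]; then
            printf '%s\n' "$name"
        fi
    done
    return 0
}

# live_check -> inspects the running host when iptables is available.
# Querying the hidden name with -t only succeeds if that table is registered,
# which is the behaviour the article describes (visible only if the name is known).
live_check() {
    if command -v iptables >/dev/null 2>&1 && [ -r /proc/net/ip_tables_names ]; then
        unexpected_tables "$(cat /proc/net/ip_tables_names)"
        if iptables -t "$HIDDEN_TABLE" -L >/dev/null 2>&1; then
            echo "netfilter table $HIDDEN_TABLE is present"
        fi
    else
        echo "iptables or /proc/net/ip_tables_names not available; skipping live check"
    fi
    return 0
}

# Constructed sample input standing in for /proc/net/ip_tables_names on an
# affected host; the last line is the unexpected table.
SAMPLE_TABLES="filter
nat
mangle
dpxvke8h18"

unexpected_tables "$SAMPLE_TABLES"   # prints: dpxvke8h18
live_check
```

Run it as root on a RHEL/CentOS 6 host to check the live system; the sample input exercises the parser without needing root. An unexpected name is a lead to investigate, not proof on its own, since third-party software can register its own tables.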

WikiLeaks dumped over 8,000 CIA documents when it launched Vault 7 in March and has released several documents a month detailing specific CIA malware programs.

OutlawCountry is the 14th malware program detailed in the series. Earlier this month it released details of ‘Elsa’ for tracking the location of Windows PCs, ‘Brutal Kangaroo’ for hopping across air-gapped networks via an infected USB stick, the ‘CherryBlossom’ router malware, and ‘Pandemic’, which targeted Windows file-sharing.
