OutlawCountry malware sends traffic from Linux machines to the CIA’s servers.
WikiLeaks’ latest Vault7 release of leaked CIA documents detailing its hacking tools reveals malware called OutlawCountry that targets Linux systems.
OutlawCountry is described in documents dated June 4, 2015 as a kernel module for Linux 2.6 that allows CIA operators to redirect outbound traffic to a server they control by creating an hidden netfilter or iptables table. Netfilter is a packet-filtering framework within the Linux kernel’s networking stack.
OutlawCountry creates a hidden netfilter table with an “obscure name”, which the operator can use to create new rules that override existing netfilter rules. The new rules can only be seen by an admin if the table name is known, which, according to the documents, is ‘dpxvke8h18’.
The malware is designed for Red Hat Enterprise Linux 6.x and CentOS 6.x systems with the 6.4-bit 2.6.32 version of the Linux kernel. However, the operator needs to have already compromised the target to load a malicious module and must have gained root privileges to operate the malware.
WikiLeaks notes that an “operator will have to rely on the available CIA exploits and backdoors to inject the kernel module into a target operating system”.
RedHat’s advisory for OutlawCountry describes the command to use to determine if the CIA’s kernel module has been loaded.
WikiLeaks dumped over 8,000 CIA documents when it launched Vault 7 in March and has released several documents a month detailing specific CIA malware programs.
OutlawCountry is the 14th malware program detailed in the series. Earlier this month it released details of ‘Elsa’ for tracking the location of Windows PCs, ‘Brutal Kangaroo’ for hopping across air-gapped networks via an infected USB stick, the ‘CherryBlossom’ router malware, and ‘Pandemic’, which targeted Windows file-sharing.