By Iain Thomson in San Francisco 22 Jun 2017
”The documents, originally written on May 11, 2015 and revised on February 23 the following year, outline the Brutal Kangaroo project, which use compromised Windows PCs to spread malware to non-networked machines via USB sticks. The suite, which supersedes previous toolkits dubbed EZCheese and Emotional Simian, is the kind of cyber-weapon American intelligence may well have used to spread the Stuxnet nasty.”
”According to the user guide [PDF], the software consists of four specific applications. Shattered Assurance is the server-side code that forms the basis of the attack system and infects USBG drives plugged into an infected computer with the Drifting Deadline malware.”
”Once an infected thumb drive is plugged into a target computer that is set up to autorun its contents and is using Windows 7 as an operating system and running .Net 4.5, Drifting Deadline deploys Shadow malware onto the system.
Shadow is a much older piece of code – the user manual [PDF] is dated August 31, 2012 – that has client and server versions and is highly configurable for specific targets. The operator can set it up to collect system data of up to 10 per cent of the system’s memory, watermark all data it collects, and store it on an encrypted partition on the infected computer’s hard drive.”
”Once the infection has been achieved, Shadow will look for other connected systems and infect those too. It can be set up to put the exfiltrated data onto any new thumb drives that are installed in the system, or send it as a burst if it detects an open internet connection.
The final app in Brutal Kangaroo is Broken Promise, which is a tool used to examine the purloined data easily and quickly. Taken together, the Brutal Kangaroo suite could be very useful for defeating air-gapped machines and is certainly more feasible than more esoteric methods.
There’s nothing too surprising about the Brutal Kangaroo suite, or most of the other documents WikiLeaks is releasing as part of its Vault 7 archive. The software described is all something you’d expect an intelligence agency to use.
As for the Stuxnet connection, this malware was put live well after the infection that borked Iran’s nuclear centrifuges. However, it’s more likely that an insider in Iran was hired to deliver the Stuxnet code into the air-gapped network, rather than spamming the country with malware.
The releases do, however, suggest that whoever thinks up the CIA’s software names could get a second job thinking up good names for teenage garage bands. DarkSeaSkies, Sonic Screwdriver, and now Brutal Kangaroo – someone is missing their calling.
Then again, they might need a new job if they were one of the CIA contractors who reportedly focused their hacking skills on the snack machines in their office. According to reports, the contractors found a way to disable the payment system on the snack machines and stole $3,324.40 worth of nibbles. ®”