What Is Brutal Kangaroo and How Does It Work
Wikileaks has revealed yet more information about the CIA’s trove of malware tools, including information about how the US intelligence agency taps into ‘air gapped’ networks.
“Brutal Kangaroo is a tool suite for Microsoft Windows that targets closed networks by air gap jumping using thumb drives. Brutal Kangaroo components create a custom covert network within the target closed network and providing functionality for executing surveys, directory listings, and arbitrary executables,” according to Wikileaks’ analysis of the CIA manuals.
The suite includes ‘Drifting Deadline’, a GUI-based builder, and ‘Shattered Assurance’, the server component that runs on infected hosts. ‘Shadow’ is the tool operatives use to define the tasks they want carried out on the offline computers, while ‘Broken Promise’ is used to exfiltrate the data.
Brutal Kangaroo is also the name given to the malware that sits on the targeted closed-network or computer.
“When a user is using the primary host and inserts a USB stick into it, the thumb drive itself is infected with a separate malware. If this thumb drive is used to copy data between the closed network and the LAN/WAN, the user will sooner or later plug the USB disk into a computer on the closed network.
“By browsing the USB drive with Windows Explorer on such a protected computer, it also gets infected with exfiltration/survey malware. If multiple computers on the closed network are under CIA control, they form a covert network to coordinate tasks and data exchange,” claims Wikileaks, adding that the method of compromising closed networks is similar to how the Stuxnet worm worked.
Stuxnet was the industrial malware that targeted the computers of scientists working in the Iranian nuclear programme, and which accidentally spread much further than intended.
The malware exploits vulnerabilities in the Windows operating system so that it auto-executes when the USB stick is plugged into a targeted computer. USB sticks used to auto-execute anything under Windows 95/98 and Windows XP, but that glaring security hole has long been closed.
Here’s How the Air-Gap Attack Works
Like most air-gap malware techniques we have reported on at The Hacker News, this hacking tool first infects an Internet-connected computer within the target organisation and then installs the Brutal Kangaroo malware on it.
If an Internet-connected PC inside the target organisation is hard to reach, the attackers can instead infect a computer belonging to one of the organisation’s employees and wait for that employee to insert a USB drive into it.
Now, as soon as a user (the employee of the organisation) inserts a USB stick into the infected computer, Shattered Assurance, the server tool, infects the USB drive with separate malware called Drifting Deadline (also known as ‘Emotional Simian’ in the latest version).
The infected USB drive spreads the malware with the help of a flaw in the Microsoft Windows operating system that can be exploited by hand-crafted link files (.lnk) to load and execute programs (DLLs) without user interaction.
“The .lnk file(s) must be viewed in windows explorer, and the tool will be auto-executed without any further input,” the manual says.
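As an added illustration, and not code from the leaked manuals or from WikiLeaks, the following Python parses the Shell Link (.lnk) format that the vector above relies on and flags shortcuts found on removable media whose strings hand a DLL to a loader such as rundll32. The sample shortcuts, the drive letter and the DLL name are constructed, and the heuristics are an assumption about what a defender triaging a thumb drive would look for, not anything the documents describe.

```python
import struct

# LinkFlags bits and the StringData order come from the MS-SHLLINK specification.
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

def parse_lnk(data: bytes) -> dict:
    """Read the fixed header, skip the IDList and LinkInfo blocks, and return the StringData fields."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_ID_LIST:                 # LinkTargetIDList: uint16 size, then the item IDs
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:               # LinkInfo: uint32 total size, which includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    out = {"flags": flags}
    for bit, key in STRING_FIELDS:          # each string: uint16 character count, then the chars
        if flags & bit:
            n = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            out[key] = data[pos:pos + n * width].decode("utf-16-le" if width == 2 else "cp1252")
            pos += n * width
    return out

def assess_lnk(data: bytes) -> list:
    """Triage heuristics (an assumption, not from the documents) for a shortcut found on a thumb drive."""
    info = parse_lnk(data)
    text = " ".join(info.get(key, "") for _, key in STRING_FIELDS).lower()
    findings = []
    if "rundll32" in text or "regsvr32" in text:
        findings.append("shortcut invokes a DLL loader")
    if ".dll" in text:
        findings.append("shortcut strings reference a DLL")
    return findings

def build_sample_lnk(**strings) -> bytes:
    """Constructed test data: a minimal Shell Link carrying only StringData (no IDList, no LinkInfo)."""
    flags = IS_UNICODE | sum(bit for bit, key in STRING_FIELDS if key in strings)
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags) + b"\0" * 52
    body = b"".join(struct.pack("<H", len(strings[key])) + strings[key].encode("utf-16-le")
                    for _, key in STRING_FIELDS if key in strings)
    return header + body
```

Only the StringData fields are inspected; the IDList and LinkInfo blocks are skipped, so treat this as a first pass over a mounted drive rather than a complete check, and a malformed header is raised as an error instead of being silently ignored.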
When the infected USB drive is used to share data with air-gapped computers, the malware spreads itself to those systems as well.
“If multiple computers on the closed network are under CIA control, they form a covert network to coordinate tasks and data exchange. Although not explicitly stated in the documents, this method of compromising closed networks is very similar to how Stuxnet worked,” WikiLeaks said.
“Brutal Kangaroo components create a custom covert network within the target closed network and providing functionality for executing surveys, directory listings, and arbitrary executables,” a leaked CIA manual reads.
The malware then covertly collects data from the infected air-gapped computers (using Shadow, the primary persistence mechanism), and a module within the Brutal Kangaroo suite, dubbed “Broken Promise,” analyzes the collected data for information of interest.