Brutal Kangaroo
Today, June 22nd 2017, WikiLeaks publishes documents from the Brutal Kangaroo
project of the CIA. Brutal Kangaroo is a tool suite for Microsoft Windows that
targets closed networks by air-gap jumping using thumbdrives. Brutal Kangaroo
components create a custom covert network within the target closed network and
provide functionality for executing surveys, directory listings, and arbitrary
executables.
The documents describe how a CIA operation can infiltrate a closed network (or a
single air-gapped computer) within an organization or enterprise without direct
access. It first infects an Internet-connected computer within the organization
(referred to as the "primary host") and installs the Brutal Kangaroo malware on it.
When a user of the primary host inserts a USB stick, the thumbdrive itself is
infected with a separate malware. If this thumbdrive is used to copy data between
the closed network and the LAN/WAN, the user will sooner or later plug it into a
computer on the closed network. Merely browsing the USB drive with Windows
Explorer on such a protected computer infects it with exfiltration/survey
malware; the user does not have to open or run any file. If multiple computers on
the closed network are under CIA control, they form a covert network to
coordinate tasks and exchange data. Although not explicitly stated in the
documents, this method of compromising closed networks is very similar to how
Stuxnet worked.
The Brutal Kangaroo project consists of the following components: Drifting
Deadline, the thumbdrive infection tool; Shattered Assurance, a server tool that
handles automated infection of thumbdrives (the primary mode of propagation for
the Brutal Kangaroo suite); Broken Promise, the Brutal Kangaroo postprocessor
(used to evaluate collected information); and Shadow, the primary persistence
mechanism (a stage 2 tool that is distributed across a closed network and acts
as a covert command-and-control network; once multiple Shadow instances are
installed and share drives, tasking and payloads can be sent back and forth).
The primary execution vector used by infected thumbdrives is a vulnerability in
the Microsoft Windows operating system that can be exploited with hand-crafted
link files (.lnk shortcuts), which cause Windows to load and execute code (DLLs)
without any user interaction beyond viewing the drive. Older versions of the
tool suite used a mechanism called EZCheese, an exploit for a vulnerability that
remained unpatched (a 0-day) until March 2015; newer versions seem to use a
similar, but as yet unknown, link file vulnerability (Lachesis/RiverJack)
related to the library-ms functionality of the operating system.
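Because the execution vector rides on .lnk and .library-ms files that Explorer parses on sight, a defender handling media that has crossed an air gap wants to triage those two file types before the drive is ever browsed on a Windows machine. The script below is an added example written for this page; it is not code from the Brutal Kangaroo documents and does not implement EZCheese, Lachesis or RiverJack, whose technical details the page does not give. It assumes the public MS-SHLLINK binary layout for shortcuts and the standard library-ms XML namespace, and applies generic heuristics (a shortcut field naming a DLL outside the system directory, or a shortcut or library location pointing at a UNC share or URL) rather than a signature for any specific bug. The sample files it checks are constructed inline.

```python
"""Triage of .lnk and .library-ms files copied off a USB drive.  Added example,
not code from the Brutal Kangaroo documents; it does not implement EZCheese,
Lachesis or RiverJack, whose details the page does not give.  Assumes the
public MS-SHLLINK layout and the library-ms XML namespace; samples are constructed."""
import re
import struct
import sys
import xml.etree.ElementTree as ET

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}, little-endian
FLAG_HAS_IDLIST, FLAG_HAS_LINKINFO, FLAG_IS_UNICODE = 0x01, 0x02, 0x80
# StringData sections follow the optional structures in this fixed order.
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
LIB_NS = "{http://schemas.microsoft.com/windows/2009/library}"
LOADABLE_MODULE = re.compile(r"\.(dll|cpl|ocx)\b", re.I)
REMOTE_PATH = re.compile(r"^(\\\\|https?://)", re.I)
SYSTEM_PREFIXES = ("%systemroot%", "%windir%", "c:\\windows\\")


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags and the StringData fields of a shell link."""
    if len(data) < LNK_HEADER_SIZE or data[:4] != b"L\0\0\0" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos, strings = LNK_HEADER_SIZE, {}
    try:
        if flags & FLAG_HAS_IDLIST:    # skip LinkTargetIDList (u16 size + items)
            pos += 2 + struct.unpack_from("<H", data, pos)[0]
        if flags & FLAG_HAS_LINKINFO:  # skip LinkInfo (u32 size includes itself)
            pos += struct.unpack_from("<I", data, pos)[0]
        for bit, field in STRING_FIELDS:
            if flags & bit:
                count = struct.unpack_from("<H", data, pos)[0]
                width = 2 if flags & FLAG_IS_UNICODE else 1
                raw = data[pos + 2:pos + 2 + count * width]
                strings[field] = raw.decode("utf-16-le" if width == 2 else "latin-1")
                pos += 2 + count * width
    except (struct.error, UnicodeDecodeError) as exc:
        raise ValueError("truncated or malformed shell link") from exc
    return {"flags": flags, "strings": strings}


def triage_lnk(data: bytes) -> list:
    """Flag fields naming a loadable module outside the system directory or pointing
    off the local machine; a normal shell32.dll icon reference is not reported."""
    findings, strings = [], parse_lnk(data)["strings"]
    for field in ("relative_path", "working_dir", "arguments", "icon_location"):
        value = strings.get(field, "")
        if LOADABLE_MODULE.search(value) and not value.lower().startswith(SYSTEM_PREFIXES):
            findings.append(f"{field} names a loadable module outside the system directory: {value}")
        if REMOTE_PATH.match(value):
            findings.append(f"{field} points off the local machine: {value}")
    return findings


def triage_library_ms(xml_text: str) -> list:
    """Flag a library whose icon is loaded from an explicit path or whose search
    locations are remote (UNC or HTTP) instead of local folders."""
    findings, root = [], ET.fromstring(xml_text)
    icon = (root.findtext(LIB_NS + "iconReference") or "").strip()
    if "\\" in icon or "/" in icon:
        findings.append(f"iconReference loads from an explicit path: {icon}")
    for url in root.iter(LIB_NS + "url"):
        target = (url.text or "").strip()
        if REMOTE_PATH.match(target):
            findings.append(f"library location is remote: {target}")
    return findings


def build_lnk(**strings) -> bytes:
    """Construct a minimal Unicode shortcut carrying only StringData (sample builder)."""
    flags, body = FLAG_IS_UNICODE, bytearray()
    for bit, field in STRING_FIELDS:
        value = strings.get(field)
        if value is not None:
            flags |= bit
            body += struct.pack("<H", len(value)) + value.encode("utf-16-le")
    header = bytearray(LNK_HEADER_SIZE)
    struct.pack_into("<I", header, 0, LNK_HEADER_SIZE)
    header[4:20] = LNK_CLSID
    struct.pack_into("<I", header, 20, flags)
    return bytes(header + body)


# Constructed sample: a library whose only location is a UNC share.
SAMPLE_LIBRARY_MS = """<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <iconReference>imageres.dll,-1002</iconReference>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation><url>\\\\10.0.0.5\\share</url></simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>"""

if __name__ == "__main__":  # usage: python lnk_triage.py <file.lnk | file.library-ms>
    path = sys.argv[1]
    data = open(path, "rb").read()
    print(triage_library_ms(data.decode("utf-8", "replace")) if path.lower().endswith(".library-ms") else triage_lnk(data))
```

Run it from a non-Windows host, or at least from a directory listing that does not render icons, since the whole point is that Explorer parses these files before the user clicks anything. The heuristics deliberately tolerate ordinary shortcuts whose icon comes from %SystemRoot%; what they single out is a shortcut or library that asks Windows to resolve a module or a location from the removable drive, a network share or the web.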