WikiLeaks, as part of its Vault 7 leaks, has published documents from a CIA project dubbed 'OutlawCountry'.
The documents, published on Thursday on the WikiLeaks website, describe a malware tool that the CIA probably used to monitor the network traffic of Linux users.
The attack is only possible when the target system runs a compatible 64-bit version of CentOS/RHEL 6.x (kernel version 2.6.32), the attacker already has shell access to the target, and the target has a 'nat' netfilter table.
The OutlawCountry tool consists of a kernel module for Linux 2.6. When an attacker with shell access loads the module on the target system, a new netfilter table with an obscure name is created; rules placed in this table are given priority by the system over the existing ones. A system administrator can only see these rules if he knows the table name.
“When the attacker removes the kernel module, the new table is also removed.” reads the documentation.
In short, the tool adds hidden DNAT rules to the PREROUTING chain. The changes to the PREROUTING chain redirect network traffic to the attacker. The CIA supposedly used the tool to monitor the network traffic of users running the supported Linux OS.
The documentation also notes that, to carry out a similar attack on other Linux distributions, the kernel module could be modified accordingly.
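The behaviour described above (a netfilter table registered under an unexpected name, carrying DNAT rules in PREROUTING) leaves two traces an administrator can check for. The following script is an added example written for this article, not code from the leaked documents or from WikiLeaks. It assumes that the extra table is registered like any other xt_table, so that its name appears in /proc/net/ip_tables_names and `iptables-save` dumps its rules; the table name `hidden_tbl_example`, the addresses and the rule text are constructed sample data, not values from the leak.

```python
"""Detection helper for unexpected netfilter tables and DNAT PREROUTING rules.

Added example: parses text in the format of /proc/net/ip_tables_names and
`iptables-save` and flags anything that does not belong to a stock kernel.
"""
import re

# Tables a stock IPv4 netfilter stack registers; anything else is worth a look.
KNOWN_TABLES = {"filter", "nat", "mangle", "raw", "security"}

# Matches an iptables-save rule line ending in a DNAT target.
DNAT_RULE = re.compile(
    r"^-A\s+(?P<chain>\S+)\s+(?P<match>.*?)-j\s+DNAT\s+--to-destination\s+(?P<dest>\S+)"
)

# Constructed sample of /proc/net/ip_tables_names (one table name per line).
TABLE_NAMES_SAMPLE = "filter\nnat\nmangle\nhidden_tbl_example\n"

# Constructed sample of `iptables-save` output: a legitimate DNAT in the nat
# table plus a second DNAT hidden in a non-standard table.
IPTABLES_SAVE_SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 10.0.0.5:80
COMMIT
*hidden_tbl_example
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 192.0.2.10:443
COMMIT
"""


def unknown_tables(table_names_text):
    """Return table names from /proc/net/ip_tables_names text that are not standard."""
    names = [ln.strip() for ln in table_names_text.splitlines() if ln.strip()]
    return [n for n in names if n not in KNOWN_TABLES]


def dnat_rules(iptables_save_text):
    """Parse iptables-save output into (table, chain, destination, rule) tuples for DNAT rules."""
    table = None
    found = []
    for raw in iptables_save_text.splitlines():
        line = raw.strip()
        if line.startswith("*"):          # "*nat" opens a table block
            table = line[1:]
        elif line == "COMMIT":            # closes the current table block
            table = None
        else:
            m = DNAT_RULE.match(line)
            if m:
                found.append((table, m.group("chain"), m.group("dest"), line))
    return found


def suspicious_dnat(iptables_save_text, known_tables=KNOWN_TABLES):
    """Flag DNAT rules in PREROUTING that live outside the standard tables."""
    return [r for r in dnat_rules(iptables_save_text)
            if r[1] == "PREROUTING" and r[0] not in known_tables]


def report(table_names_text, iptables_save_text):
    """Build a list of human-readable findings from both inputs."""
    findings = []
    for name in unknown_tables(table_names_text):
        findings.append("non-standard netfilter table registered: %s" % name)
    for table, chain, dest, rule in suspicious_dnat(iptables_save_text):
        findings.append("DNAT in %s/%s redirecting to %s: %s" % (table, chain, dest, rule))
    return findings


if __name__ == "__main__":
    # On a live host, replace the samples with the contents of
    # /proc/net/ip_tables_names and the output of `iptables-save`.
    for line in report(TABLE_NAMES_SAMPLE, IPTABLES_SAVE_SAMPLE):
        print(line)
```

Note that a table only shows up in the first check if the module registers it normally; the rule-level check is the more robust one because `iptables-save` walks every registered table rather than only the ones an operator would think to name.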
“The installation and persistence method of the malware is not described in detail in the document; an operator will have to rely on the available CIA exploits and backdoors to inject the kernel module into a target operating system. OutlawCountry v1.0 contains one kernel module for 64-bit CentOS/RHEL 6.x; this module will only work with default kernels.” – WikiLeaks.