Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

‘OutlawCountry’ Tool Used by CIA to Target Linux Systems

One of the tools used by the U.S. Central Intelligence Agency (CIA) to target Linux systems is named OutlawCountry, according to documents published by WikiLeaks.

One of the tools used by the U.S. Central Intelligence Agency (CIA) to target Linux systems is named OutlawCountry, according to documents published by WikiLeaks.

OutlawCountry is described by its developers as a tool that uses a kernel module to create a hidden netfilter table on the targeted Linux system. The operator can then use this table to create new firewall rules with iptables commands and these rules will take precedence over existing ones. The rules can be used to redirect traffic from the infected machine to one controlled by the attacker.

OutlawCountry documentation dated June 2015 states that the tool’s user needs to have shell access and root privileges to the targeted machine. As for hiding on the infected system, the new rules created by the malware are only visible to an administrator who knows the name of the table, and the table is removed if the kernel module is deleted by the operator.

Since the documentation specifically names CentOS and Red Hat Enterprise Linux as the operating systems on which the tool works, Red Hat has published an advisory for users who may be concerned about the impact of OutlawCountry.

The organization is still analyzing the available information, and in the meantime it has advised users to look for the existence of a file named nf_table_6_64.ko and the presence of a hidden table called dpxvke8h18 in the iptable rules. Users can check for the presence of the kernel module with the following lsmod command: lsmod | grep nf_table.

Last month, WikiLeaks published documents detailing tools allegedly used by the CIA to spread malware on a targeted organization’s network (Pandemic), locate users via Wi-Fi (Elsa), hack routers and access points (Cherry Blossom), and hack air-gapped networks using USB drives (Brutal Kangaroo).

Advertisement. Scroll to continue reading.

WikiLeaks has also detailed tools designed for replacing legitimate files with malware, hacking Samsung smart TVs and routers, MitM tools, a framework used to make malware attribution and analysis more difficult, and a platform for creating custom malware installers.

Security firms have found links between the tools exposed by Wikileaks and the malware used by a cyber espionage group tracked as “Longhorn” and “The Lamberts.”

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

BlueVoyant has appointed Ravi Subramanian as CFO and Jamie Coleman as CCO.

Solana Foundation has appointed Michael Coates as Chief Information Security Officer.

Michael Sikorski has joined Coinbase as Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.