One of the tools used by the U.S. Central Intelligence Agency (CIA) to target Linux systems is named OutlawCountry, according to documents published by WikiLeaks.
OutlawCountry is described by its developers as a tool that uses a kernel module to create a hidden netfilter table on the targeted Linux system. The operator can then use this table to create new firewall rules with iptables commands and these rules will take precedence over existing ones. The rules can be used to redirect traffic from the infected machine to one controlled by the attacker.
OutlawCountry documentation dated June 2015 states that the tool’s user needs to have shell access and root privileges to the targeted machine. As for hiding on the infected system, the new rules created by the malware are only visible to an administrator who knows the name of the table, and the table is removed if the kernel module is deleted by the operator.
Since the documentation specifically names CentOS and Red Hat Enterprise Linux as the operating systems on which the tool works, Red Hat has published an advisory for users who may be concerned about the impact of OutlawCountry.
The organization is still analyzing the available information, and in the meantime it has advised users to look for the existence of a file named nf_table_6_64.ko and the presence of a hidden table called dpxvke8h18 in the iptable rules. Users can check for the presence of the kernel module with the following lsmod command: lsmod | grep nf_table.
Last month, WikiLeaks published documents detailing tools allegedly used by the CIA to spread malware on a targeted organization’s network (Pandemic), locate users via Wi-Fi (Elsa), hack routers and access points (Cherry Blossom), and hack air-gapped networks using USB drives (Brutal Kangaroo).
WikiLeaks has also detailed tools designed for replacing legitimate files with malware, hacking Samsung smart TVs and routers, MitM tools, a framework used to make malware attribution and analysis more difficult, and a platform for creating custom malware installers.
Security firms have found links between the tools exposed by Wikileaks and the malware used by a cyber espionage group tracked as “Longhorn” and “The Lamberts.”