CIA has been using the tool since at least 2015

Jul 1, 2017 06:38 GMT  ·  By

After ELSA, which according to WikiLeaks is CIA’s Windows malware that can help determine the location of a specific user, here comes another dump revealing OutlawCountry, a different hacking tool used by the agency, but which is this time aimed at Linux devices.

A leaked user manual reveals that the CIA has been using OutlawCountry since at least June 2015. The tool was developed specifically to redirect network traffic to addresses of the agency's choosing, which in practice lets CIA operators monitor or divert what passes through a Linux server. OutlawCountry is not itself an exploit, though: before it can be deployed, the agency first needs shell access and root privileges on the target.

In other words, the CIA has to compromise a Linux system by some other means before deploying OutlawCountry. As in the Windows case, there is a good chance the agency already holds other exploits for vulnerabilities that have not been publicly disclosed.

Update, update, update

WikiLeaks says the first version of OutlawCountry ships a single kernel module for 64-bit CentOS/RHEL 6.x, works only with the distribution's default kernels, and supports only the addition of covert DNAT rules to the PREROUTING chain. That chain is consulted for packets arriving at the host, before the routing decision, so rules placed there rewrite the destination of traffic entering the box (including traffic it forwards on behalf of other machines), not packets the box itself originates.

“The malware consists of a kernel module that creates a hidden netfilter table on a Linux target; with knowledge of the table name, an operator can create rules that take precedence over existing netfilter/iptables rules and are concealed from a user or even system administrator,” WikiLeaks explains.

The user manual explains how the hacking tool works, while also revealing that the CIA can remove all traces of the malware once the attack is complete.

“The OutlawCountry tool consists of a kernel module for Linux 2.6. The operator loads the module via shell access to the target. When loaded, the module creates a new netfilter table with an obscure name. The new table allows certain rules to be created using the iptables command. These rules take precedence over existing rules, and are only visible to an administrator if the table name is known. When the operator removes the kernel module, the new table is also removed,” the manual reads.
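The mechanism described above relies on one fact about iptables: `iptables -L` shows only the filter table unless the operator names another one with `-t`, so an extra table with an obscure name goes unnoticed by an administrator who never asks for it. The kernel does, however, record every registered table in /proc/net/ip_tables_names. The script below is an added example written for this article, not code from the leaked manual or from WikiLeaks; it compares that list against the stock RHEL/CentOS 6 tables and dumps the rules of anything unexpected. The table name in the constructed sample and the assumption that no legitimate third-party module registers its own table are both mine.

```shell
#!/bin/sh
# Added example, not from the leaked manual or WikiLeaks: audit the netfilter
# tables the running kernel has registered against the stock set. iptables -L
# only shows the "filter" table unless you pass -t <name>, which is why a table
# with an obscure name can sit unnoticed; the kernel still lists every
# registered table in /proc/net/ip_tables_names, so a name that is not one of
# the stock tables is what to look for.

# Stock table names of a RHEL/CentOS 6 kernel. Assumption: no third-party
# module on the box registers its own table (extend the list if one does).
KNOWN_TABLES="filter nat mangle raw security"

# unexpected_tables: read table names, one per line, from stdin and print the
# ones not in KNOWN_TABLES, in input order. Empty lines are skipped.
unexpected_tables() {
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        case " $KNOWN_TABLES " in
            *" $name "*) ;;                 # stock table, nothing to report
            *) printf '%s\n' "$name" ;;     # not in the baseline
        esac
    done
}

# dump_table: print every rule of the named table in iptables-save syntax,
# so a covert DNAT rule in PREROUTING becomes visible. Needs root.
dump_table() {
    iptables -t "$1" -S 2>/dev/null
}

# audit_live: the check to run on a suspect RHEL/CentOS 6 box. Returns 1 when
# an unexpected table is present, 0 when only stock tables are registered.
audit_live() {
    if [ ! -r /proc/net/ip_tables_names ]; then
        echo "no /proc/net/ip_tables_names (ip_tables not loaded?)"
        return 1
    fi
    found=0
    for t in $(unexpected_tables < /proc/net/ip_tables_names); do
        found=1
        echo "unexpected netfilter table: $t"
        dump_table "$t"
    done
    # A loaded out-of-tree module also leaves marks here: a non-zero taint
    # value, and a module name in /proc/modules you cannot account for.
    echo "kernel taint: $(cat /proc/sys/kernel/tainted)"
    return $found
}

# Constructed sample (not a capture from a real system): the five stock
# tables plus one extra name of the kind a module might register.
SAMPLE_TABLES='filter
nat
mangle
raw
security
obscure_example'

if [ "${1:-}" = "--live" ]; then
    audit_live
else
    echo "sample audit (constructed input):"
    printf '%s\n' "$SAMPLE_TABLES" | unexpected_tables
fi
```

Run it as root with `--live` on the box under suspicion; without arguments it runs against the constructed sample and prints `obscure_example`. Treat a clean result as suggestive rather than conclusive: a kernel module that can register a hidden table can in principle also tamper with the /proc listing, and, as the manual itself notes, unloading the module removes the table along with the rules, so the evidence disappears with it.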

As with Windows, Linux users are advised to keep their systems up to date and to apply every available patch. Updates close the holes the agency would need to get a root shell in the first place; they do nothing against a module that has already been loaded with root privileges, so watching for unexpected kernel modules and netfilter tables is the complementary check.