WikiLeaks CIA Vault 7: Brutal Kangaroo

24/06/2017, in Technology

WikiLeaks publishes documents from the Brutal Kangaroo project of the CIA. Brutal Kangaroo is a tool suite for Microsoft Windows that targets closed networks by air-gap jumping using thumbdrives. Brutal Kangaroo components create a custom covert network within the target closed network and provide functionality for executing surveys, directory listings, and arbitrary executables.

The documents describe how a CIA operation can infiltrate a closed network (or a single air-gapped computer) within an organization or enterprise without direct access. It first infects an Internet-connected computer within the organization (referred to as the "primary host") and installs the Brutal Kangaroo malware on it. When a user of the primary host inserts a USB stick into it, the thumbdrive itself is infected with a separate piece of malware. If this thumbdrive is used to copy data between the closed network and the LAN/WAN, the user will sooner or later plug the USB stick into a computer on the closed network. Merely browsing the USB drive with Windows Explorer on such a protected computer infects it with exfiltration/survey malware; no file has to be opened or run by the user. If multiple computers on the closed network are under CIA control, they form a covert network to coordinate tasks and data exchange. Although not explicitly stated in the documents, this method of compromising closed networks is very similar to how Stuxnet worked.

The Brutal Kangaroo project consists of the following components. Drifting Deadline is the thumbdrive infection tool. Shattered Assurance is a server tool that handles automated infection of thumbdrives, which is the primary mode of propagation for the Brutal Kangaroo suite. Broken Promise is the Brutal Kangaroo post-processor, used to evaluate the collected information. Shadow is the primary persistence mechanism: a stage-2 tool that is distributed across a closed network and acts as a covert command-and-control network; once multiple Shadow instances are installed and share drives, tasking and payloads can be sent back and forth between them.

The primary execution vector used by infected thumbdrives is a vulnerability in the Microsoft Windows operating system that can be exploited with hand-crafted link (.lnk) files: when Explorer renders such a file it loads and executes a program (a DLL) without any user interaction beyond browsing the folder. Older versions of the tool suite used a mechanism called EZCheese, which was a 0-day exploit until March 2015; newer versions appear to use a similar but still unknown link-file vulnerability (Lachesis/RiverJack) related to the operating system's library-ms (Windows Library description file) functionality. A host patched against EZCheese is therefore not necessarily protected against the newer variant, and the defensive check is the same in both cases: look for link and library files on removable media that reference code the drive itself carries.
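The script below is an added example of the defender's side of this mechanism; it is not code from the leaked documents, from WikiLeaks, or from the CIA tool suite. It parses the on-disk Shell Link (.lnk) structure and the XML of a .library-ms file and flags links whose target or icon path would make Explorer load a DLL/CPL from the removable volume itself, or whose locations point at a UNC share. The field layout follows Microsoft's published MS-SHLLINK format; the "suspicious path" heuristic, the list of trusted system prefixes, the drive letters, the share address and the sample files are all assumptions constructed for this example, and parsing of the ItemIDList (the part abused by the Stuxnet-era link exploit) is deliberately skipped.

```python
# Added triage example (not code from the leaked documents or the CIA tool suite).
# The .lnk layout follows the public MS-SHLLINK format; the "suspicious" heuristics
# and every sample path below are assumptions made here for illustration.
import struct
import xml.etree.ElementTree as ET

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_IDLIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
LIBRARY_NS = "{http://schemas.microsoft.com/windows/2009/library}"
# Locations a shortcut legitimately loads icons/targets from (assumption used by the heuristic).
SYSTEM_PREFIXES = ("%systemroot%", "%windir%", "c:\\windows\\", "c:\\program files")


def _cstr(data: bytes, off: int) -> str:
    """NUL-terminated ANSI string at `off`."""
    return data[off:data.index(b"\x00", off)].decode("cp1252")


def parse_lnk(data: bytes) -> dict:
    """Pull target, relative path, arguments and icon location out of a Shell Link file."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    info = dict(target=None, name=None, relative_path=None, working_dir=None,
                arguments=None, icon=None, network_link=False)
    pos = 0x4C                                    # end of the fixed-size ShellLinkHeader
    if flags & HAS_LINK_TARGET_IDLIST:            # skip the ItemIDList (uint16 size, then PIDL bytes)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                     # LinkInfo: all offsets relative to its own start
        base = pos
        li_size, _hdr, li_flags, _vol, local_off, _net, suffix_off = struct.unpack_from("<7I", data, base)
        info["network_link"] = bool(li_flags & 0x2)   # CommonNetworkRelativeLinkAndPathSuffix
        if li_flags & 0x1:                            # VolumeIDAndLocalBasePath
            info["target"] = _cstr(data, base + local_off) + _cstr(data, base + suffix_off)
        pos = base + li_size
    unicode = bool(flags & IS_UNICODE)            # StringData items: uint16 char count, no terminator
    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon")):
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            raw = data[pos:pos + (count * 2 if unicode else count)]
            info[key] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252")
            pos += len(raw)
    return info


def is_suspicious_path(path) -> bool:
    """Heuristic: a UNC path, or a DLL/CPL that lives outside the Windows install (e.g. on the stick)."""
    if not path:
        return False
    p = path.strip().lower()
    return p.startswith("\\\\") or (p.endswith((".dll", ".cpl")) and not p.startswith(SYSTEM_PREFIXES))


def triage_lnk(data: bytes) -> list:
    info = parse_lnk(data)
    hits = [f"{k} references {info[k]!r}" for k in ("target", "relative_path", "icon") if is_suspicious_path(info[k])]
    if info["network_link"]:
        hits.append("LinkInfo carries a network relative link")
    return hits


def library_ms_locations(xml_text: str) -> list:
    """Every <url> a Library Description (.library-ms) file asks Explorer to enumerate."""
    return [u.text.strip() for u in ET.fromstring(xml_text).iter(LIBRARY_NS + "url") if u.text]


def triage_library_ms(xml_text: str) -> list:
    return [f"library location {u!r}" for u in library_ms_locations(xml_text) if is_suspicious_path(u)]


def build_lnk(local_base_path: str, icon_location: str = None) -> bytes:
    """Construct a minimal .lnk (header + LinkInfo + optional IconLocation) for the samples below."""
    volume_id = struct.pack("<IIII", 0x11, 2, 0x12345678, 0x10) + b"\x00"    # DRIVE_REMOVABLE, empty label
    local, suffix = local_base_path.encode("cp1252") + b"\x00", b"\x00"
    vol_off = 0x1C                                 # LinkInfoHeaderSize without the optional Unicode offsets
    local_off = vol_off + len(volume_id)
    suffix_off = local_off + len(local)
    li_size = suffix_off + len(suffix)
    link_info = struct.pack("<7I", li_size, 0x1C, 0x1, vol_off, local_off, 0, suffix_off) + volume_id + local + suffix
    flags, string_data = HAS_LINK_INFO | IS_UNICODE, b""
    if icon_location:
        flags |= HAS_ICON_LOCATION
        string_data = struct.pack("<H", len(icon_location)) + icon_location.encode("utf-16-le")
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<IIqqqIiIHHII", flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + link_info + string_data + struct.pack("<I", 0)            # terminal ExtraData block


# Constructed samples (hypothetical paths): a normal shortcut, a link whose target and icon are a DLL
# on the stick itself, and a library file that points Explorer at a UNC share.
SAMPLE_BENIGN = build_lnk(r"C:\Program Files\Notepad++\notepad++.exe", r"%SystemRoot%\system32\shell32.dll")
SAMPLE_SUSPECT = build_lnk(r"E:\boot\setup.dll", r"E:\boot\setup.dll")
SAMPLE_LIBRARY = r"""<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList><searchConnectorDescription>
    <simpleLocation><url>\\10.0.0.5\share\x</url></simpleLocation>
  </searchConnectorDescription></searchConnectorDescriptionList>
</libraryDescription>"""

if __name__ == "__main__":
    print("benign :", triage_lnk(SAMPLE_BENIGN))
    print("suspect:", triage_lnk(SAMPLE_SUSPECT))
    print("library:", triage_library_ms(SAMPLE_LIBRARY))
```

Run over the files of a mounted stick (os.walk, feeding each .lnk to triage_lnk and each .library-ms to triage_library_ms), this gives a first cut at the thumbdrive-triage step. It is a heuristic: it recognises the shape of a link that pulls code from the drive or from the network, not the still-unknown Lachesis/RiverJack bug itself, and it will stay quiet on a link that hides its DLL reference inside the skipped ItemIDList.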

Leaked Documents

Brutal Kangaroo — Drifting Deadline v1.2 – User Guide

EzCheese v6.3 – User Guide

EzCheese v6.2 – User Guide (Rev. B)

EzCheese v6.2 – User Guide (Rev. A)

EZCheese v6.2 – IVV TDR Slide

Editor’s Note:

We humbly seek your support and ask for your generosity in helping us to continue to report to you on news and information you’ll not be getting with the lamestream propaganda media. All our authors have a passion for getting their information out to the general public.

SHARE: To get the word out, please copy the article URL to post and comment on your social media platforms. Citizen journalists like myself are under assault by the federal government, for they passed an anti-Free Speech and Censorship law in the NDAA bill that was signed into law in the dead of night on Christmas Eve, 2016 by Islam Emperor Obama. Free Speech is under attack and the NDAA has legalized censorship by Google, Facebook, Twitter, YouTube, Vimeo and most internet platforms because all are globalists and leftists. The establishment republicans are just as dangerous as the democrats, for both are Tyrants! Nearly all internet hosts suppress and censor articles and videos that do not toe the leftist, globalist and totalitarian line.

COMMENTS: I disabled comments on my articles because the spam was obscene. Each article I wrote was getting around 500 spam comments daily. We have anti-spam software, but these spammers spend tons of money to bypass it. I guess the Google algorithm does not suppress or censor spam attacks, it only prevents them from being seen in keyword searches. This site and my articles are SEO optimized, but to no avail when trying to out-maneuver the spammers and censor algorithms.

DONATIONS:  I am not salaried or compensated for writing and I am fine with that for my passion is distribution of information. I am a Patriot and NewsHawk Network is also. They are a new media site that started in 2017 and I am honored to write for them. They have no income and we row the same boat Passion together. If you like my writing please contribute by going to DONATE. NHN has an income sharing program that is proportionately distributed to authors based upon their overall contribution. Please give as you are able. I have provided a PayPal link below.

REWARDS PROGRAM: We have a rewards program set up to reward all who wish to help us financially. Please visit us at Patreon.com/NHN for details.

