{"id":94381,"date":"2017-06-26T12:00:12","date_gmt":"2017-06-26T11:00:12","guid":{"rendered":"https:\/\/www.transcend.org\/tms\/?p=94381"},"modified":"2017-06-22T12:50:21","modified_gmt":"2017-06-22T11:50:21","slug":"vault-7-brutal-kangaroo","status":"publish","type":"post","link":"https:\/\/www.transcend.org\/tms\/2017\/06\/vault-7-brutal-kangaroo\/","title":{"rendered":"Vault 7: Brutal Kangaroo"},"content":{"rendered":"

\"\"<\/a>Today, June 22nd 2017, WikiLeaks publishes documents from the Brutal Kangaroo<\/em> project of the CIA. Brutal Kangaroo<\/em> is a tool suite for Microsoft Windows that targets closed networks by air gap jumping using thumbdrives. Brutal Kangaroo<\/em> components create a custom covert network within the target closed network and providing functionality for executing surveys, directory listings, and arbitrary executables.<\/p>\n

The documents describe how a CIA operation can infiltrate a closed network (or a single air-gapped computer) within an organization or enterprise without direct access. It first infects an Internet-connected computer within the organization (referred to as “primary host”) and installs the BrutalKangaroo<\/em> malware on it. When a user is using the primary host and inserts a USB stick into it, the thumbdrive itself is infected with a separate malware. If this thumbdrive is used to copy data between the closed network and the LAN\/WAN, the user will sooner or later plug the USB disk into a computer on the closed network. By browsing the USB drive with Windows Explorer on such a protected computer, it also gets infected with exfiltration\/survey malware. If multiple computers on the closed network are under CIA control, they form a covert network to coordinate tasks and data exchange. Although not explicitly stated in the documents, this method of compromising closed networks is very similar to how Stuxnet<\/a> worked.<\/p>\n

The Brutal Kangaroo<\/em> project consists of the following components: Drifting Deadline<\/em> is the thumbdrive infection tool, Shattered Assurance<\/em> is a server tool that handles automated infection of thumbdrives (as the primary mode of propagation for the Brutal Kangaroo<\/em> suite), Broken Promise<\/em> is the Brutal Kangaroo<\/em> postprocessor (to evaluate collected information) and Shadow<\/em> is the primary persistence mechanism (a stage 2 tool that is distributed across a closed network and acts as a covert command-and-control network; once multiple Shadow<\/em> instances are installed and share drives, tasking and payloads can be sent back-and-forth).<\/p>\n

The primary execution vector used by infected thumbdrives is a vulnerability in the Microsoft Windows operating system that can be exploited by hand-crafted link files that load and execute programs (DLLs) without user interaction. Older versions of the tool suite used a mechanism called EZCheese<\/em> that was a 0-day exploit until March 2015<\/a>; newer versions seem use a similar, but yet unknown link file vulnerability (Lachesis<\/em>\/RiverJack<\/em>) related to the library-ms functionality of the operating system.\"\"<\/a><\/p>\n

Leaked Documents<\/h2>\n

Brutal Kangaroo — Drifting Deadline v1.2 – User Guide <\/a><\/p>\n

EzCheese v6.3 – User Guide <\/a><\/p>\n

EzCheese v6.2 – User Guide (Rev. B) <\/a><\/p>\n

EzCheese v6.2 – User Guide (Rev. A) <\/a><\/p>\n

EZCheese v6.2 – IVV TDR Slides <\/a><\/p>\n

_______________________________________________<\/p>\n

All Releases:<\/em><\/strong><\/p>\n

Vault 7: Cherry Blossom<\/a> \u2013 15 Jun 2017<\/em><\/p>\n

Vault 7: Pandemic<\/a> \u2013 1 Jun 2017<\/em><\/p>\n

Vault 7: Athena<\/a> \u2013 19 May 2017<\/em><\/p>\n

Vault 7: AfterMidnight & Assassin Frameworks<\/a> \u2013 12 May 2017<\/em><\/p>\n

Vault 7: Archimedes \u2013<\/a> 5 May 2017<\/em><\/p>\n

Vault 7: Scribbles Project<\/a> \u2013 28 Apr 2017<\/em><\/p>\n

Vault 7: Weeping Angel<\/a> \u2013 21 Apr 2017<\/em><\/p>\n

Vault 7: Hive Project<\/a> \u2013 14 Apr 2017<\/em><\/p>\n

Vault 7: Grasshopper Framework<\/a> \u2013 7 Apr 2017<\/em><\/p>\n

Vault 7: Marble Framework<\/a> \u2013 31 Mar 2017<\/em><\/p>\n

Vault 7: Project Dark Matter<\/a> \u2013 23 Mar 2017<\/em><\/p>\n

Vault 7: CIA Hacking Tools Revealed<\/a> \u2013 7 Mar 2017<\/em><\/p>\n

Go to Original \u2013 wikileaks.org<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Today, June 22nd 2017, WikiLeaks publishes documents from the Brutal Kangaroo project of the CIA. The documents describe how a CIA operation can infiltrate a closed network (or a single air-gapped computer) within an organization or enterprise without direct access.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[60],"tags":[],"class_list":["post-94381","post","type-post","status-publish","format-standard","hentry","category-whistleblowing-surveillance"],"_links":{"self":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/94381","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/comments?post=94381"}],"version-history":[{"count":0,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/94381\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/media?parent=94381"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/categories?post=94381"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/tags?post=94381"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}