Outlaw Country: Used to Manipulate Network Packets Concealed in Linux

While virtually everything WikiLeaks has uncovered from the CIA so far has concerned malware for Windows computers, Outlaw Country is especially noteworthy as the first tool explicitly intended for Linux, which, as we all know, is much safer than other operating systems and patches its vulnerabilities much faster. Linux is widely used on servers, so it is a priority target for the CIA, which seeks to infiltrate other networks by any means in order to carry out espionage, as we have seen with other tools such as Brutal Kangaroo or Pandemic.

Outlaw Country lets an operator redirect all outgoing traffic from a target computer to CIA-controlled machines, either to steal files from the infected computer or to send files to it. The malware consists of a kernel module that creates invisible Netfilter tables on the target Linux computer so that network packets can be manipulated. Knowing the name of the hidden table, an operator can create rules there that take precedence over the rules in the existing tables, and the hidden table cannot be seen by a normal user or even by the system administrator.

The installation and persistence mechanism of the malware is not described in much detail in the documents WikiLeaks had access to. To use this malware, a CIA operator must first rely on other exploits or backdoors to load the kernel module into the target operating system.

Outlaw Country version 1.0 contains a module for the 64-bit CentOS/RHEL 6.x kernel. The first release of that branch was published in 2011 and the last in 2013, and the branch remained current until summer 2014, when version 7 arrived. The module only works with the default kernel, and version 1.0 of the malware only supports DNAT (Destination NAT) through the PREROUTING chain. The version of the document that WikiLeaks has revealed is dated June 4, 2015.
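Because the described mechanism is a table the kernel knows about but the usual tooling does not show, plus DNAT rules in PREROUTING, a defender can look for both symptoms directly. The script below is an added example written for this article, not code from the leaked documents or from any project: it compares the table names the kernel exposes in /proc/net/ip_tables_names against the standard set, and scans iptables-save output for PREROUTING DNAT rules whose destination is not on an allow-list. The table name "hiddentbl", the allow-listed address 10.0.0.5 and the sample rules are constructed placeholders.

```python
"""Look for signs of a hidden Netfilter table or unexpected PREROUTING DNAT
rules on a Linux host. Added example; all sample data below is constructed."""
import re
import subprocess
from pathlib import Path

# Tables a stock IPv4 iptables install registers with the kernel.
KNOWN_TABLES = {"filter", "nat", "mangle", "raw", "security"}

# Destinations your own DNAT rules legitimately point at (assumption: adapt per host).
EXPECTED_DNAT_TARGETS = {"10.0.0.5"}

# Constructed sample of /proc/net/ip_tables_names; "hiddentbl" is a placeholder name.
SAMPLE_NAMES = "nat\nfilter\nmangle\nhiddentbl\n"

# Constructed sample of iptables-save output: one legitimate port forward in the
# nat table and one DNAT rule in an unknown table sending traffic elsewhere.
SAMPLE_SAVE = """*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.0.0.5:8080
COMMIT
*hiddentbl
:PREROUTING ACCEPT [0:0]
-A PREROUTING -j DNAT --to-destination 198.51.100.7
COMMIT
"""


def unexpected_tables(names_text: str) -> set:
    """Return table names the kernel lists that are not part of a stock install."""
    names = {line.strip() for line in names_text.splitlines() if line.strip()}
    return names - KNOWN_TABLES


# A PREROUTING rule that jumps to DNAT; capture the --to-destination argument.
_DNAT_RE = re.compile(r"^-A PREROUTING\b.*-j DNAT\b.*--to-destination\s+(\S+)")


def suspicious_dnat_rules(save_text: str, expected=EXPECTED_DNAT_TARGETS) -> list:
    """Return (table, rule_line) pairs for PREROUTING DNAT rules whose
    destination address is not in the expected set."""
    found = []
    table = None
    for line in save_text.splitlines():
        if line.startswith("*"):          # "*nat" starts a new table section
            table = line[1:].strip()
            continue
        m = _DNAT_RE.match(line)
        if m:
            dest_ip = m.group(1).split(":")[0]   # drop an optional ":port"
            if dest_ip not in expected:
                found.append((table, line))
    return found


def audit_live_host() -> dict:
    """Collect the same two views from a running host (needs root and iptables)."""
    names = Path("/proc/net/ip_tables_names").read_text()
    save = subprocess.run(["iptables-save"], capture_output=True,
                          text=True, check=False).stdout
    return {"unknown_tables": unexpected_tables(names),
            "dnat": suspicious_dnat_rules(save)}


if __name__ == "__main__":
    print("unknown tables:", unexpected_tables(SAMPLE_NAMES))
    for table, rule in suspicious_dnat_rules(SAMPLE_SAVE):
        print(f"suspicious DNAT in table {table}: {rule}")
```

One caveat worth keeping in mind: a kernel module that registers a table can also filter what /proc reports, so a clean result from a live host is not proof of absence. Cross-check from outside the suspect kernel, for example by inspecting the disk from rescue media for unexpected modules, and compare the loaded-module list against the packages the distribution actually installed.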
The same document also lists as a requirement the older CentOS 6.x series with kernel version 2.6.32 (from 2011) or earlier. It is not known whether a more up-to-date version of the tool existed for newer releases. So, what do you think about this? Simply share your views and thoughts in the comment section below.