The Brutal Kangaroo tool suite allows attackers to infect closed networks and air-gapped computers via a flash drive that was previously infected by a compromised Internet-connected device.
The Brutal Kangaroo tool suite allows attackers to infect closed networks and air-gapped computers via a flash drive that was previously infected by a compromised Internet-connected device.

WikiLeaks on Thursday dumped more leaked CIA documents with its latest Vault 7 disclosures, this time publishing materials from a tool suite called Brutal Kangaroo that allows attackers to indirectly infiltrate a closed network or air-gapped computer using a compromised flash drive.

The documents, dated between August 2012 and February 2016, reveal how CIA hackers would use the toolset to create a "custom covert network" within infected networks in order to conduct surveillance and launch executables.

A Brutal Kangaroo infection requires several steps: First, attackers have to infect an Internet-connected computer operated by the target organization. When a user at that organization inserts a thumb drive into the infected machine, the USB stick becomes infected as well. Finally, this compromised flash drive infects the ultimate target when it is used on a closed network or air-gapped machine.

According to WikiLeaks, infected thumb drives use one of two Microsoft Windows vulnerabilities to execute malware: Older versions of Brutal Kangaroo leverage an exploit called EzCheese, while newer iterations use a "similar, but yet known vulnerability." The tool suite's components consist of various components including Drifting Deadline, a thumbdrive infection tool; Shattered Assurance, a server tool responsible for automated infection of USB drives), Broken Promise, a post processor that evaluates collected information; and Shadow, the main persistence mechanism.