
Brutal Kangaroo

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Summary

Leaked documents have detailed a malicious software codenamed ‘Brutal Kangaroo’ which can be used to infect targets' air-gapped computers with malware.

Affected platforms

The following platforms are known to be affected:

Threat details

The exploit code has not been released publicly. However, if successfully deployed, it could lead to a high-impact compromise. While the tool is used primarily by nation-state actors for covert data collection against users, it could also be used by a malicious insider to collect files covertly.

Nine days prior to the release of the new Vault 7 dump, Microsoft patched CVE-2017-8464, described as a remote code execution vulnerability exploited through LNK (shortcut) files. In the patch notice, Microsoft mentioned that the exploit could be deployed on removable drives to infect hosts.

Brutal Kangaroo was designed to infiltrate a closed network or air-gapped computers within an organisation without requiring any direct access and is the kind of cyber-weapon that may well have been used to spread the Stuxnet virus.

The software consists of four specific applications. The server-side code, called Shattered Assurance, forms the basis of the attack system and infects USB drives plugged into an infected computer with malware known as Drifting Deadline. Once an infected drive is plugged into a target computer which is set up to auto-run its contents and is running .NET 4.5, Drifting Deadline deploys the Shadow malware onto the system. The targeted device must also be running Windows 7 as its operating system.

Shadow can be used to set up covert channels which can be used to send files back and forth. It can also be configured to collect certain files based on filename patterns and modified times. USB drives can be configured to be converted into Shadow drives, which allocate 10 percent of a USB drive partition for moving files. Infected systems can receive packet broadcasts with instructions and collected files can be assembled for post-processing. If pieces are missing, the tool will label chunks as missing; these missing pieces of data can be collected and reassembled later.

The final application in Brutal Kangaroo is Broken Promise, which is a tool used to examine the data easily and quickly.


Remediation steps

  • Apply patches as soon as possible once they have been made available by the vendor.
  • Ensure strict policies are put in place for the use of removable media within air-gapped networks.
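The two preconditions the alert names for drive-borne infection are Autorun of removable-drive contents and unrestricted use of removable media. The following PowerShell script is an added example, not part of the NHS Digital alert or the leaked tooling: it audits the standard Explorer and Group Policy registry values that control those preconditions on a Windows 7 host, optionally sets them (the `-Apply` switch is this script's own convention), and lists any shortcut files sitting in the root of attached removable drives. Because LNK exploits can also trigger when a drive is merely browsed in Explorer, the device-level `Deny_All` policy, rather than Autorun settings alone, is what enforces the "strict policies for removable media" step above.

```powershell
# Added example (not from the NHS Digital alert). Run from an elevated prompt.
# Audits, and with -Apply hardens, the Windows settings behind the two
# remediation steps above: Autorun of drive contents and removable-media use.
param([switch]$Apply)

$ExplorerPol  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$RemovablePol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# Desired hardened state for each policy value (standard GPO-backed registry values).
$Desired = @(
    # 0xFF: turn off Autorun/AutoPlay for every drive type.
    @{ Key = $ExplorerPol;  Name = 'NoDriveTypeAutoRun'; Value = 0xFF },
    # 1: ignore autorun.inf commands entirely.
    @{ Key = $ExplorerPol;  Name = 'NoAutorun';          Value = 1 },
    # 1: "All Removable Storage classes: Deny all access" (strict air-gap setting).
    @{ Key = $RemovablePol; Name = 'Deny_All';           Value = 1 }
)

foreach ($s in $Desired) {
    $current = $null
    if (Test-Path $s.Key) {
        $current = (Get-ItemProperty -Path $s.Key -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
    }
    $ok = ($null -ne $current) -and ($current -eq $s.Value)
    $status = if ($ok) { 'OK' } else { 'WEAK' }
    $shown  = if ($null -eq $current) { 'unset' } else { $current }
    '{0,-5} {1}\{2} = {3} (want {4})' -f $status, $s.Key, $s.Name, $shown, $s.Value

    # Remediate only when asked to, creating the policy key if it does not exist.
    if (-not $ok -and $Apply) {
        if (-not (Test-Path $s.Key)) { New-Item -Path $s.Key -Force | Out-Null }
        New-ItemProperty -Path $s.Key -Name $s.Name -Value $s.Value -PropertyType DWord -Force | Out-Null
    }
}

# Detection side: DriveType 2 is removable media. A drive-borne LNK lure would sit
# in the drive root, so report any shortcut files found there for investigation.
Get-WmiObject Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    $root = $_.DeviceID + '\'
    $lnk  = @(Get-ChildItem -Path $root -Filter '*.lnk' -Force -ErrorAction SilentlyContinue)
    if ($lnk.Count -gt 0) {
        'Removable drive {0} contains {1} shortcut file(s): {2}' -f $root, $lnk.Count, ($lnk.Name -join ', ')
    }
}
```

Changes to the policy values take effect for Explorer after the user signs in again or the policy engine refreshes; run the script first without `-Apply` to review the current state.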


CVE Vulnerabilities

Last edited: 17 February 2020 11:27 am