A new strain of malware believed to have been developed by the US Central Intelligence Agency (CIA) was spotted in "a collection of malware samples" studied since February 2019.
Kaspersky, the cybersecurity firm that discovered the malware, said that it shared similarities with past CIA malware, prompting the firm to track its activity and give it the codename "Purple Lambert."
CIA's 'Purple Lambert' Spotted: What Can the Malware Do?
Kaspersky published an APT Trends report on Apr. 27, which details the cybersecurity firm's observations on activities in Q1 2021.
According to the report, the malware that Kaspersky named Purple Lambert contains a network module that passively listens to network traffic and searches for a "magic packet."
The newly discovered malware can provide the agency with basic information about the infected system and can execute a payload it receives.
Kaspersky believes that the malware was compiled and deployed as early as 2014, and may have remained in use through 2015.
The malware's functionality resembles that of an earlier malware family that was linked to a CIA document exposed in 2017.
Longhorn: CIA's Cyber-Espionage Tool
After WikiLeaks exposed the CIA's cyber-hacking capabilities, Symantec published a blog post in Apr. 2017 on the existence of Longhorn, the same malware Kaspersky calls the Lambert family.
The report said that Longhorn uses a range of backdoor Trojans and zero-day vulnerabilities to infiltrate governments and internationally operating organizations, including those in the natural resources, financial, telecommunications, and energy sectors.
Active since 2011, Longhorn was first detected by Symantec in 2014 after the malware used a zero-day exploit (CVE-2014-4148) attached to a Microsoft Office document intended to infect a CIA target.
CVE-2014-4148 is a vulnerability in the Microsoft Windows TrueType Font (TTF) processing subsystem; the exploit was embedded in the document and delivered to the intended target.
Because TTF fonts are processed in kernel mode rather than in a user-mode executable, a successful exploit gives the attacker unrestricted access to the infected system.
This is what led experts to believe that Longhorn can spy on organizations or individuals from any internet-connected device.
Symantec has also found evidence that Longhorn successfully infected 40 targets in 16 countries across Asia, Europe, Africa, and the Middle East.
The CIA's Longhorn: Alleged Recent Cyberhacking Activity
Kaspersky reported having identified a malicious library in Mar. 2018 while analyzing another incident involving a suspected keylogger.
The malicious loader, which Kaspersky named "Slingshot," can interact with a virtual file system and replaces the infected machine's legitimate Windows library 'scesrv.dll' with a malicious one, giving the attacker SYSTEM privileges.
Fast-forward to Mar. 2020: the Chinese cybersecurity firm Qihoo 360 revealed that it had caught cyberattacks, perpetrated by the CIA hacking group, that lasted for eleven years.
The report claims that the CIA targeted several industry sectors including the petroleum industry, scientific research institutions, aviation organizations, and government agencies.
Qihoo 360 said that the malware discovered could be traced to the same malware tool WikiLeaks exposed in 2017.
This article is owned by Tech Times
Written by Leigh Mercer