A new malware believed to have been developed by the US Central Intelligence Agency (CIA) was spotted from “a collection of malware samples” studied since Feb. 2019.

Kaspersky, the cybersecurity firm that discovered the malware, said that it shared similarities with past CIA malware prompting them to track its activity and gave it the codename “Purple Lambert.”

CIA’s ‘Purple Lambert’ Spotted: What Can the Malware Do?

Kaspersky published an APT Trends report on Apr. 27, which details the cybersecurity firm’s observations on activities in Q1 2021.

According to the report, the malware that Kaspersky named the Purple Lambert contains a certain network module that passively listens to network traffic and searches for a “magic packet.”

The CIA’s newly discovered malware can provide the agency with basic information about the system it had infected and can execute a payload it had received.

Kaspersky believes that the malware was compiled and deployed as early as 2014, and may have been continuously deployed until 2015.

The malware’s functionality resembles that of a previous malware that was linked to a CIA document exposed in 2017.

Also Read: WikiLeaks Claims CIA Can Kill People By Hacking Cars: The Dangers Of Modern Auto Tech

Longhorn: CIA’s Cyber-Espionage Tool

After Wikileaks exposed the CIA’s cyber-hacking capabilities, Symantec published a blog on Apr. 2017 about the existence of Longhorn, the same malware Kaspersky called the Lambert family.

The report said that Longhorn uses a range of back door Trojans and zero-day vulnerabilities to infiltrate governments and internationally operating organizations, including natural resources, financial, telecoms, and energy sector.

Active since 2011, Longhorn was first detected by Symantec in 2014 after the malware used a zero-day exploit (CVE-2014-4148) attached to a Microsoft Office document intended to infect a CIA target.

The CVE-2014-4148 exploited Microsoft Windows TrueType Font (TTF) processing subsystem vulnerability to embed and deliver to the intended target.

Since TTFs are processed in kernel mode rather than an executable file, it gives the attacker unrestricted access to the infected system.

This is what made experts believe that Longhorn can spy on organizations or individuals from any internet-connected device.

Symantec has also found evidence that Longhorn had successfully infected 40 targets across 16 countries across Asia, Europe, Africa, and the Middle East.

CIA’s Longhorn’s Alleged Recent Cyberhacking Activity

Kaspersky reported having identified a malicious library in Mar. 2018 while analyzing another incident involving a suspected keylogger.

The malicious loader, which the Kaspersky named “Slingshot,” can interact with a virtual file system and replaces the infected’s legitimate Windows library ‘scesrv.dll’ with a malicious one, giving the attacker SYSTEM privileges.

Kaspersky Lab European Strategic Session 2018

(Photo : Andreas Rentz/Getty Images)
Eugene Kaspersky, Chief Executive Officer, speaks at the Kaspersky Lab European Strategic Session on March 19, 2018 in Budapest, Hungary.

Fast-forward on Mar. 2020, a Chinese cybersecurity firm Qihoo 360 revealed that it had caught cyberattacks perpetrated by the CIA hacking group that lasted for eleven years.

The report claims that the CIA targeted several industry sectors including the petroleum industry, scientific research institutions, aviation organizations, and government agencies.

Qihoo 360 said that the malware discovered could be traced to the same malware tool WikiLeaks exposed in 2017.

Related Article: WikiLeaks Exposes CIA Tools Targeting MacBooks And iPhones: Here’s What They Do

This article is owned by Tech Times

Written by Leigh Mercer

ⓒ 2021 TECHTIMES.com All rights reserved. Do not reproduce without permission.



Leave A Reply