
Security firm Kaspersky believes it found new CIA malware

Cybersecurity firm Kaspersky said today it discovered new malware that appears to have been developed by the US Central Intelligence Agency.

Kaspersky said it discovered the malware in "a collection of malware samples" that its analysts and other security firms received in February 2019.

While an initial analysis did not find any shared code with any previously-known malware samples, Kaspersky has recently re-analyzed the files and said it found that "the samples have intersections of coding patterns, style and techniques that have been seen in various Lambert families."

Lamberts is the internal codename that Kaspersky uses to track CIA hacking operations.

Four years ago, after WikiLeaks exposed the CIA hacking capabilities to the public in a series of leaks known as Vault7, US security firm Symantec publicly linked the Vault7 hacking tools to the CIA and the Longhorn APT (another industry name for Lamberts).

Due to the shared similarities between these newly discovered samples and past CIA malware, Kaspersky said it is now tracking this new malware cluster as Purple Lambert.

Based on Purple Lambert metadata, the malware samples appear to have been compiled seven years ago, in 2014.

Kaspersky said that while it has not seen any of these samples in the wild, it believes Purple Lambert samples "were likely deployed in 2014 and possibly as late as 2015."

As for what this malware does, Kaspersky's description of Purple Lambert appears to suggest the malware acted as a backdoor trojan that listened to network traffic for specific packets that would activate it on infected hosts. Kaspersky's full description is below, from its quarterly APT report released today:

Purple Lambert is composed of several modules, with its network module passively listening for a magic packet. It is capable of providing an attacker with basic information about the infected system and executing a received payload. Its functionality reminds us of Gray Lambert, another user-mode passive listener. Gray Lambert turned out to be a replacement of the kernel-mode passive-listener White Lambert implant in multiple incidents. In addition, Purple Lambert implements functionality similar to, but in different ways, both Gray Lambert and White Lambert.

With the exception of the Shadow Brokers and Vault7 leaks, news about US cyber-espionage operations and hacking tools is extremely rare in the cyber-security field.

Since the Vault7 leak, there have been only three reports about US-made malware and hacking operations.

The first was Kaspersky's March 2018 Slingshot report that exposed a US Cyber Command intelligence-gathering operation aimed at ISIS militants in the Middle East.

The second was a November 2019 ESET report that exposed DePriMon, another CIA/Lamberts-linked malware strain.

The third was a March 2020 report from Chinese security firm Qihoo 360 that exposed an 11-year-long CIA hacking operation aimed at China's civil aviation sector.


Catalin Cimpanu is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.