Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//NOFORN
1. (U) Scope
(U) This document establishes the User Guide for Drifting Deadline v1.2.
1.1 (U) System Overview and Description of Brutal Kangaroo tool suite
(S) Brutal Kangaroo is a tool suite for targeting closed networks by air gap jumping using
thumbdrives. Brutal Kangaroo components create a custom covert network within the
target closed network and provide functionality for executing surveys, directory
listings, and arbitrary executables.
(S) The Brutal Kangaroo project consists of the following components:
• Drifting Deadline: A thumbdrive infection tool.
• Shattered Assurance: A server tool that handles automated infection of
thumbdrives and the primary mode of propagation for the Brutal Kangaroo suite.
Shattered Assurance utilizes Drifting Deadline for the individual infection of
thumbdrives.
• Broken Promise: The Brutal Kangaroo postprocessor.
• Shadow: The primary persistence mechanism. Shadow is a stage 2 tool that is
distributed across a closed network and acts as a covert command-and-control
network.
(S) The creation of Brutal Kangaroo deprecates the following IOC tools:
• EZCheese (Replaced by Drifting Deadline)
• Emotional Simian (Replaced by Drifting Deadline AND Shattered Assurance)
1.2 (U) Assumptions and Constraints
(S) Drifting Deadline requires the operator to be in possession of the USB drive in order
to configure it.
(S) Drifting Deadline configuration requires .NET 4.5 on the computer that does the
configuration.
(S) The majority of user guidance is provided by the configuration tool itself. This user
guide is focused more on the back end of the program.
1.3 (U) Terms
(S) Infection: The installation of a configured Drifting Deadline onto a specific
thumbdrive.