WikiLeaks Exposes CIA Targeting Linux Users With OutlawCountry Network Traffic Re-Routing Tool
OutlawCountry starts out as a Linux kernel module (nf_table_6_64.ko) that gets loaded into the system and subsequently creates a new entry in the iptables firewall configuration. After the deed is done, the original kernel module is no longer needed, so it's deleted.
Excerpt from CIA's OutlawCountry guide
At this point, an attacker could run an iptables command to reroute all of the traffic through a designated CIA data mining server, allowing the agency to spy on user activities and communications. The biggest threat here isn't winding up with the attack on a home PC, but more so a web server that could have thousands or even millions of people routing through it.
What's not clear at this point, is how the CIA expected to infect computers with this malware. Access to the machine is required, so it seems another exploit would allow an attacker to get in and then elevate to a privileged account to execute the attack. Falling victim to this particular attack, given its implementation, would pose almost no risk being sent as an email attachment, unless it was packaged as a script and still somehow managed to be run with root access.
OutlawCountry is just one of the many CIA leaks that WikiLeaks has released out as part of its Vault 7 series of data dumps, which have had more than a dozen separate leaks since the first back in March of this year.