Security firm and anti-virus provider Kaspersky recently disclosed its findings on a new malware cluster, called Purple Lambert, that was apparently developed by the U.S. Central Intelligence Agency (CIA).
Kaspersky’s Purple Lambert investigation:
According to Kaspersky, the malware was first detected in 2019 in what the firm describes as “a collection of malware samples” that its analysts and other security firms had received.
Although a preliminary investigation found no notable shared code with previously known malware samples, a fresh analysis revealed that the samples share coding patterns, style, and techniques seen in various Lambert families (Lambert is Kaspersky’s internal codename for CIA hacking operations).
In 2017, WikiLeaks exposed the CIA’s hacking capabilities in a series of leaks known as Vault7; US security firm Symantec then publicly linked the Vault7 hacking tools to the CIA and to the Longhorn APT, another industry name for the Lamberts.
WikiLeaks is an international non-profit organization that is known for publishing news leaks and classified media provided by anonymous sources.
Abilities and parallels with Gray, White Lambert:
Kaspersky’s investigation found distinct parallels between the newly analyzed samples and the earlier CIA malware, and the security firm is therefore tracking the new cluster as Purple Lambert.
Purple Lambert is built from several modules, with its network module passively listening for a magic packet.
It provides its operators with basic information about the infected system and executes a payload it receives.
Notably, some of its functionality is reminiscent of Gray Lambert, another user-mode passive listener.
“Purple Lambert applies functionality similar to, but in different ways, both Gray Lambert and White Lambert,” the security experts noted.
The malware also works as a backdoor trojan that listens to network traffic for specific packets that activate it on infected hosts.