Cybersecurity firm Kaspersky has described a new strain of malware that it attributes to the US Central Intelligence Agency (CIA).
Kaspersky researchers say that in February 2019 multiple antivirus companies received a collection of malware samples, some of which the company could not associate with any known APT group. These samples showed no similarities to malware attributed to other APT groups.
“The samples were compiled in 2014 and, accordingly, were likely deployed in 2014 and possibly as late as 2015,” Kaspersky wrote.
Analysis of these samples revealed that they were compiled in 2014 and that they shared coding patterns, style, and techniques with the code of the Lambert APT (aka Longhorn APT).
“Although we have not found any shared code with any other known malware, the samples have intersections of coding patterns, style and techniques that have been seen in various Lambert families. We therefore named this malware Purple Lambert,” the cybersecurity company says in its APT trends report for Q1 2021.
Kaspersky researchers write that Purple Lambert consists of several modules, and that its network module passively listens for a specific packet.
Its capabilities include gathering system information and delivering additional payloads:
“It is capable of providing an attacker with basic information about the infected system and executing a received payload.”
Its functionality is similar to that of Gray Lambert, another user-mode passive listener, and White Lambert, a kernel-mode passive-listener implant, researchers say.
The full Kaspersky report, available to subscribers of its APT threat reports, describes both the passive-listener payload and the loader functionality in Purple Lambert’s main module.