The user manual, released on Thursday, says that OutlawCountry can be used to redirect all outgoing traffic from a Linux box to a CIA-controlled machine.
The exploit itself is a kernel module that creates a hidden netfilter table on a Linux target machine.
An attacker who knows the table name can create firewall rules that take precedence over existing rules and remain hidden from users of the system or even an administrator.
It says that installing the attack module requires shell access to the target and root privileges.
OutlawCountry v1.0 ships a kernel module for 64-bit CentOS/RHEL 6.x and only works with that distribution's default kernel, 2.6.32. (This kernel version is very old; for comparison, the current testing stream of Debian has a 4.9.0-3 kernel.)
This version of the malware only supports adding covert DNAT rules to the PREROUTING chain, according to the manual.
If the target machine's firewall is stopped or restarted, the attack module goes into a dormant state and has to be uninstalled and re-installed in order to become effective again.
The Vault 7 dumps began on 7 March and have been claimed to be the biggest leak of CIA documents so far.