Kaspersky said it discovered the malware in “a collection of malware samples” that its analysts and other security firms received in February 2019.
While an initial analysis did not find any shared code with previously known malware samples, Kaspersky has recently re-analysed the files and said it found that “the samples have intersections of coding patterns, style and techniques that have been seen in various Lambert families”.
Lamberts is the internal codename that Kaspersky uses to track CIA hacking operations.
Four years ago, after WikiLeaks exposed the CIA hacking capabilities to the public in a series of leaks known as Vault7, US security firm Symantec publicly linked the Vault7 hacking tools to the CIA and the Longhorn APT - another industry name for Lamberts.
Due to the shared similarities between these newly discovered samples and past CIA malware, Kaspersky said it is now tracking this new malware cluster as Purple Lambert.
The malware samples were compiled seven years ago and have not been seen in the wild yet. However, it is likely they were deployed in 2014 and possibly as late as 2015.
The malware acted as a backdoor trojan that listened to network traffic for specific packets that would activate it on infected hosts.
Purple Lambert is composed of several modules, with its network module passively listening for a magic packet. It is capable of providing an attacker with basic information about the infected system and executing a received payload. Its functionality reminds us of Gray Lambert, another user-mode passive listener. Gray Lambert turned out to be a replacement of the kernel-mode passive-listener White Lambert implant in multiple incidents. In addition, Purple Lambert implements functionality similar to, though implemented differently from, that of both Gray Lambert and White Lambert.
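A user-mode passive listener of the kind described above never opens a listening TCP or UDP port, so port-based inventories miss it; what it must do is see raw frames, which on Linux means holding an AF_PACKET socket. The following is an added example, not code from the article or from Kaspersky, showing one host-side check a defender can run: parse the kernel's /proc/net/packet table (a real file whose column layout is reproduced here from a constructed sample), map socket inodes back to owning processes via /proc/<pid>/fd, and report every active packet socket that does not belong to an allowlisted process. The sample rows, the process names and the inode-to-PID table are all constructed; nothing here is an indicator for Purple Lambert itself, whose platform and packet format the article does not give.

```python
"""Inventory active AF_PACKET (raw capture) sockets on a Linux host.

Added example. Assumption: the implant is a user-mode listener that sniffs
frames through an AF_PACKET socket. /proc/net/packet and its column layout
are real; the sample text and process table below are constructed.
"""
import os
import re

ETH_P_ALL = 0x0003            # real constant: capture frames of every protocol
SOCK_RAW, SOCK_DGRAM = 3, 2   # real socket type numbers as shown in the Type column

# Constructed sample of /proc/net/packet; header and widths follow the kernel's.
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a1c 3      3    0003   2     1 0      0      31337
ffff9a2d 2      2    0800   3     1 0      1000   40001
"""

# Constructed inode -> (pid, comm) table standing in for a live /proc walk.
SAMPLE_INODE_OWNERS = {31337: (4242, "svchelper"), 40001: (900, "dhcpcd")}


def parse_proc_net_packet(text):
    """Turn /proc/net/packet text into dicts; Proto is hex (network byte order)."""
    rows = []
    for line in text.strip().splitlines()[1:]:   # skip the header line
        f = line.split()
        rows.append({
            "type": int(f[2]),            # 3 = SOCK_RAW, 2 = SOCK_DGRAM
            "proto": int(f[3], 16),       # 0003 = ETH_P_ALL, 0800 = IPv4 only
            "ifindex": int(f[4]),         # 0 means bound to all interfaces
            "running": f[5] == "1",       # R column: socket bound and active
            "uid": int(f[7]),
            "inode": int(f[8]),
        })
    return rows


def inode_owners_from_proc(proc="/proc"):
    """Live use only: walk /proc/<pid>/fd for 'socket:[inode]' links."""
    owners = {}
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue                       # process exited or not ours to read
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if not m:
                continue
            try:
                with open(os.path.join(proc, pid, "comm")) as fh:
                    comm = fh.read().strip()
            except OSError:
                comm = "?"
            owners[int(m.group(1))] = (int(pid), comm)
    return owners


def flag_packet_sockets(rows, owners, allowlist=frozenset()):
    """Report every active packet socket whose owner is not allowlisted."""
    hits = []
    for r in rows:
        if not r["running"]:
            continue
        pid, comm = owners.get(r["inode"], (None, "unknown"))
        if comm in allowlist:
            continue
        hits.append({
            "pid": pid, "comm": comm, "uid": r["uid"], "inode": r["inode"],
            "all_protocols": r["proto"] == ETH_P_ALL,   # broadest possible view
            "raw": r["type"] == SOCK_RAW,
        })
    return hits


if __name__ == "__main__":
    # Live run: read the real table and resolve owners from /proc.
    with open("/proc/net/packet") as fh:
        live_rows = parse_proc_net_packet(fh.read())
    for hit in flag_packet_sockets(live_rows, inode_owners_from_proc(),
                                   allowlist={"dhcpcd", "tcpdump"}):
        print(hit)
```

Run as root so every /proc/<pid>/fd directory is readable; an unresolvable inode (pid None) is itself worth a second look, since it means a process you could not inspect holds a capture socket. The allowlist is a policy decision per host (DHCP clients, LLDP daemons, your own sensors all legitimately hold packet sockets). The check only covers user-mode listeners; a kernel-mode implant in the style of White Lambert would not appear in this table at all.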