VAULT 7 | 'BothanSpy' and 'Gyrfalcon': Implants That Steal SSH Credentials From Windows And Linux
Today WikiLeaks published further CIA documents from its Vault 7 series. The documents outline two computer implant projects named BothanSpy and Gyrfalcon. Both projects are designed to intercept and exfiltrate SSH credentials, but each works on a different operating system and uses a different attack vector.
Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. Its best-known application is remote login to computer systems.
BothanSpy - Wikileaks
- Windows-based implant that steals user credentials for all active SSH sessions by exploiting the SSH client program Xshell.
- Xshell is a commercial SSH and Telnet client and terminal emulator by NetSarang Computer, Inc.
- Installed as a Shellterm 3.x extension on the target machine.
- The credentials stolen are either username and password, for password-authenticated SSH sessions, or username, filename of the private SSH key and key password, if public key authentication is used.
- Exfiltrates stolen credentials straight to a CIA-operated command and control server, so the implant never touches the disk on the target system.
Gyrfalcon - Wikileaks
- Implant that targets the OpenSSH client on Linux platforms (CentOS, Debian, RHEL, SUSE, Ubuntu).
- The implant not only steals user credentials of active SSH sessions; it is also capable of collecting full or partial OpenSSH session traffic.
If information collected by these methods cannot be sent back to a CIA control server, both implants are able to store the information in encrypted files for later collection.
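Both implants sit inside or beside the SSH client on the victim machine, so one thing a defender can do on the Linux side is keep a known-good baseline of the OpenSSH client binaries and configuration and re-check it regularly. The script below is an added example written for this page, not code from the WikiLeaks documents or from any tool they describe; it makes no claim about how Gyrfalcon actually hooks the client. The file paths in DEFAULT_TARGETS are assumed defaults for a typical Linux install, and demo_in_tempdir() builds a constructed scenario in a temporary directory so the check can be exercised offline.

```python
#!/usr/bin/env python3
"""Baseline-and-verify integrity check for an OpenSSH client install.

Added example (not from the Vault 7 documents). Records SHA-256 digests of
a set of files, then reports files whose digest changed, files that went
missing, and files that appeared after the baseline was taken.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Assumed default paths for a Linux host with an OpenSSH client installed.
# /etc/ld.so.preload is normally absent; if it appears, that is worth a look.
DEFAULT_TARGETS = [
    "/usr/bin/ssh",
    "/usr/bin/ssh-agent",
    "/usr/bin/ssh-add",
    "/etc/ssh/ssh_config",
    "/etc/ld.so.preload",
]


def sha256_of(path):
    """Return the hex SHA-256 of a file, or None if the file does not exist."""
    p = Path(path)
    if not p.is_file():
        return None
    h = hashlib.sha256()
    with p.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Map each path to its current digest (None for a missing file)."""
    return {path: sha256_of(path) for path in paths}


def verify(baseline, paths=None):
    """Compare the current state of each path against the baseline.

    Returns {'changed': [...], 'missing': [...], 'appeared': [...]}.
    """
    paths = list(baseline) if paths is None else paths
    report = {"changed": [], "missing": [], "appeared": []}
    for path in paths:
        old = baseline.get(path)
        new = sha256_of(path)
        if old is None and new is not None:
            report["appeared"].append(path)
        elif old is not None and new is None:
            report["missing"].append(path)
        elif old != new:
            report["changed"].append(path)
    return report


def save_baseline(baseline, out_path):
    """Persist a baseline as JSON (store it off-host or read-only)."""
    with open(out_path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(in_path):
    with open(in_path) as f:
        return json.load(f)


def demo_in_tempdir():
    """Constructed scenario: one file tampered, one removed, one preload
    file created after the baseline. Returns the verify() report."""
    with tempfile.TemporaryDirectory() as d:
        ssh = os.path.join(d, "ssh")
        cfg = os.path.join(d, "ssh_config")
        preload = os.path.join(d, "ld.so.preload")
        Path(ssh).write_bytes(b"\x7fELF constructed sample binary")
        Path(cfg).write_text("Host *\n  ForwardAgent no\n")
        baseline = build_baseline([ssh, cfg, preload])
        # Simulate what a later check would see on a tampered host.
        Path(ssh).write_bytes(b"\x7fELF constructed sample binary MODIFIED")
        os.remove(cfg)
        Path(preload).write_text("/tmp/constructed-hook.so\n")
        return verify(baseline)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3 and sys.argv[1] == "baseline":
        save_baseline(build_baseline(DEFAULT_TARGETS), sys.argv[2])
    elif len(sys.argv) == 3 and sys.argv[1] == "verify":
        print(json.dumps(verify(load_baseline(sys.argv[2])), indent=2))
    else:
        print(json.dumps(demo_in_tempdir(), indent=2))
```

Run it as `baseline /path/to/baseline.json` once after a clean install and `verify /path/to/baseline.json` on a schedule; a non-empty report after a package update is expected, anything else is a lead to investigate. Keeping the baseline file somewhere the host cannot overwrite matters, since a check that reads its reference from a compromised disk proves little.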
Interestingly, the names used for these implants come from the Star Wars Rebel Alliance.