VAULT 7 | 'BothanSpy' and 'Gyrfalcon' - Implants That Steal SSH Credentials From Windows And Linux

in #wikileaks, 4 years ago



Today WikiLeaks published further CIA documents from their Vault 7 series. The documents outline two computer implant projects named BothanSpy and Gyrfalcon. Both projects are designed to intercept and exfiltrate SSH credentials, but each works on a different operating system and uses a different attack vector.

Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network.[1] The best known example application is for remote login to computer systems by users.


BothanSpy - Wikileaks

  • Windows-based implant that steals user credentials for all active SSH sessions by exploiting the SSH client program Xshell.

Xshell is a commercial SSH, Telnet client and Terminal Emulator by NetSarang Computer, Inc.

  • Installed as a Shellterm 3.x extension on the target machine.

  • The stolen credentials are either the username and password (for password-authenticated SSH sessions) or the username, the filename of the private SSH key and the key's password (if public key authentication is used).

  • Exfiltrates stolen credentials straight to a CIA-operated command and control server, so the implant never touches the disk on the target system.



Gyrfalcon - Wikileaks

  • Implant that targets the OpenSSH client on Linux platforms (CentOS, Debian, RHEL, SUSE, Ubuntu).

  • The implant not only steals user credentials of active SSH sessions; it is also capable of collecting full or partial OpenSSH session traffic.
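A defender's check that follows from the Gyrfalcon description above, added here as an example and not taken from the post or the leaked documents: verify that the files of the OpenSSH client package on a Linux host still match what the package manager installed, since a tampered client binary or config is the kind of change worth flagging. The package names (openssh-client on Debian/Ubuntu, openssh-clients on CentOS/RHEL/SUSE) are assumed for the distributions the post lists; older SUSE releases may ship the client inside a package simply called openssh.

```shell
#!/bin/sh
# Added example (not from the WikiLeaks documents or this post): check the
# OpenSSH client package for modified files using the host's package manager.

# Filter package-verification output and print paths whose content changed.
# Accepts both "rpm -V" lines ("S.5....T.  c /etc/ssh/ssh_config") and
# "dpkg --verify" lines ("??5?????? c /usr/bin/ssh"). A '5' in the flag field
# means the file's digest no longer matches the package database; rpm also
# reports deleted files as "missing". Paths with spaces are not expected here.
# Usage: print_modified < verify_output
print_modified() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        flags=${line%% *}              # first field: verification flags
        path=${line##* }               # last field: file path
        case "$flags" in
            *5*|missing) printf '%s\n' "$path" ;;
        esac
    done
}

# Run the verification for the OpenSSH client package on this host and print
# every modified or missing file. Package names are assumptions per distro
# family (see the lead-in). Returns 0 when nothing changed, 1 when something
# did, 2 when neither dpkg nor rpm is available.
check_openssh_client() {
    if command -v dpkg >/dev/null 2>&1; then
        changed=$(dpkg --verify openssh-client 2>/dev/null | print_modified)
    elif command -v rpm >/dev/null 2>&1; then
        changed=$(rpm -V openssh-clients 2>/dev/null | print_modified)
    else
        echo "no dpkg or rpm found on this host" >&2
        return 2
    fi
    [ -z "$changed" ] && return 0
    printf 'modified OpenSSH client files:\n%s\n' "$changed"
    return 1
}
```

Run `check_openssh_client` as root after confirming the package database itself is trusted; a clean result only means the files match the package record, not that no other SSH client or library was altered.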


If information collected by these methods cannot be sent back to a CIA control server, both implants are able to store the information in encrypted files for later collection.

Interestingly, the names used for these implants come from the Star Wars Rebel Alliance.






- If You Would Like To Help Me Make More Great Original Content Please Consider Upvoting and Re-Steeming -


Really great post, thanks a lot for sharing and keep on posting ;)

Thank you. No problem.

Thanks for the summary, really useful. They are really just infringing on everything we have now. There's a strong need to really protect what little privacy we have left.

Yes. Assume everything is compromised and work back from there.

It's crazy what the CIA is able to do now. It's kind of cool that we can now see news on this in this alternative media of sorts. I never would have known. Also it's technically over my head, so thanks for explaining it somewhat.

Great post. Thank you for the contribution.
Reshared @phibetaiota


Peace and love to you as always.
