
BothanSpy – a CIA project to steal SSH credentials from Windows & Linux PCs

On 6 July 2017, WikiLeaks' Vault 7 series published two CIA tools: BothanSpy, which targets the Xshell SSH client on Microsoft Windows, and Gyrfalcon, which targets the OpenSSH client on various Linux distributions, including CentOS, Debian, RHEL (Red Hat), openSUSE and Ubuntu.

Both tools steal user credentials for all active SSH sessions and then send them to a CIA-controlled server.

The credentials collected for each connection are:
• Password authentication
– User name
– Password
• Public key authentication
– User name
– Private key file name (if available)
– Private key password

Note that when the private key is held by ssh-agent (or by a hardware token behind the agent), the client process never reads the key file or its passphrase, so an implant inside the client gets only the user name and the session itself; everything typed in that session is still exposed.

BothanSpy – for Windows OS

Xshell is a powerful terminal emulator that supports SSH, SFTP, TELNET, RLOGIN and SERIAL for delivering industry leading features including dynamic port forwarding, custom key mapping, user defined buttons, and VB scripting.

BothanSpy is a tool that targets the SSH client program Xshell and steals user credentials for all active SSH sessions. BothanSpy exfiltrates the stolen credentials through the Fire and Collect (F&C) channel and out to disk on the attacker side. By using F&C, BothanSpy never writes anything to disk on the target.

BothanSpy Version 1.0 supports the following versions of Xshell:

  • Version 3, build 0288
  • Version 4, build 0127
  • Version 5, build 0497
  • Version 5, build 0537


CIA user manual: https://wikileaks.org/vault7/document/BothanSpy_1_0-S-NF/BothanSpy_1_0-S-NF.pdf

Gyrfalcon – for Linux OS

Gyrfalcon is an SSH session "sharing" tool that operates on outbound OpenSSH sessions from the target host on which it is run. It can log SSH sessions (including login credentials) and execute commands on the remote host on behalf of the legitimate user. It runs on Linux systems with 32-bit and 64-bit kernels.

The implant can not only steal user credentials of active SSH sessions, but is also capable of collecting full or partial OpenSSH session traffic. All collected information is stored in an encrypted file for later exfiltration. It is installed and configured using a CIA-developed rootkit (JQC/KitV) on the target machine.
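Both tools work from inside the SSH client process on the victim host, which gives a defender one concrete thing to look for: a shared object mapped into a running ssh client that does not belong there, or a preload hook that forces one in. The script below is an added example, not code from the original post or from the leaked manuals. It parses a process's /proc/<pid>/maps and environ (standard Linux layout) and reports executable mappings outside the usual library directories, anonymous executable regions, and LD_PRELOAD / /etc/ld.so.preload entries. It assumes the implant is a user-space shared object and is not hidden by a kernel rootkit (Gyrfalcon 2.0 ships with one, so an absent hit is not a clean bill of health). The TRUSTED_PREFIXES list, the function names and the sample maps/environ data (including the path /tmp/.cache/libsshhelper.so) are constructed for the demonstration.

```python
"""Host-side check for foreign code mapped into OpenSSH client processes.

Added example, not from the original article or the leaked manuals.
Assumes a user-space shared-object implant that a kernel rootkit is not
hiding; the trusted directory list below is a Debian/RHEL-style assumption.
"""
import os
import re
from typing import Dict, List

# Where a stock ssh client is expected to load executable code from.
# Assumption: adjust for your distribution's layout.
TRUSTED_PREFIXES = ("/usr/lib", "/usr/lib64", "/lib", "/lib64", "/usr/bin/ssh")

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
_MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"[0-9a-f]+\s+\S+\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)


def suspicious_mappings(maps_text: str, trusted=TRUSTED_PREFIXES) -> List[str]:
    """Return executable mappings that warrant a closer look.

    Reported: file-backed executable mappings outside `trusted`, mappings of
    deleted files (library dropped, loaded, then unlinked; also seen benignly
    after a package upgrade), and anonymous executable regions (code that was
    never on disk). Pseudo-regions such as [vdso] and [stack] are ignored.
    """
    found = set()
    for line in maps_text.splitlines():
        m = _MAPS_RE.match(line.strip())
        if not m or "x" not in m.group("perms"):
            continue
        path = m.group("path").strip()
        if int(m.group("inode")) == 0 and not path:
            found.add("<anonymous executable region>")
        elif not path or path.startswith("["):
            continue
        elif path.endswith(" (deleted)") or not path.startswith(trusted):
            found.add(path)
    return sorted(found)


def preload_entries(environ_bytes: bytes, ld_so_preload_text: str) -> Dict[str, List[str]]:
    """Extract LD_PRELOAD from a NUL-separated environ block and the
    non-comment lines of /etc/ld.so.preload (pass "" if unreadable)."""
    out: Dict[str, List[str]] = {"LD_PRELOAD": [], "ld.so.preload": []}
    for entry in environ_bytes.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            value = entry[len(b"LD_PRELOAD="):].decode(errors="replace")
            out["LD_PRELOAD"] = [p for p in re.split(r"[:\s]+", value) if p]
    for line in ld_so_preload_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            out["ld.so.preload"].append(line)
    return out


def scan_live_ssh_processes(proc: str = "/proc") -> Dict[int, List[str]]:
    """Run both checks over every process whose comm is 'ssh'.
    Reading other users' maps/environ requires root."""
    results: Dict[int, List[str]] = {}
    for pid in (d for d in os.listdir(proc) if d.isdigit()):
        base = os.path.join(proc, pid)
        try:
            with open(os.path.join(base, "comm")) as f:
                if f.read().strip() != "ssh":
                    continue
            with open(os.path.join(base, "maps")) as f:
                hits = suspicious_mappings(f.read())
            with open(os.path.join(base, "environ"), "rb") as f:
                env = f.read()
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue
        hits += ["LD_PRELOAD=" + p for p in preload_entries(env, "")["LD_PRELOAD"]]
        if hits:
            results[int(pid)] = hits
    return results


# Constructed sample data (not real captures): an ssh process with a library
# loaded from /tmp, an anonymous RWX region, and LD_PRELOAD pointing at it.
SAMPLE_MAPS = """\
55d4a3c00000-55d4a3c9e000 r-xp 00000000 fd:01 1310914 /usr/bin/ssh
7f1e3a000000-7f1e3a1c0000 r-xp 00000000 fd:01 2621456 /usr/lib/x86_64-linux-gnu/libc.so.6
7f1e3a1c0000-7f1e3a1d0000 r--p 001c0000 fd:01 2621456 /usr/lib/x86_64-linux-gnu/libc.so.6
7f1e3a400000-7f1e3a402000 r-xp 00000000 fd:01 1048600 /tmp/.cache/libsshhelper.so
7f1e3a600000-7f1e3a610000 rwxp 00000000 00:00 0
7ffd1c8f0000-7ffd1c8f2000 r-xp 00000000 00:00 0 [vdso]
"""
SAMPLE_ENVIRON = b"HOME=/home/alice\0LD_PRELOAD=/tmp/.cache/libsshhelper.so\0PATH=/usr/bin\0"

if __name__ == "__main__":
    print("sample maps  :", suspicious_mappings(SAMPLE_MAPS))
    print("sample preload:", preload_entries(SAMPLE_ENVIRON, ""))
    print("live ssh pids :", scan_live_ssh_processes())
```

Run it as root on a host with open outbound SSH sessions; an empty result for the live scan means only that nothing user-space and visible is hooked, and a hit on a mapping in /tmp, /dev/shm or a home directory is where to start pulling the file for analysis.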

CIA user manuals:
– Gyrfalcon 1.0 User Guide: https://wikileaks.org/vault7/document/Gyrfalcon-1_0-User_Manual/
– Gyrfalcon 2.0 User Manual: https://wikileaks.org/vault7/document/Gyrfalcon-2_0-User_Manual/

Previously leaked CIA documents: https://hydrasky.com/network-security/wikileaks-cia-leak-vault-7-projects-series/

References

https://wikileaks.org/vault7/
http://thehackernews.com
