BothanSpy and Gyrfalcon are the names of the latest CIA hacking tools unearthed by WikiLeaks as part of the already legendary Vault7 dump. The tools are in fact implants designed to steal SSH credentials from two operating systems – Windows and Linux.
The non-profit has released a new batch of documents describing in detail two CIA implants developed to intercept and exfiltrate SSH credentials from Windows and Linux using different methods. The tools can steal user credentials for all active SSH sessions and then send them back to the CIA.
BothanSpy Spy Implant for Windows – Details
BothanSpy has been created to target Windows, more specifically the Xshell SSH client for Microsoft Windows. It is installed as a Shellterm 3.x extension on the targeted system and can only operate while Xshell is running with active sessions.
What is Xshell? A terminal emulator that supports the SSH, SFTP, TELNET, RLOGIN and SERIAL protocols and offers features such as a tabbed environment, dynamic port forwarding and custom key mapping.
The leaked user manual clarifies that BothanSpy only works when Xshell is running on the targeted machine with active sessions. Otherwise, the implant will not find credentials in the location it searches.
Other requirements for using the tool are:
In order to use BothanSpy against targets running an x64 version of Windows, the loader being used must support Wow64 injection. Xshell only comes as an x86 binary, and thus BothanSpy is only compiled as x86. Shellterm 3.0+ supports Wow64 injection, and Shellterm is highly recommended.
Gyrfalcon Spy Implant – Details
As mentioned, Gyrfalcon was created specifically to target the OpenSSH client on various Linux distributions, such as CentOS, Debian, RHEL (Red Hat), openSUSE and Ubuntu.
The Linux implant works on both 32- and 64-bit systems, and alongside it the CIA uses custom malware known as the JQC/KitV rootkit, which gives persistent access to compromised systems.
Gyrfalcon is able to collect full or partial OpenSSH session traffic. It stores the acquired information in a local encrypted file, which is exfiltrated at a later stage.
As stated in the leaked user manual:
Gyrfalcon is an SSH session “sharing” tool that operates on outbound OpenSSH sessions from the target host on which it is run. It can log SSH sessions (including login credentials), as well as execute commands on behalf of the legitimate user on the remote host.
The tool works automatically. According to the manual, it is configured in advance, executed on the remote host and left running. The operator returns later and commands Gyrfalcon to flush all of its collection to disk. The operator then retrieves the file, decrypts it and analyzes whatever has been collected.
A second version of Gyrfalcon has also been published. This version consists of two compiled binaries that have to be uploaded to the targeted system.
Interestingly, Gyrfalcon is not designed to provide communication services between the local operator computer and the target platform. As the manual says, the operator must use a third-party application to upload these three files to the target platform.