CYBER NEWS

BothanSpy, Gyrfalcon CIA Implants for Windows, Linux Steal SSH Data

BothanSpy and Gyrfalcon are the names of the latest CIA hacking tools disclosed by WikiLeaks as part of the now-legendary Vault 7 dump. The tools are in fact implants designed to steal SSH credentials from two operating systems: Windows and Linux.

The non-profit has released a new batch of documents describing in detail two CIA implants developed to intercept and exfiltrate SSH credentials from Windows and Linux using different techniques. The tools can capture user credentials for all active SSH sessions and make them available to the CIA, either by sending them out directly or by storing them for later retrieval.


BothanSpy Spy Implant for Windows – Details

BothanSpy has been created to target Windows, more specifically the Xshell SSH client running on Microsoft Windows. It is installed as a Shellterm 3.x extension on the targeted system and works only while Xshell is running with active sessions.

Related story: Athena Surveillance Tool Designed to Spy on Windows XP - Windows 10

What is Xshell? A terminal emulator for Windows that supports the SSH, SFTP, TELNET, RLOGIN and SERIAL protocols, with features such as a tabbed environment, dynamic port forwarding and custom key mapping.
The leaked user manual clarifies that BothanSpy only works with Xshell running on the targeted machine with active sessions. In any other case the credentials will not be present in the memory location the implant searches.

Other requirements for using the tool, as stated in the manual, are:

In order to use BothanSpy against targets running an x64 version of Windows, the loader being used must support Wow64 injection. Xshell only comes as an x86 binary, and thus BothanSpy is only compiled as x86. Shellterm 3.0+ supports Wow64 injection, and Shellterm is highly recommended.


Gyrfalcon Spy Implant – Details

As mentioned, Gyrfalcon was created to specifically target the OpenSSH client on various Linux distributions, such as CentOS, Debian, RHEL (Red Hat), openSUSE and Ubuntu.

The Linux implant works on both 32- and 64-bit systems, and alongside it the CIA uses a custom rootkit known as JQC/KitV, which gives persistent access to compromised systems.

Gyrfalcon is able to collect full or partial OpenSSH session traffic. It also keeps the acquired information in a local encrypted file which is exfiltrated at a later stage.

As stated in the leaked user manual:

Gyrfalcon is an SSH session “sharing” tool that operates on outbound OpenSSH sessions from the target host on which it is run. It can log SSH sessions (including login credentials), as well as execute commands on behalf of the legitimate user on the remote host.

The tool works automatically. It is configured in advance, executed on the target host and left running, the manual reads. The operator returns later and commands Gyrfalcon to flush all of its collection to disk. The operator then retrieves the file, decrypts it, and analyzes whatever has been collected.
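The article does not say how Gyrfalcon attaches itself to outbound OpenSSH sessions, so a defender cannot look for a specific file name. What can be checked on any Linux host is whether a running `ssh` client has code mapped into it from somewhere a stock OpenSSH build never loads from (a temporary directory, a home directory, a deleted file) or is being started with `LD_PRELOAD` / `/etc/ld.so.preload` set. The script below is an added example written for this article, not code from the leaked manual or from the implant; the trusted-directory list, the sample `/proc/<pid>/maps` and `environ` contents, and the path `/dev/shm/.x/libsess.so` are constructed for illustration. It covers only the Linux (Gyrfalcon) side; the Windows (BothanSpy) case would need a separate check of the modules loaded into the Xshell process.

```python
#!/usr/bin/env python3
"""Hunt for code injected into running OpenSSH client processes on Linux.

Added example for this article; it is generic and does not target a
specific implant. It reads /proc/<pid>/maps and /proc/<pid>/environ for
every process whose executable is named `ssh` and flags:
  * executable mappings that do not belong to the ssh binary itself and
    do not come from a trusted library directory (or point at a deleted file),
  * LD_PRELOAD entries in the process environment and /etc/ld.so.preload.
"""
import os
import re
from pathlib import Path

# Assumption: a stock OpenSSH client only maps code from these locations.
TRUSTED_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/libexec")

# /proc/<pid>/maps fields: address perms offset dev inode [pathname]
MAPS_LINE = re.compile(r"^[0-9a-f]+-[0-9a-f]+\s+(\S+)\s+\S+\s+\S+\s+\S+\s*(.*)$")


def suspicious_mappings(maps_text: str, exe_path: str) -> list[str]:
    """Return executable mappings that are neither the ssh binary nor a
    library from a trusted directory. A '(deleted)' suffix is always
    reported; after a package upgrade that can be benign, so treat it as
    a lead rather than a verdict."""
    hits: list[str] = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue
        perms, path = m.groups()
        if "x" not in perms or not path or path.startswith("["):
            continue  # non-executable, anonymous, or [vdso]/[stack] pseudo-paths
        if path == exe_path:
            continue
        if path.endswith("(deleted)") or not path.startswith(TRUSTED_LIB_DIRS):
            if path not in hits:
                hits.append(path)
    return hits


def preload_entries(environ_bytes: bytes, ld_so_preload: str) -> list[str]:
    """Collect LD_PRELOAD paths from a NUL-separated process environment plus
    the non-comment lines of /etc/ld.so.preload."""
    found: list[str] = []
    for entry in environ_bytes.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            value = entry[len(b"LD_PRELOAD="):].decode(errors="replace")
            found.extend(p for p in value.split(":") if p)
    for line in ld_so_preload.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            found.append(line)
    return found


def scan_live_system() -> dict[int, dict]:
    """Walk /proc for ssh client processes and report findings (Linux only;
    reading another user's maps/environ needs root or ptrace rights)."""
    report: dict[int, dict] = {}
    try:
        ld_so_preload = Path("/etc/ld.so.preload").read_text()
    except OSError:
        ld_so_preload = ""
    for pid_dir in Path("/proc").glob("[0-9]*"):
        try:
            exe = os.readlink(pid_dir / "exe")
            if os.path.basename(exe) != "ssh":
                continue
            maps = (pid_dir / "maps").read_text()
            environ = (pid_dir / "environ").read_bytes()
        except OSError:
            continue  # process exited, or not readable by this user
        report[int(pid_dir.name)] = {
            "exe": exe,
            "injected": suspicious_mappings(maps, exe),
            "preload": preload_entries(environ, ld_so_preload),
        }
    return report


# Constructed sample data (not a real capture): an ssh process with one
# shared object mapped from /dev/shm and the same path in LD_PRELOAD.
SAMPLE_MAPS = """\
55d1c0a00000-55d1c0b2c000 r-xp 00000000 fd:01 1234 /usr/bin/ssh
7f3a1e000000-7f3a1e1b0000 r-xp 00000000 fd:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1e400000-7f3a1e402000 r-xp 00000000 00:19 42 /dev/shm/.x/libsess.so
7ffd8a000000-7ffd8a021000 rw-p 00000000 00:00 0 [stack]
7ffd8a1f0000-7ffd8a1f2000 r-xp 00000000 00:00 0 [vdso]
"""
SAMPLE_ENVIRON = b"HOME=/home/alice\0LD_PRELOAD=/dev/shm/.x/libsess.so\0PATH=/usr/bin\0"

if __name__ == "__main__":
    print("sample injected:", suspicious_mappings(SAMPLE_MAPS, "/usr/bin/ssh"))
    print("sample preload:", preload_entries(SAMPLE_ENVIRON, "# /etc/ld.so.preload\n"))
    for pid, info in scan_live_system().items():
        if info["injected"] or info["preload"]:
            print(pid, info)
```

Run it as root on the host under suspicion; an empty result does not prove the client is clean (an implant that patches the on-disk `ssh` binary or the kernel would not show up here, which is one reason a rootkit such as the JQC/KitV mentioned above matters), so pair it with package verification of the OpenSSH client files.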

Related story: OutlawCountry Exploit, CIA Tool to Compromise Linux Systems

A second version of Gyrfalcon has also been published. This version consists of two compiled binaries that should be uploaded to the targeted system.

Interestingly, Gyrfalcon is not designed to provide communication services between the local operator computer and the target platform. The operator must use a third-party application to upload these three files to the target platform, the manual says.

Milena Dimitrova
