Vault 7 Leaks : CIA Hacking Tools "BothanSpy" and "Gyrfalcon" Steals SSH Credentials From Windows and Linux Computers

WikiLeaks Revealed Another CIA Cyber Weapons called “BothanSpy” and “Gyrfalcon” steals the SSH Credentials from both Windows and Linux Platform and both tools are performing in Different OS Platform and Different Attack vector.

SSH (Secure Shell) Protocol is used for Communicate Network services securely from unsecured channel Especially for user Perform Remote Login and The standard TCP port 22 has been assigned for contacting SSH servers.

An implant BothanSpy Targets Windows Platform SSH client program Xshell and it Steals User Credentials for all active Sessions enabled Windows PC.

These Stolen Credentials will be either username and password, password-authenticated SSH sessions or username, Filename of SSH key and password if public key authentication is used

BothanSpy finally exfiltration the stolen credentials to a CIA-controlled server or else save it in an encrypted file and later it exfiltration to the CIA Controlled Server.

An Implant Gyrfalcon Targets the Linux Platforms(centos,debian,rhel,suse,ubuntu) OpenSSH client.

This Tool has some advance functions that can not only steal user credentials of active SSH sessions but is also capable of collecting full or partial OpenSSH session traffic.

BothanSpy – Steals SSH Credentials from Windows

BothanSpy Only Targeting Windows Platform and Steals user credentials for all active SSH sessions and SSH client program Xshell.

According to CIA Document, BothanSpy will exfiltrate the stolen credentials through the Fire and Collect (F&C) channel and out to disk on the attacker-side.

Since BothanSpy Using F&C Channel, its never touches the Disk and it Writes Stolen Credentials to Disk that encrypted with AES.

BothanSpy.dll requires no configuration before it can be used and To setup the attack box touse F&C, copy the ice_handler.py script to the attack machine, and open a shell at this location.

Xshell should Run on the Targeting Windows Machine for BothanSpy perform itssuccessful Attack and it has active sessions, Otherwise, Xshell is not storing credential information in the location BothanSpy will search.

To Steal the Targets Credentials from all running Xshell processes that have active SSH ,CIA Used Following Command

>BothanSpy BothanSpy.dll> Forget
folder on target>\<base file name> <passphrase>

BothanSpy Much concern with Xshell versions and it failed to steal the credentials from some of the version (Xshell version 2 build 0910).

Important Consideration of BothanSpy is, it will not perform version checking at any stage.

Gyrfalcon – Steals SSH Credentials from Linux

According to the CIA Document, Gyrfalcon is an SSH session “sharing” tool operates on outbound OpenSSH sessions from the target host which is Capable of log SSH sessions including Login credentials.

By Executing the command, a legitimate user on the remote host can able to access the logged credentials.

“It is configured in advance, executed on the remote host and left running. Sometime later, the operator returns and commands gyrfalcon to flush all of its collection to disk. The operator retrieves the collection file, decrypts it, and analyzes the collected data”

Based on the Configuration with a list of target IP address/netmask combinations, this tool has the ability to track multiple outbound SSH sessions.

To Execute the Process, by added “a” Command and the Following information, operator promote into initiate the attack.

Specify an IPv4 or IPv6 address/netmask:
Specify Collection Behavior
Specify the path to executable file.

Document Intimate that, Gyrfalcon writes to a collection file in its working directory. The filename was specified in the config file. Gyrfalcon continues to stream data to this file during the course of its normal operation.

The operator must signal gyrfalcon to flush its collection buffers before the data can be collected.

All collected information is stored in an encrypted file for later exfiltration. It is installed and configured by using a CIA-developed rootkit (JQC/KitV) on the target machine.