
BothanSpy & Gyrfalcon: CIA Malware Can Steal SSH Credentials


WikiLeaks has recently published new documents revealing two new CIA malware implants. The first, named BothanSpy, targets the Xshell SSH client on Windows machines. The second, called Gyrfalcon, targets OpenSSH clients on Linux systems. Both implants are capable of stealing user credentials and spying on session traffic.
While Windows users were being hit by new threats like WannaCry and Petya/NotPetya, Linux users stayed untouched. However, this doesn't mean that Linux is an unhackable operating system. Just last week I told you about CIA's OutlawCountry malware, which targeted Linux machines using malicious kernel modules.
Today, I'm going to tell you about two more CIA malware implants unveiled by WikiLeaks as part of the ongoing Vault 7 leak. They target Windows and Linux computers and steal SSH credentials and session traffic. Talking specifically about the tools, they are implants, which are basically malware payloads.
So, let’s tell you about these SSH hacking tools one by one in brief:

BothanSpy implant for Windows

As described by WikiLeaks, BothanSpy is an implant that targets the Xshell SSH client for Windows. The implant is installed as a Shellterm 3.x extension on the user's machine.
The credentials it steals, usernames and passwords, are collected for all active SSH sessions and exfiltrated over the Fire and Collect (F&C) channel. Before running BothanSpy on a target machine, the operator needs to start the F&C handler.
Though not the preferred mode, BothanSpy also works in Fire and Forget (F&F) mode. In this mode it writes files on the machine containing the credentials captured from Xshell, encrypted with AES-256.
You can read further technical details on BothanSpy in this leaked document. If you’re a Star Wars fan, you’ll love the references!

Gyrfalcon implant for Linux

Moving on to Linux machines, CIA's Gyrfalcon implant targets OpenSSH clients on Linux-based operating systems such as CentOS, RHEL, Ubuntu, SUSE and Debian. Apart from stealing the user credentials of all active SSH sessions, Gyrfalcon can also collect the session traffic itself.
Gyrfalcon compresses and encrypts the collected data and stores it in a file on the Linux system. The collection file is then transferred to the attacker by a third-party application.
To use Gyrfalcon, the operator must have thorough knowledge of the Linux/Unix command line and of shells like bash, csh and sh, and must understand the Linux computing environment well enough to configure Gyrfalcon correctly. The Gyrfalcon library must be installed with root privileges.
You can read more about how Gyrfalcon works and how it is installed in this leaked manual.
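Gyrfalcon is described above as a library installed with root privileges that hooks into the OpenSSH client. A defender-side check that fits this description is to list the shared objects mapped into running ssh client processes that live outside the normal system library directories, and to flag any /etc/ld.so.preload entries. This is an added example, not code from the article or from the leaked manual; the "standard" library paths, the constructed sample maps file and the library name in it are assumptions for illustration.

```shell
#!/bin/sh
# Defender-side check for unexpected libraries inside OpenSSH client processes.
# Assumes a Linux host with /proc; the path whitelist below is an assumption
# for this example and should be tuned per distribution.

# Print the distinct .so files in a /proc/<pid>/maps file that are not under
# the usual system library directories. Usage: unusual_libs_from_maps <maps-file>
unusual_libs_from_maps() {
    awk '$6 ~ /\.so(\.|$)/ { print $6 }' "$1" | sort -u |
        grep -Ev '^/(usr/)?lib(32|64)?/' || true
}

# Walk every running "ssh" client and report libraries outside the whitelist.
check_running_ssh_clients() {
    for pid in $(pgrep -x ssh 2>/dev/null); do
        echo "== ssh pid $pid =="
        unusual_libs_from_maps "/proc/$pid/maps"
    done
}

# /etc/ld.so.preload forces a library into every dynamically linked program,
# so on most hosts it should not exist at all. Returns 1 if it is non-empty.
check_ld_preload() {
    preload="${1:-/etc/ld.so.preload}"
    if [ -s "$preload" ]; then
        echo "WARNING: $preload is present:"
        cat "$preload"
        return 1
    fi
    return 0
}

# Constructed sample: a maps file for an ssh process with one library loaded
# from a non-standard location (the path is made up for this example).
sample_check() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
55d1a0000000-55d1a00a0000 r-xp 00000000 08:01 1234 /usr/bin/ssh
7f0a1c000000-7f0a1c1c5000 r-xp 00000000 08:01 131133 /lib/x86_64-linux-gnu/libc.so.6
7f0a1c3d0000-7f0a1c3f3000 r-xp 00000000 08:01 131100 /lib/x86_64-linux-gnu/ld-2.27.so
7f0a1c5f0000-7f0a1c5f4000 r-xp 00000000 08:01 262412 /opt/hidden/libsample.so
7ffd3e9c0000-7ffd3e9e1000 rw-p 00000000 00:00 0 [stack]
EOF
    unusual_libs_from_maps "$tmp"
    rm -f "$tmp"
}
```

On a live host, run `check_running_ssh_clients` and `check_ld_preload` together; a library outside the distribution's paths, or any preload entry, deserves a closer look against package manifests.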
