
BothanSpy & Gyrfalcon: CIA Malware Can Steal SSH Credentials

WikiLeaks has recently published new documents revealing new CIA malware implants. The first implant, named BothanSpy, targets the SSH client Xshell on Windows machines. The second implant, called Gyrfalcon, targets OpenSSH clients on Linux systems. Both implants are capable of stealing user credentials and spying on the session traffic.
While Windows users were being hit by new threats like WannaCry and Petya/NotPetya, Linux users stayed untouched. However, this doesn’t mean that Linux is an unhackable operating system. Just last week I told you about CIA’s OutlawCountry malware, which targeted Linux machines using malicious kernel modules.
Today, I’m going to tell you about two more pieces of CIA malware unveiled by WikiLeaks as part of the ongoing Vault 7 leak, which target Windows and Linux computers and steal SSH credentials and session traffic. Talking specifically about the tools, they are implants, which are basically malware payloads.
So let me tell you about these SSH hacking tools, one by one, in brief:

BothanSpy implant for Windows

As described by WikiLeaks in BothanSpy’s description, it’s an implant that targets SSH client Xshell for Windows. The implant is installed as a Shellterm 3.x extension on the user’s machine.
For every active SSH session, the implant steals the user credentials, i.e. the username and password. The stolen credentials are exfiltrated over the Fire and Collect (F&C) channel, so before running BothanSpy on a target machine, one needs to start the F&C handler.
Though not preferred, BothanSpy also works in Fire and Forget (F&F) mode. This mode creates files on the machine that contain the credentials captured from Xshell, protected with AES-256 encryption.
You can read further technical details on BothanSpy in this leaked document. If you’re a Star Wars fan, you’ll love the references!

Gyrfalcon implant for Linux

Moving on to Linux machines, CIA’s Gyrfalcon implant targets OpenSSH clients on Linux-based operating systems like CentOS, RHEL, Ubuntu, SUSE, Debian, etc. Apart from stealing the user credentials of all active SSH sessions, Gyrfalcon can also collect session traffic.
Gyrfalcon compresses, encrypts, and stores the collected data in a file on the Linux system. The collection file is then transferred to the attacker using a third-party application.
For using Gyrfalcon, the attacker must have a thorough knowledge of Linux/Unix command line and shells like bash, csh, and sh. The user also needs to understand the Linux computing environment for correctly configuring Gyrfalcon. The Gyrfalcon library needs to be installed with root privilege.
You can read more details regarding working and installation of Gyrfalcon in this leaked manual.
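Because Gyrfalcon is installed as a root-level library that targets the OpenSSH client, one defender's check is whether any running ssh process has a shared object mapped from outside the distribution's library directories, and whether /etc/ld.so.preload forces extra libraries into every process. The script below is an added example, not code from the leaked manual or any CIA tool; it assumes the implant would appear as an extra .so in the ssh process, and the allow-listed directories and the sample maps file are constructed for the demonstration.

```shell
#!/bin/sh
# Added defender-side check (illustrative, not from the Gyrfalcon manual).
# Assumption: a library-based SSH implant shows up as an extra .so mapped
# into the ssh client process; the allow-list of library directories below
# is an assumption and may need tuning per distribution.

# Print mapped .so paths from a /proc/<pid>/maps-style file ($1) that live
# outside /lib, /lib64, /usr/lib, /usr/lib64 and friends.
suspicious_libs() {
    awk '$6 ~ /\.so(\.[0-9]+)*$/ { print $6 }' "$1" | sort -u |
      grep -Ev '^/(usr/)?lib(32|64|x32)?/' || true
}

# Walk every live "ssh" client process and report unexpected libraries,
# then show any system-wide preload entries (reading other users'
# /proc/<pid>/maps requires root).
audit_ssh_processes() {
    for pid in $(pgrep -x ssh 2>/dev/null); do
        found=$(suspicious_libs "/proc/$pid/maps")
        [ -n "$found" ] && printf 'pid %s: unexpected library: %s\n' "$pid" "$found"
    done
    [ -s /etc/ld.so.preload ] && { echo "/etc/ld.so.preload is non-empty:"; cat /etc/ld.so.preload; }
    return 0
}

# Constructed sample maps file (fake addresses and a fake hook library path)
# written to $1 so the parser can be exercised without a live implant.
make_sample_maps() {
    cat > "$1" <<'EOF'
55d1c1a00000-55d1c1a2b000 r--p 00000000 fd:01 1234 /usr/bin/ssh
7f3a0e000000-7f3a0e01d000 r--p 00000000 fd:01 2345 /usr/lib/x86_64-linux-gnu/libcrypto.so.3
7f3a0e100000-7f3a0e102000 r--p 00000000 fd:01 3456 /lib64/ld-linux-x86-64.so.2
7f3a0e200000-7f3a0e203000 r-xp 00000000 fd:01 4567 /usr/local/share/.cache/libexample_hook.so
7ffd2c000000-7ffd2c021000 rw-p 00000000 00:00 0 [stack]
EOF
}

# Live audit of the current host.
audit_ssh_processes
```

On the constructed sample, only /usr/local/share/.cache/libexample_hook.so is reported; a real finding should be compared against package-manager ownership (e.g. dpkg -S or rpm -qf) before being treated as an implant.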
