WikiLeaks has recently published new documents, revealing new CIA malware implants. The first implant, named BothanSpy, targets SSH client Xshell on Windows machines. The second implant, called Gyrfalcon, targets OpenSSH clients on Linux system. Both implants are capable of stealing user credentials and spying on the session traffic.
As described by WikiLeaks in BothanSpy’s description, it’s an implant that targets SSH client Xshell for Windows. The implant is installed as a Shellterm 3.x extension on the user’s machine.
The program credentials are either username and password, which are stolen for all active SSH sessions. By using the Fire and Collect (F&C) channel, the stolen credentials are exfiltrated. Before running BothanSpy on a target machine, one needs to start the F&C handler.
Moving on to Linux machines, CIA’s Gyrfalcon implant targets OpenSSH clients on Linux-based operating systems like CentOS, RHEL, Ubuntu, SUSE, Debian, etc. Apart from stealing the user credentials of all active SSH sessions, Gyrfalcon can also collect session traffic.
Gyrfalcon compresses, encrypts, and stores the collected data into a file on the Linux system. By using a third-party application, the collection file is transferred to the attacker.
Submitted by: Arnfried Walbrecht