RELEASE: #CIA implants targeting SSH on Windows and Linux #BothanSpy #Gryfalcon #KitV #Vault7 https://t.co/OMJYH3sLmA pic.twitter.com/KYCbXwmow8
— WikiLeaks (@wikileaks) July 6, 2017
Today, July 6th 2017, WikiLeaks publishes documents from the BothanSpy and Gyrfalcon projects of the CIA. The implants described in both projects are designed to intercept and exfiltrate SSH credentials but work on different operating systems with different attack vectors.
BothanSpy is an implant that targets the SSH client program Xshell on the Microsoft Windows platform and steals user credentials for all active SSH sessions. These credentials are either username and password in case of password-authenticated SSH sessions or username, filename of private SSH key and key password if public key authentication is used. BothanSpy can exfiltrate the stolen credentials to a CIA-controlled server (so the implant never touches the disk on the target system) or save it in an enrypted file for later exfiltration by other means. BothanSpy is installed as a Shellterm 3.x extension on the target machine.
https://wikileaks.org/vault7/#BothanSpy