WikiLeaks today published the 15th batch of documents in the Vault 7 series. This time it describes two CIA implants that let the agency monitor and intercept SSH (Secure Shell) credentials on targeted Windows and Linux systems using different attack modes.
Secure Shell (SSH) is a cryptographic network protocol used to connect securely to remote machines and servers over an insecure network.
The first implant, BothanSpy, targets Windows, while the second, Gyrfalcon, targets OpenSSH on various Linux distributions such as CentOS, Debian, RHEL, openSUSE and Ubuntu.
Both implants steal user credentials for all active SSH sessions and then send them to a CIA-controlled server.
BothanSpy is installed as a Shellterm 3.x extension on the target machine and works only while Xshell is running, and only against active sessions.
Xshell is a powerful terminal emulator that supports the SSH, SFTP, TELNET, RLOGIN and SERIAL protocols and provides dynamic port forwarding, custom key mapping and VB scripting.
"To use BothanSpy on targets running an x64 version of Windows, the loader used must support Wow64 injection," says the CIA User Guide published by WikiLeaks.
"Xshell only comes as an x86 binary, so BothanSpy has been compiled as x86. Shellterm 3.0+ supports Wow64 injection and is highly recommended."
Gyrfalcon targets Linux systems (32- or 64-bit kernel) and uses a JQC/KitV rootkit developed by the CIA for persistent access.
Gyrfalcon can collect full or partial traffic from OpenSSH connections and stores the stolen data in an encrypted file on disk for later processing.
"The tool runs in an automated fashion, is pre-configured, is executed on the remote host and is left running," says the Gyrfalcon v1.0 user manual.
"Sometimes, the operator returns and instructs Gyrfalcon to flush what it has collected to disk. The operator retrieves the collection file, decrypts it and analyzes the collected data."
The user manual published by WikiLeaks for Gyrfalcon v2.0 states that the implant consists of "two compiled binaries that must be uploaded to the target platform along with an encrypted configuration file".
"Gyrfalcon does not provide communication services between the local computer and the operator. The operator will have to use a third-party application to upload these three files to the target."
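The deployment just described (extra binaries and an encrypted configuration file dropped onto the host, plus an encrypted collection file written to disk) is exactly the kind of change a file-integrity baseline over the SSH-relevant parts of a Linux system is meant to surface. The script below is an added example written for this article; it is not code from the WikiLeaks documents or from either implant. The directory tree it scans is constructed in a temporary directory, and the implant file names in it are placeholders, not the real tool's.

```python
"""Added example: a minimal file-integrity baseline check for an OpenSSH host.

Not code from the Vault 7 documents or the implants they describe.  The idea is
simple: hash every file under the directories that matter for SSH (the sshd
binary, /etc/ssh, PAM modules on a real host), store the result, and later
diff the live tree against it to surface files that appeared or changed.
The paths used here are a constructed temporary tree, not a real system.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load fully."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map every regular file under root (path relative to root) to its hash.

    Symlinks are skipped so an attacker cannot point a link outside the tree."""
    baseline: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            baseline[str(p.relative_to(root))] = hash_file(p)
    return baseline


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Return files added, removed or modified since the baseline was taken."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> Dict[str, List[str]]:
    """Run the check against a constructed tree that mimics an implant drop."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sbin").mkdir()
        (root / "sbin" / "sshd").write_bytes(b"stand-in sshd binary (constructed)")
        (root / "sshd_config").write_text("PermitRootLogin no\n")
        before = build_baseline(root)

        # Simulate the described deployment: two new binaries, an encrypted
        # config blob, and a tampered sshd.  All names are placeholders.
        (root / "sbin" / "implant_a").write_bytes(b"\x7fELF placeholder")
        (root / "sbin" / "implant_b").write_bytes(b"\x7fELF placeholder")
        (root / ".cfg.enc").write_bytes(b"\x00\x01 encrypted config placeholder")
        (root / "sbin" / "sshd").write_bytes(b"tampered sshd binary (constructed)")
        after = build_baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

On a real host the baseline would be stored off-box and the comparison run from a trusted environment; the article notes Gyrfalcon relies on a rootkit, and a kernel-level rootkit can hide files from userland tools, so an integrity check run from inside the compromised system may see a clean tree. Booting from known-good media or hashing the disk image offline avoids that blind spot.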
Recall that WikiLeaks has been releasing Vault 7 documents since 7 March, exposing more and more CIA hacking tools:
- "Year Zero": CIA exploits for popular hardware and software.
- "Weeping Angel": the spying tool the agency uses to compromise smart TVs, turning them into covert microphones.
- "Dark Matter": exploits targeting iPhones and Macs.
- "Marble": the source code of a secret anti-forensic framework, essentially an obfuscator the CIA uses to hide the true origin of its malware.
- "Grasshopper": a framework that lets the agency easily build custom malware to compromise Microsoft Windows and bypass antivirus protection.
- "Archimedes": a MitM attack tool allegedly created by the CIA to target computers within a local area network (LAN).
- "Scribbles": software designed to embed 'web beacons' in classified documents so that the intelligence services can trace leaks.
- "Athena": designed to take full control of infected Windows computers, allowing the CIA to perform many actions on the target machine, such as deleting data, installing malware, and stealing data and sending it to CIA servers.
- "CherryBlossom": a tool that, via the router, tracks a target's online activity, redirects the browser, harvests e-mail addresses and phone numbers, and more.
- "Brutal Kangaroo": a tool that can be used to infect air-gapped computers with malware.
- "ELSA": Windows malware the CIA uses to determine a particular user's location via the computer's Wi-Fi.
- "OutlawCountry": Linux malware the CIA uses to determine a particular user's location via the computer's Wi-Fi.
- "BothanSpy" and "Gyrfalcon": SSH credential theft from Windows and Linux respectively.