WikiLeaks: How does the CIA steal SSH credentials?

WikiLeaks today published the 15th batch of documents in the Vault 7 series. This time it describes two CIA implants that allow the intelligence service to monitor and intercept SSH (Secure Shell) credentials from targeted Windows and Linux operating systems using different attack modes.

Secure Shell, or SSH, is a cryptographic network protocol used for securely logging in to remote machines and servers over an unsecured network.

The first implant is called BothanSpy and is aimed at Windows operating systems, while the second is called Gyrfalcon and targets the OpenSSH client on various Linux distributions such as CentOS, Debian, RHEL, openSUSE and Ubuntu.

Both implants steal user credentials for all active SSH sessions and then send them to a CIA-controlled server.

BothanSpy

BothanSpy is installed as a Shellterm 3.x extension on the target machine and only works when Xshell is running, and only against active sessions.

Xshell is a powerful terminal emulator that supports the SSH, SFTP, TELNET, RLOGIN and SERIAL protocols, providing dynamic port forwarding, custom key mapping and VB scripting.

"To use BothanSpy on targets running an x64 version of Windows, the loader used must support Wow64 injection," the CIA user manual published by WikiLeaks states.

"Xshell only comes as an x86 binary, and therefore BothanSpy has been compiled as x86. Shellterm 3.0+ supports Wow64 injection and is highly recommended."

Gyrfalcon

Gyrfalcon targets Linux systems (32- or 64-bit kernel) and uses a JQC/KitV rootkit developed by the CIA for persistent access.

Gyrfalcon is able to collect full or partial OpenSSH session traffic and stores the stolen information in an encrypted file for later processing.

"The tool works in an automated way, it's preconfigured, it runs on the remote host and we let it run," says the Gyrfalcon v1.0 user manual.

"At times the operator returns and instructs gyrfalcon to flush what it has collected to disk. The operator retrieves the collection file, decrypts it and analyzes the collected data."

The user manual published by WikiLeaks for Gyrfalcon v2.0 states that the implant consists of "two compiled binaries that must be uploaded to the target platform along with an encrypted configuration file."

"Gyrfalcon does not provide communication services between the local computer and the operator. The operator will have to use a third-party application to upload these three files to the target."

Please be reminded that WikiLeaks has been releasing documents in the Vault 7 series since 7 March, exposing more and more CIA hacking tools.

"Year Zero": CIA exploits for popular hardware and software.
"Weeping Angel": the spying tool that the service uses to penetrate smart TVs, turning them into disguised microphones.
"Dark Matter": exploits targeting iPhones and Macs.
"Marble": the source code of a secret anti-forensics framework. It is essentially an obfuscator that the CIA uses to hide the source of its malware.
"Grasshopper": a framework that allows the intelligence service to easily create custom malicious software to compromise Microsoft Windows and bypass antivirus protection.
"Archimedes": a MitM attack tool allegedly created by the CIA for targeting computers within a local area network (LAN).
"Scribbles": a piece of software designed to add 'web beacons' to classified documents to allow the intelligence service to track leaks.
"Athena": designed to take full control over infected Windows computers, allowing the CIA to perform many functions on the target machine, such as deleting data, installing malicious software, and stealing data and sending it to CIA servers.
"CherryBlossom": a tool that tracks the online activity of a target, redirects the browser, harvests e-mail addresses and phone numbers, and more, through the router.
"Brutal Kangaroo": a tool that can be used to infect air-gapped computers with malware.
"ELSA": Windows malware used by the CIA to identify the location of a particular user using his computer's Wi-Fi.
"OutlawCountry": Linux malware that the CIA uses to determine the location of a particular user using his computer's Wi-Fi.
"BothanSpy" and "Gyrfalcon": for SSH credential theft from Windows and Linux respectively.

iGuRu.gr - The Best Technology Site in Greece


Written by giorgos
