CIA SSH Credential Stealing Tools - Vault7

in security • 7 years ago (edited)

Time to get the tinfoil hat on again: Vault7 has dropped batch 15.

This time it details implants which allow the interception and exfiltration of SSH login credentials from Windows and Linux.

Who the hell comes up with these names?

BothanSpy

BothanSpy is an implant that targets the SSH client program Xshell on the Microsoft Windows platform and steals user credentials for all active SSH sessions. These credentials are either username and password in case of password-authenticated SSH sessions or username, filename of private SSH key and key password if public key authentication is used. BothanSpy can exfiltrate the stolen credentials to a CIA-controlled server (so the implant never touches the disk on the target system) or save it in an encrypted file for later exfiltration by other means. BothanSpy is installed as a Shellterm 3.x extension on the target machine.

https://wikileaks.org/vault7/#BothanSpy
https://wikileaks.org/vault7/document/BothanSpy_1_0-S-NF/

Gyrfalcon

Gyrfalcon is an implant that targets the OpenSSH client on Linux platforms (centos,debian,rhel,suse,ubuntu). The implant can not only steal user credentials of active SSH sessions, but is also capable of collecting full or partial OpenSSH session traffic. All collected information is stored in an encrypted file for later exfiltration. It is installed and configured by using a CIA-developed root kit (JQC/KitV) on the target machine.

https://wikileaks.org/vault7/document/Gyrfalcon-1_0-User_Manual/

Sources:

https://thehackernews.com/2017/07/ssh-credential-hacking.html

https://busy.org/wikileaks/@fortified/vault-7-or-bothanspy-and-gyrfalcon-implants-that-steal-shh-credentials-from-windows-and-linux

http://securityaffairs.co/wordpress/60754/intelligence/bothanspy-gyrfalcon-implants.html

More and more crazy stuff continues to leak and now these tools are getting in the hands of everyone.

Check yo self before you wreck yo self......

follow me @shifty0g

· 7 years ago

Hi! I am a robot. I just upvoted you! I found similar content that readers might be interested in:
http://www.tuxmachines.org/printpdf/102746

· 7 years ago

nice google fu cheetah bot.

· 7 years ago

So did you write this or copy?