On Thursday, July 6, Wikileaks released documents on two projects, BothanSpy and Gyrfalcon, linking both to the CIA. The batch, named BothanSpy after the first of the tools, is the 15th in the Vault 7 series.
BothanSpy is a trojanized Shellterm 3.x extension designed to steal the credentials of all active SSH sessions opened with the Xshell remote access tool. When authentication uses a login and password, both are either sent to a CIA-controlled server or stored in an encrypted file on the local drive for an operator to retrieve later. If a public key is used, the key itself is stolen.
Gyrfalcon is similar malware for Linux. Taking advantage of the OpenSSH client, it can intercept the traffic of SSH sessions, not merely steal the credentials used in active sessions. The collected data are saved in a local encrypted file. To install and configure Gyrfalcon, the JQC/KitV rootkit is used, which Wikileaks also attributes to the spy agency. After that, “Gyrfalcon does not provide any communication services between the local operator computer and target platform,” according to the user guide for version 2.
According to the leaked user guides, all classified as “SECRET//NOFORN”, Gyrfalcon has been in use since at least January 28, 2013, the date of the guide to its first version. Version 2 of the tool was created later that year, on November 26. BothanSpy has been in use since at least March 2015.
Gyrfalcon works on at least the 32- and 64-bit versions of Debian, Ubuntu, RHEL, CentOS, and OpenSuse. BothanSpy supports only 64-bit Windows installations.