Whistleblowing site Wikileaks released three documents as part of its Vault 7 leaks for two projects, code-named BothanSpy and Gyrfalcon, that target network protocols. Both projects are aimed at intercepting and extracting SSH (Secure Shell) credentials used for remote access to a server or website. SSH is a cryptographic network protocol that secures network services over an unsecured network.
The two projects target different operating systems and use different attack patterns. BothanSpy targets SSH credentials on Microsoft Windows and steals them from active SSH sessions. The stolen data is then exfiltrated to disk, encrypted with AES, at a user-provided path. BothanSpy only works if Xshell is running on the target and has active sessions; Xshell is a terminal emulator that supports SSH, SFTP and TELNET. If the target runs 64-bit Windows, the loader being used must support Wow64 injection.
Gyrfalcon is an SSH session "sharing" tool that operates on outbound OpenSSH sessions from the target host on which it is run. It is an implant that targets Linux platforms and can steal the credentials, encrypting the collected information for later extraction. The tool runs in an automated fashion: it is configured in advance, executed on the remote host and left running. The operator may then come back and "flush" all of its collection to an external disk. Gyrfalcon can track multiple outbound SSH sessions at once.