CIA programs to steal your SSH credentials (BothanSpy and Gyrfalcon)

Rob

Administrator
Staff member
Joined
Oct 27, 2011
Messages
1,210
Reaction score
2,240
Credits
3,485
WikiLeaks yesterday released documentation on two very specific scripts meant to steal OpenSSH login credentials from the client side. One script is for Windows clients, the other for Linux clients.

On the Windows side of things, they have released documentation on a script called BothanSpy. This program targets the SSH client program Xshell on the Microsoft Windows platform and steals user credentials for all active SSH sessions. Their program works regardless of if you're using simple user/password, user/key, or user and key w/ password. It then sends the credentials / key file to a CIA-controlled server.

Similarly, on the Linux side, there is a program called Gyrfalcon. The documentation on this program was written in January, 2013 for v.1 and November 2013 for v.2. Scanning through the user guide for version 2.0 shows very detailed information on how to prepare and plant the software on the target computer, starting with how to cover your tracks:
(S//NF) The operator must obtain a thorough understanding of the Linux/UNIX command line interface and shells such as bash, csh, and sh. Gyrfalcon assumes that the operator knows the standard operating procedures for masking their activity within certain shells. For instance, if the operator is using the bash shell on the Linux platform, then Gyrfalcon assumes they executed the following commands at the shell's prompt before uploading, installing, and executing Gyrfalcon.
1. unset HISTFILE
2. export HISTFILE
3. HISTSIZE=0
4. export HISTSIZE
5. TERM=vt100
6. export TERM
7. PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin …
8. export PATH

The document goes on in detail of what the package contains, for instance, Gyrfalcon clients and libraries in both 32bit and 64bit flavors for:
  • CentOS 5.6 - 6.4
  • RHEL 4.0 - 6.4
  • Debian 6.0.8
  • Ubuntu 11.10
  • SuSU 10.1
That being said, you have to remember the documentation was dated 2013, so you'd have to assume they have an updated version now to work with current Linux versions.

It continues on in detail on how to install it on the target system. Installing on the target system also requires that they install the JQC/KitV root kit, also developed by the CIA.

You can see they had a meeting about JQC as a rootkit in their NERDStech talk series meetings: https://fdik.org/wikileaks/year0/vault7/cms/page_2621796.html

So, secure your systems people. Attackers potentially trying to use these tools still need to somehow get a shell on your system in order to install this stuff.

Detecting on your system
As far as detecting on your system, that's going to be tough since:
  • The instructions note to name the script something before uploading/running it
  • We don't have a copy of any of the scripts they're talking about
But - we do know a couple things..
  • It runs in the background. A simple 'ps' will show you the processes and you should be able to spot something unfamiliar running, and kill it
  • history file gone would indicate that 'something' happened.. not necessarily this though.
  • if you find evidence of the 'CIA' JQC/KitV root kit on your system which may be tough..

More Information
WikiLeaks announcement:
https://wikileaks.org/vault7/#BothanSpy

Gyrfalcon 2.0 User Manual:
https://wikileaks.org/vault7/document/Gyrfalcon-2_0-User_Guide/Gyrfalcon-2_0-User_Guide.pdf

Gyrfalcon 1.0 User Manual:
https://wikileaks.org/vault7/document/Gyrfalcon-1_0-User_Manual/Gyrfalcon-1_0-User_Manual.pdf
 

Attachments

  • openssh_logo.png
    openssh_logo.png
    44.1 KB · Views: 1,569
Last edited:

Members online


Top