Security Vulnerabilities

Vault 7: BothanSpy and Gyrfalcon

Documentation relating to further malware tools has been released as part of the WikiLeaks Vault 7 series.

BothanSpy is described as an implant that targets Xshell, a popular SSH client for Microsoft Windows, and steals user credentials for all active SSH sessions. The credentials can be either a username and password or a private SSH key (and the key's password, if one is set).

Gyrfalcon is an implant that targets the OpenSSH client on Linux platforms. It can steal user credentials from active sessions and is also capable of collecting OpenSSH traffic.

The compilation date of the documentation indicates that it was written in 2015, so operating system versions newer than those listed below may also be affected by the implants.

Affected Platforms:

  • Xshell version 3, build 0288
  • Xshell version 4, build 0127
  • Xshell version 5, build 0497
  • Xshell version 5, build 0537
  • Ubuntu 11.10 (x86/x64)
  • SuSE 10.1 (x86/x64)
  • RHEL 6.4 (x86/x64)
  • RHEL 5.10 (x86/x64)
  • RHEL 4.8 (x86/x64)
  • RHEL 4.0 (x86/x64)
  • Debian 6.0.8 (x86/x64)
  • CentOS 6.0.8 (x86/x64)
  • CentOS 6.4 (x86/x64)
  • CentOS 5.10 (x86/x64)
  • CentOS 5.6 (x86/x64)
  • Microsoft Windows Vista

Mitigations:

  • Monitor network and proxy logs for any anomalous behaviour.
  • Consider logging, to a remote host, any attempts to access restricted platforms; such logs may highlight suspicious activity.
  • Make sure that users and services operate only with the level of privilege they require.

Duncan

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.