Security Vulnerabilities

Vault 7 – BothanSpy and Gyrfalcon

Following on from the earlier leaked malware documentation published by WikiLeaks, documentation for two more tools has been released as part of the Vault 7 series. The documents describe BothanSpy and Gyrfalcon.

BothanSpy is described as an implant which targets the popular Microsoft Windows SSH client, Xshell and steals user credentials for all active SSH sessions. The credentials can be either a username and password or a private SSH key (and password, if set).

Gyrfalcon relates to an implant that targets the OpenSSH client in Linux platforms. The implant is able to steal user credentials from active sessions and is also capable of collecting OpenSSH traffic.

The documentation carries a 2015 date, which suggests that operating system and client versions newer than those listed below could also be affected by the implants.

Use of either tool presupposes a prior compromise: an attacker would already need sufficient privileges on the host to install the implant. Once installed, however, the impact can be high. If the stolen passwords or private keys are re-used across several platforms, they can be used for lateral movement throughout the target network.

The full documentation can be found here: https://wikileaks.org/vault7/#BothanSpy




Indicators of Compromise

Associated Files:

  • BothanSpy.dll
  • BothanSpy.py
  • ice_handler.py
  • fnf_unpack.py
  • BothanSpy.dll.META.xml
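The leaked documents give filenames but no hashes, so a sweep can only match on name and record a hash of anything it finds for later comparison. The following Python sweep is an added example written for this post, not code from the leaked documentation or from the site; the directory tree it builds is constructed sample data. The names are trivial for an operator to change, so an empty result is not proof that a host is clean.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Filenames from the IoC list in the leaked BothanSpy documentation.
# Matched case-insensitively, since the Windows file system is.
IOC_FILENAMES = {
    "bothanspy.dll",
    "bothanspy.py",
    "ice_handler.py",
    "fnf_unpack.py",
    "bothanspy.dll.meta.xml",
}


def sha256_of(path, chunk=1 << 20):
    """Stream the file so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root):
    """Walk root and return sorted [(path, sha256)] for every regular file
    whose name is on the IoC list. Symlinks are skipped, never followed,
    so a planted link cannot loop the walk or point it at a huge file."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            if name.lower() not in IOC_FILENAMES:
                continue
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            hits.append((path, sha256_of(path)))
    return sorted(hits)


def demo_tree(with_ioc=True):
    """Create a constructed directory tree for the example and return its root.
    The contents are placeholders, not implant samples."""
    root = tempfile.mkdtemp(prefix="ioc_sweep_")
    tools = Path(root, "tools")
    tools.mkdir()
    (tools / "notes.txt").write_text("benign file")
    # Near miss: the name is not an exact match and must not be reported.
    (tools / "BothanSpy.dll.bak").write_bytes(b"name does not match exactly")
    if with_ioc:
        (tools / "BothanSpy.dll").write_bytes(b"constructed stand-in, not the implant")
        # Upper-case variant to show the case-insensitive match.
        Path(root, "ICE_HANDLER.PY").write_text("# constructed stand-in\n")
    return root


def sweep_demo(with_ioc=True):
    """Build the constructed tree and sweep it; returns the hit list."""
    return sweep(demo_tree(with_ioc))


if __name__ == "__main__":
    for path, digest in sweep_demo():
        print(f"{digest}  {path}")
```

Run it against a real system by calling sweep() on the drive or mount point of interest; keep the returned hashes so that matching files on different hosts can be compared.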

Affected Platforms

Further research is being performed to determine the definitive list of affected platforms and products.
Known affected products, grouped by the implant that targets them (BothanSpy for the Windows Xshell client, Gyrfalcon for the Linux OpenSSH client):

BothanSpy:

  • Xshell version 3, build 0288
  • Xshell version 4, build 0127
  • Xshell version 5, build 0497
  • Xshell version 5, build 0537
  • Microsoft Windows Vista

Gyrfalcon:

  • Ubuntu 11.10 (x86/x64)
  • SuSE 10.1 (x86/x64)
  • RHEL 6.4 (x86/x64)
  • RHEL 5.10 (x86/x64)
  • RHEL 4.8 (x86/x64)
  • RHEL 4.0 (x86/x64)
  • Debian 6.0.8 (x86/x64)
  • CentOS 6.0.8 (x86/x64)
  • CentOS 6.4 (x86/x64)
  • CentOS 5.10 (x86/x64)
  • CentOS 5.6 (x86/x64)

Remediation

  • Monitor network and proxy logs for anomalous behaviour, in particular SSH logins with a known user's password or key from a source host that user does not normally connect from.
  • Consider logging all attempts to access restricted platforms to a remote host, so that an attacker on a compromised machine cannot remove the records and suspicious activity can be correlated across systems.
  • Ensure that users and services operate only with the level of privilege they require.
  • Avoid re-using passwords and private keys across systems; treat any credential used from a compromised host as exposed and rotate it.
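A credential stolen by either implant is used from the attacker's foothold rather than from the victim's usual workstation, so the detection the first bullet asks for is a comparison of each successful SSH login against where that user and credential have been seen before. The following Python is an added example written for this post, not code from the original article or the leaked documentation; the auth.log lines and key fingerprints are constructed sample data, and it assumes the OpenSSH "Accepted ..." log format that prints the key fingerprint for publickey logins.

```python
import re
from collections import defaultdict

# OpenSSH "Accepted ..." lines as written to auth.log / journald. The trailing
# "<keytype> SHA256:<fingerprint>" part is only present for publickey logins.
ACCEPTED_RE = re.compile(
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+ ssh2"
    r"(?:: (?P<keytype>\S+) (?P<fp>SHA256:\S+))?"
)

# Constructed key fingerprints for the sample; they do not belong to real keys.
ALICE_FP = "SHA256:Zq9T3l1uXbQ2oYv8mKp1cW4dH6rS0eJ5nA7tL2gF8xY"
CAROL_FP = "SHA256:P0oI9uY8tR7eW6qA5sD4fG3hJ2kL1zX0cV9bN8mM7nB"

# Constructed auth.log excerpt from a period believed to be clean.
BASELINE_LOG = [
    f"Jul  1 08:01:12 bastion sshd[2101]: Accepted publickey for alice from 10.0.1.20 port 51022 ssh2: RSA {ALICE_FP}",
    "Jul  1 08:05:40 bastion sshd[2140]: Accepted password for bob from 10.0.1.21 port 40122 ssh2",
    "Jul  1 09:12:03 bastion sshd[2233]: Failed password for root from 203.0.113.9 port 22001 ssh2",
    f"Jul  2 08:03:55 bastion sshd[3010]: Accepted publickey for alice from 10.0.1.20 port 51230 ssh2: RSA {ALICE_FP}",
]

# Constructed excerpt from the period under investigation.
NEW_LOG = [
    f"Jul  6 10:20:11 bastion sshd[5100]: Accepted publickey for alice from 10.0.1.20 port 52001 ssh2: RSA {ALICE_FP}",
    f"Jul  6 10:41:37 bastion sshd[5188]: Accepted publickey for alice from 10.0.9.77 port 38744 ssh2: RSA {ALICE_FP}",
    "Jul  6 10:43:02 bastion sshd[5190]: Accepted password for bob from 10.0.9.77 port 38790 ssh2",
    f"Jul  6 11:00:00 bastion sshd[5250]: Accepted publickey for carol from 10.0.1.30 port 41000 ssh2: ED25519 {CAROL_FP}",
]


def parse_accepted(lines):
    """Yield a dict per successful login line; failed logins and noise are skipped."""
    for line in lines:
        m = ACCEPTED_RE.search(line)
        if m:
            yield m.groupdict()


def credential_of(event):
    """Key fingerprint for publickey logins, otherwise the method name (e.g. 'password')."""
    return event["fp"] or event["method"]


def build_baseline(lines):
    """Map (user, credential) -> set of source IPs seen in the known-good period."""
    baseline = defaultdict(set)
    for ev in parse_accepted(lines):
        baseline[(ev["user"], credential_of(ev))].add(ev["src"])
    return baseline


def find_new_sources(baseline, lines):
    """Return (user, credential, src, reason) for logins where a known credential
    appears from a source never seen in the baseline, or the credential itself
    is new. The first case is what re-use of a stolen key or password looks like."""
    alerts = []
    for ev in parse_accepted(lines):
        cred = credential_of(ev)
        known = baseline.get((ev["user"], cred))
        if known is None:
            alerts.append((ev["user"], cred, ev["src"], "unknown credential"))
        elif ev["src"] not in known:
            alerts.append((ev["user"], cred, ev["src"], "new source for known credential"))
    return alerts


def run_example():
    """Baseline from the clean week, then check the investigation period."""
    return find_new_sources(build_baseline(BASELINE_LOG), NEW_LOG)


if __name__ == "__main__":
    for user, cred, src, reason in run_example():
        print(f"{reason}: {user} with {cred} from {src}")
```

Two logins from 10.0.9.77 with alice's key and bob's password within minutes of each other is the pattern to look for: one foothold using several stolen credentials. Carol's key is flagged only because the baseline has never seen it; whether that is a new starter or a new attacker is for the analyst to decide, which is why the reason is kept separate in the output.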




Duncan

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
