Wikileaks
BothanSpy
https://www.wikileaks.org/vault7/
6 July, 2017
Today, July 6th 2017, WikiLeaks publishes documents from the BothanSpy and Gyrfalcon projects of the CIA. The implants described in both projects are designed to intercept and exfiltrate SSH credentials but work on different operating systems with different attack vectors. BothanSpy is an implant that targets the SSH client program Xshell on the Microsoft Windows platform and steals user credentials for all active SSH sessions. These credentials are either username and password in case of password-authenticated SSH sessions or username, filename of private SSH key and key password if public key authentication is used. BothanSpy can exfiltrate the stolen credentials to a CIA-controlled server (so the implant never touches the disk on the target system) or save it in an enrypted file for later exfiltration by other means. BothanSpy is installed as a Shellterm 3.x extension on the target machine. Gyrfalcon is an implant that targets the OpenSSH client on Linux platforms (centos,debian,rhel,suse,ubuntu). The implant can not only steal user credentials of active SSH sessions, but is also capable of collecting full or partial OpenSSH session traffic. All collected information is stored in an encrypted file for later exfiltration. It is installed and configured by using a CIA-developed root kit (JQC/KitV) on the target machine.

BothanSpy 1.0
Classification:SECRET//NOFORN
(S) Engineering Development Group (S) BothanSpy V1.0 (U) Tool Documentation Rev. 1.0 20 March 2015
Classified By: 2417940 Reason: 1.4(c)
Declassify On: 25X1, 20650309
Derived From: CIA NSCG COL S-06 SECRET//NOFORN
https://www.wikileaks.org/vault7/document/BothanSpy_1_0-S-NF/

Gyrfalcon 2.0 User Guide
Classification: SECRET//NOFORN
Gyrfalcon 2.0 Userʼs Guide November 26, 2013