WikiLeaks has dumped its newest Vault 7 documents, detailing the capabilities of two alleged CIA hacking tools dubbed BothanSpy and Gyrfalcon. The malware payloads have allegedly been designed to steal SSH credentials from systems running both Windows and Linux operating systems (OS).
According to WikiLeaks, while BothanSpy targets Windows computers, Gyrfalcon goes after Linux platforms. SSH credentials or Secure Shell credentials are cryptographic keys designed to securely access a remote computer or server. In other words, the two alleged CIA malware strains would allow spies to remotely hack into systems, likely without being detected.
What can BothanSpy do?
According to WikiLeaks, the malware implant targets the XShell program on Windows to steal user credentials, such as username, password, file name of private SSH key and key password, for all active SSH sessions.
"BothanSpy can exfiltrate the stolen credentials to a CIA-controlled server (so the implant never touches the disk on the target system) or save it in an enrypted file for later exfiltration by other means," WikiLeaks said.
How does Gyrfalcon work?
WikiLeaks says that Gyrfalcon targets Linux platforms, including centos, debian, rhel, suse and ubuntu. The malware is allegedly installed and configured via a rootkit developed by the spy agency.
"The implant can not only steal user credentials of active SSH sessions, but is also capable of collecting full or partial OpenSSH session traffic. All collected information is stored in an encrypted file for later exfiltration," WikiLeaks said.
This is WikiLeaks' 15<sup>th Vault 7 dump. The previous data dumps have detailed all the different alleged hacking tools the spy agency used to hack into various OS and devices, giving a glimpse of the CIA's pervasive tech powers.