WikiLeaks latest Vault7 offering includes two CIA hacking tools, BothanSpy and Gyrfalcon 2.0, which can swipe SSH credentials.
BothanSpy and Gyrfalcon target the Windows and Linux operating systems, respectively, reported Bleeping Computer.
According to the BothanSpy user manual, posted by Wikileaks and dating from 2015, this malware will “is a tool that targets the SSH client program Xshell and steals user credentials for all active SSH sessions. BothanSpy will exfiltrate the stolen credentials through the Fire and Collect (F&C) channel and out to disk on the attacker-side. By using F&C, BothanSpy never touches disk.”
The even older Gyrfalcon manual states “The application compresses, encrypts, and stores the collected data into a collection file kept on the Linux platform's file system. Gyrfalcon is capable of collecting full or partial OpenSSH session traffic including user name and passwords of OpenSSH users.
Bleeping Computer noted that WikiLeaks has previously released 13 pieces of malware the hacktivist group claims has been pulled from the CIA.