Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//NOFORN
3.4 (U) Compatibility
(S//NF) BothanSpy only works if Xshell is running on the target, and it has active sessions. Otherwise, Xshell is not storing credential information in the location BothanSpy will search.
(S//NF) Version 1.0 will 'officially' support the following versions of Xshell:
• Version 3, build 0288
• Version 4, build 0127
• Version 5, build 0497
• Version 5, build 0537
(S//NF) The term 'officially' means that these versions were available to the developer to test against. BothanSpy is written to handle versions not on the above list. BothanSpy takes a very paranoid approach when collecting credential information. However, there is always some risk (no matter how small it may be) to using BothanSpy against an untested/unofficial version of Xshell.
(S//NF) Practically speaking, using BothanSpy against versions of Xshell between version 4 build 0127 and version 5 build 0537 is likely extremely low risk; the changes between version 4 build 0127 and version 5 build 0497 were tiny. It is likely that versions in between will match either one of the two internally and BothanSpy will work just fine.
(S//NF) BothanSpy was tested against a copy of Xshell version 2 build 0910 (almost 9 years old). BothanSpy did not scrape credentials because of a critical difference between that version and versions 4/5. However, BothanSpy did not crash the process. Using BothanSpy against versions older than version 4 has a low risk, but it is still risky compared to using BothanSpy against versions 4/5 of Xshell. BothanSpy will not perform version checking at any stage. Make sure you understand the risk of using BothanSpy before using it against unknown versions. Feel free to contact the developer to ask specific questions about BothanSpy and its risks.
(S//NF) In order to use BothanSpy against targets running an x64 version of Windows, the loader being used must support Wow64 injection. Xshell only comes as an x86 binary, and thus BothanSpy is only compiled as x86. Shellterm 3.0+ supports Wow64 injection, and Shellterm is highly recommended.