Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//NOFORN
(S) BothanSpy 1.0
1 (U) Tool Summary
(S//NF) BothanSpy is a tool that targets the SSH client program Xshell and steals user
credentials for all active SSH sessions. BothanSpy exfiltrates the stolen credentials
through the Fire and Collect (F&C) channel and out to disk on the attacker side. Because
exfiltration goes over F&C, BothanSpy never touches disk on the target (see section 3.3
for the disk-writing Forget mode).
(S//NF) Many Bothan spies will die to bring you this information; remember their
sacrifice.
2 (U) Release Notes
(S//NF) Version 1.0 officially supports a handful of Xshell versions. See the compatibility
section for the list of supported versions.
3 (U) User's Guide
3.1 (U) Change Log
Table 1: (S) Change log (contents SECRET)
Revision | Date          | Author  | Notes
1.0      | 20 March 2015 | AED/RDB | Initial version.
3.2 (U) File Information
Table 2: (S) File information (contents SECRET//NOFORN)
BothanSpy.dll
BothanSpy.py
ice_handler.py
fnf_unpack.py
BothanSpy.dll.META.xml
3.3 (U) File/Registry Access
(U) No registry access
(S//NF) If the Forget mode (v3) is used, BothanSpy writes the stolen credentials to disk,
AES-encrypted, at the user-provided path. If Collect mode (v3) is used, there is zero
disk access on the target.