Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    August 2014
    S M T W T F S
    « Jul    
     12
    3456789
    10111213141516
    17181920212223
    24252627282930
    31  
  • About Us

    Sykipot is a malware family used as a backdoor that has been known since 2007, but continues to be active to this day. Recently, we have identified a new behavior from this old threat: it is now being used to gather intelligence about the civil aviation sector in the United States.

    Background

    The Sykipot malware family has been in use since 2007, with associated command-and-control (C&C) servers registered as early as 2006. It serves as a backdoor that an attacker can use to execute commands on the affected system. The malware also uploads and downloads files and can initiate timed SSL communication to C&C servers. These servers tend to use Netbox, a Windows server that allows deployment of ASP applications as standalone executables.

    Sykipot’s level of sophistication over time hasn’t necessarily advanced, but the consistent exploitation of zero-day attacks and the specific targeting indicates a certain level of expertise and funding to these operators.

    Targeted Industries

    Sykipot has a history of primarily targeting US Defense Initial Base (DIB) and key industries such as telecommunications, computer hardware, government contractors, and aerospace. Open source review of 15 major Sykipot attacks over the last 6 years confirm this.

    Recently, we encountered a case where Sykipot variants were gathering information related to the civil aviation sector.  The exploitation occurred at a target consistent with their history, the information sought raises new interest. The intentions of this latest round of targeting are unclear, but it represents a change in shift in objectives or mission.

    Attack Techniques

    Like most targeted attacks, Sykipot uses malicious attachments to spread. These contained exploits targeting various applications like Adobe Reader and Microsoft Office. However, since July 2012, this particular tactic has been on the wane. Attackers have favored drive-by exploits that target the operating system itself or applications like web browsers and Java in drive-by attacks.

    Once Sykipot is running on the victim’s machine, it establishes an SSL connection to a C&C server where more malicious files are then downloaded and installed on the victim’s machine. The capabilities of the Sykipot framework allow for arbitrary code and commands to be run.

    Notable Changes

    The change –  slowly moving away from file-based exploits and into DLL or process injection –  is a notable observation on the evolution of the campaign.  The closed source intelligence of the most recent attacks shows consistency in methodology, tools and exploited target entity, but examining the targeted data suggests the campaign expanded beyond the typical US DIB and into more civilian sectors and infrastructure.

    Sykipot has been known to use unique identifiers in its code that corresponded to C&C paths like in the following example:

    • https://{C&C domain}/asp/kys_allow_get.asp?name=getkys.kys&hostname={computer name}-{IP address}-{unique identifier}

    In later attacks, the above pattern was not seen. Instead, we saw the following string, which was not part of the URL and was further encrypted:

    • {hardcoded string}-{computer name}-{IP address}

    In addition, looking at the code shows the identifiers are changed as well. Previously, the format [wxyz][yymmdd] was sued. Now, the code contains the following snippet at address 0×10002050:

    sykipot-identifier-screenshot

    In this particular case, Y1 serves as the hardcoded string which we believe acts as an identifier.

    Other samples gathered from VirusTotal this year use the following strings:

    • Q1
    • X1
    • X5
    • X6

    Solutions and Conclusion

    The Sykipot variants related to these recent campaigns are detected as BKDR_SYKIPOT.AG.

    A major vector in the spread of Sykipot is the use of various software exploits through frequent use of zero-days.Thus, keeping systems updated and securely configured is the first technical defense against this campaign. However, organizations and users may have specific version requirements which may preclude upgrades. In such cases, virtual patching (or virtual shielding) may be of use. Trend Micro offers two solutions that enable administrators to deploy such solution: Deep Security and the Intrusion Defense Firewall.

    C&C connections of the Sykipot malware family is also detected by Deep Discovery, with the following rules:

    • Rule 551 – DNS APT DOMAINS
    • Rule 1045 – HTTP SYKIPOT REQUEST

    Since this attack typically arrives via email messages, it is important for organizations to implement an good social engineering program. This can help organizations, particularly employees, managers etc., to be wary of email messages that may carry malware related to campaigns like Sykipot.

    This campaign exercises just enough sophistication to be effective. It systematically targets significant US-based entities using tried and true methods for data exfiltration. Given its targets, successes, and perceived mission, it should be considered a serious threat not only to the US-based DIB. Other US sectors should also be aware and able to identify it.

    With additional analysis from Jay Yaneza and Jayronn Christian Bucu.





    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   del.icio.us   StumbleUpon




    Comments are closed.



     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice