Last week reports surfaced about a “zero-day” exploit for Adobe Reader (CVE-2011-2462) that had been actively used in targeted attacks beginning in November. The malicious PDFs were emailed to targets along with text encouraging the target to open the malicious attachment. If opened, the malware known as BKDR_SYKIPOT.B installs onto the target system. The reported targets have been the defense industry and government departments.
Targeted attacks are typically organized into campaigns. A campaign is a series of attacks against a variety of targets over time, not a set of isolated "smash and grab" attacks. While information about any particular incident may be less than complete, over time we aim to assemble the various pieces (attack vectors, malware, tools, infrastructure, targeting) to gain a broader understanding of the campaign as a whole.
The Sykipot campaign, which has been known by many names over the years, can be traced back to 2007 and possibly 2006. Here, I will focus on a few key incidents, though there have been a variety of attacks consistently over the years.
A similar attack occurred in September 2011 that used a government medical benefits document as lure. This attack also leveraged a zero-day exploit in Adobe Reader (CVE-2010-2883). In March 2010, the malware was used in conjunction with a zero-day exploit of Internet Explorer 6. That’s three zero-day exploits in the last two years.
Another attack was reported in September 2009 that leveraged CVE-2009-3957 using information about a defense conference and the identity of a well-known think-tank as lure. In August 2009, there was another attack targeting government employees leveraging the theme of emergency management and the identity of the Federal Emergency Management Agency (FEMA) as lure. The same command and control (C&C) server used in this attack was also used in a 2008 attack.
Finally, an attack was reported in February 2007 that used malicious Microsoft Excel files (CVE-2007-0671) to drop malware that is functionally similar and most likely the predecessor of BKDR_SYKIPOT.B. The C&C server used in this attack was used in attacks dating back to 2006.
| Date | Hash | Command and Control |
While the malware remained functionally similar over the years, there were also some changes. For example, early versions of the malware communicated with the C&C server in plaintext (HTTP), while the network traffic of later versions is encrypted (HTTPS).
We analyzed the DLL dropped by the 2007 version and by the 2011 version of the malware, and they are similar. In addition to using the same URL format for communication with the C&C server, the two DLLs use the exact same encryption key. The 2008 samples contain some differences: the attackers added, and later dropped, commands such as "findpass2000" and "port2000" that only work on Windows 2000.
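The linkage described above (samples tied together by a shared C&C server, a shared URL format, or a shared encryption key) is what lets analysts trace a campaign back across years. The following is an added example, not code from the original post or from Trend Micro: it clusters sample records into campaigns by treating any shared indicator value as a link and merging transitively with a union-find. Every sample id, host name, URL-format label and key label in it is a constructed placeholder, not a real Sykipot indicator.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample records. None of these values appear in the post; the
# ids, hosts, URL-format labels and key labels are placeholders only.
SAMPLES = [
    {"id": "sha-2006-a", "year": 2006, "c2": "c2-one.invalid",   "url_fmt": None,    "key": None},
    {"id": "sha-2007-a", "year": 2007, "c2": "c2-one.invalid",   "url_fmt": "fmt-1", "key": "key-1"},
    {"id": "sha-2008-a", "year": 2008, "c2": "c2-two.invalid",   "url_fmt": "fmt-1", "key": None},
    {"id": "sha-2009-a", "year": 2009, "c2": "c2-two.invalid",   "url_fmt": "fmt-1", "key": "key-1"},
    {"id": "sha-2011-a", "year": 2011, "c2": "c2-three.invalid", "url_fmt": "fmt-1", "key": "key-1"},
    {"id": "sha-other",  "year": 2011, "c2": "other.invalid",    "url_fmt": "fmt-9", "key": "key-9"},
]

# Indicator fields on which two samples are considered linked when they match.
LINK_FIELDS = ("c2", "url_fmt", "key")


def _find(parent: Dict[str, str], x: str) -> str:
    """Union-find root lookup with path compression."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def _union(parent: Dict[str, str], a: str, b: str) -> None:
    ra, rb = _find(parent, a), _find(parent, b)
    if ra != rb:
        parent[rb] = ra


def shared_indicators(samples, fields=LINK_FIELDS) -> Dict[Tuple[str, str], List[str]]:
    """Map each (field, value) seen in more than one sample to the sample ids that carry it."""
    by_value = defaultdict(list)
    for s in samples:
        for f in fields:
            v = s.get(f)
            if v:                      # None / empty means "indicator not recovered"
                by_value[(f, v)].append(s["id"])
    return {k: ids for k, ids in by_value.items() if len(ids) > 1}


def cluster_samples(samples, fields=LINK_FIELDS) -> List[List[str]]:
    """Group samples that share at least one indicator value, transitively.

    A 2006 sample that only shares a C&C host with a 2007 sample, which in turn
    shares a key with a 2011 sample, ends up in one cluster even though the 2006
    and 2011 samples share nothing directly.
    """
    parent = {s["id"]: s["id"] for s in samples}
    for ids in shared_indicators(samples, fields).values():
        for other in ids[1:]:
            _union(parent, ids[0], other)
    clusters = defaultdict(list)
    for s in samples:
        clusters[_find(parent, s["id"])].append(s["id"])
    return sorted(sorted(c) for c in clusters.values())


def campaign_spans(samples, fields=LINK_FIELDS) -> List[Tuple[int, int, int]]:
    """For each cluster return (earliest year, latest year, sample count)."""
    year = {s["id"]: s["year"] for s in samples}
    return [(min(year[i] for i in c), max(year[i] for i in c), len(c))
            for c in cluster_samples(samples, fields)]


if __name__ == "__main__":
    for c in cluster_samples(SAMPLES):
        print("cluster:", ", ".join(c))
    for (f, v), ids in sorted(shared_indicators(SAMPLES).items()):
        print(f"shared {f}={v}: {', '.join(ids)}")
    print("spans:", campaign_spans(SAMPLES))
```

The transitive merge is deliberate: the post links the 2007 and 2011 DLLs by URL format and key, and the 2007 dropper to 2006 activity only by C&C server, so no single indicator spans the whole campaign. The same property is also the main false-positive risk, since one shared commodity host (a free web host, a CDN) would merge otherwise unrelated clusters; in practice the link fields should be restricted to indicators that are specific to the actor, as the hard-coded encryption key is here.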
All of the samples over the years contain backdoor functionality that gives the attackers a remote shell on the compromised computer. While the old versions execute shell commands via cmd.exe, the new ones execute them via the WinExec API. Either way, this provides the attackers with full remote control of the victim.
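From a detection standpoint the shift from cmd.exe to WinExec matters less than it might seem: both paths end in a new process being created, and a process-creation event (Sysmon Event ID 1, or Windows Security event 4688) records the child and its parent regardless of which API launched it. The following is an added example, not code from the original post or from Trend Micro. It runs two host-based rules over constructed process-creation events: a command shell whose parent is a document reader or browser that was the lure's entry point (Adobe Reader, Excel and Internet Explorer, the three applications the post names), and a command shell whose parent executable runs from a user-writable temp directory. The event records, paths and user name are constructed placeholders; the parent-process names are real program file names chosen as an assumption about which parents are of interest.

```python
import ntpath
from typing import Dict, List, Optional, Tuple

# Assumption: these document readers / browsers are the delivery vehicles of
# interest, so a shell spawned directly by any of them is worth an alert.
LURE_PARENTS = {"acrord32.exe", "excel.exe", "iexplore.exe"}
SHELLS = {"cmd.exe"}

# Constructed process-creation events (Sysmon-style fields, values invented).
EVENTS = [
    {"id": 1, "parent": r"C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"id": 2, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"id": 3, "parent": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c ipconfig"},
    {"id": 4, "parent": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"id": 5, "parent": r"C:\Program Files\Microsoft Office\Office12\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
]


def _basename(path: str) -> str:
    """Case-folded file name of a Windows path (ntpath works on any platform)."""
    return ntpath.basename(path).lower()


def _in_user_temp(path: str) -> bool:
    """True when the executable lives under a per-user temp directory."""
    p = path.lower()
    return p.startswith("c:\\users\\") and "\\temp\\" in p


def classify(event: Dict) -> Optional[str]:
    """Return the name of the matching rule, or None when the event is benign."""
    if _basename(event["image"]) not in SHELLS:
        return None
    if _basename(event["parent"]) in LURE_PARENTS:
        return "shell_spawned_by_lure_application"
    if _in_user_temp(event["parent"]):
        return "shell_spawned_from_user_temp"
    return None


def flag_events(events: List[Dict]) -> List[Tuple[int, str]]:
    """Apply classify() to every event and return (event id, rule) for the hits."""
    hits = []
    for e in events:
        rule = classify(e)
        if rule:
            hits.append((e["id"], rule))
    return hits


if __name__ == "__main__":
    for event_id, rule in flag_events(EVENTS):
        print(f"event {event_id}: {rule}")
```

Event 2 (Explorer launching a shell for an interactive user) stays quiet, which is the point of keying on the parent rather than on cmd.exe itself. Event 4 also stays quiet, because a temp-resident binary launching Notepad is not the behaviour being looked for; if the threat model calls for catching any execution from temp directories, that is a separate, noisier rule.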
The Sykipot campaign remains a high priority threat.
* With analysis from Jonell Baltazar.