    Author Archive - Darin Dutcher (Targeted Attacks Researcher)

    Sykipot is a malware family used as a backdoor that has been known since 2007, but continues to be active to this day. Recently, we have identified a new behavior from this old threat: it is now being used to gather intelligence about the civil aviation sector in the United States.


    The Sykipot malware family has been in use since 2007, with associated command-and-control (C&C) servers registered as early as 2006. It serves as a backdoor that an attacker can use to execute commands on the affected system. The malware also uploads and downloads files and can initiate timed SSL communication to C&C servers. These servers tend to use Netbox, a Windows server that allows deployment of ASP applications as standalone executables.

    Sykipot’s level of sophistication over time hasn’t necessarily advanced, but the consistent exploitation of zero-day attacks and the specific targeting indicates a certain level of expertise and funding to these operators.

    Targeted Industries

    Sykipot has a history of primarily targeting the US Defense Industrial Base (DIB) and key industries such as telecommunications, computer hardware, government contractors, and aerospace. An open source review of 15 major Sykipot attacks over the last 6 years confirms this.

    Recently, we encountered a case where Sykipot variants were gathering information related to the civil aviation sector. While the exploitation occurred at a target consistent with their history, the information sought raises new interest. The intentions of this latest round of targeting are unclear, but it represents a shift in objectives or mission.

    Attack Techniques

    Like most targeted attacks, Sykipot uses malicious attachments to spread. These contained exploits targeting various applications like Adobe Reader and Microsoft Office. However, since July 2012, this particular tactic has been on the wane. Attackers have instead favored drive-by exploits that target the operating system itself or applications like web browsers and Java.

    Once Sykipot is running on the victim’s machine, it establishes an SSL connection to a C&C server where more malicious files are then downloaded and installed on the victim’s machine. The capabilities of the Sykipot framework allow for arbitrary code and commands to be run.

    Notable Changes

    The change, a slow move away from file-based exploits and toward DLL or process injection, is a notable observation on the evolution of the campaign. The closed source intelligence of the most recent attacks shows consistency in methodology, tools and exploited target entity, but examining the targeted data suggests the campaign expanded beyond the typical US DIB and into more civilian sectors and infrastructure.

    Sykipot has been known to use unique identifiers in its code that corresponded to C&C paths, as in the following example:

    • https://{C&C domain}/asp/kys_allow_get.asp?name=getkys.kys&hostname={computer name}-{IP address}-{unique identifier}

    In later attacks, the above pattern was not seen. Instead, we saw the following string, which was not part of the URL and was further encrypted:

    • {hardcoded string}-{computer name}-{IP address}

    In addition, looking at the code shows the identifiers have changed as well. Previously, the format [wxyz][yymmdd] was used. Now, the code contains the following snippet at address 0x10002050:


    In this particular case, Y1 serves as the hardcoded string which we believe acts as an identifier.

    Other samples gathered from VirusTotal this year use the following strings:

    • Q1
    • X1
    • X5
    • X6

    Solutions and Conclusion

    The Sykipot variants related to these recent campaigns are detected as BKDR_SYKIPOT.AG.

    A major vector in the spread of Sykipot is the use of various software exploits, including frequent use of zero-days. Thus, keeping systems updated and securely configured is the first technical defense against this campaign. However, organizations and users may have specific version requirements which may preclude upgrades. In such cases, virtual patching (or virtual shielding) may be of use. Trend Micro offers two solutions that enable administrators to deploy such a solution: Deep Security and the Intrusion Defense Firewall.

    C&C connections of the Sykipot malware family are also detected by Deep Discovery, with the following rules:

    • Rule 551 – DNS APT DOMAINS
    • Rule 1045 – HTTP SYKIPOT REQUEST

    Since this attack typically arrives via email messages, it is important for organizations to implement a good social engineering awareness program. This can help organizations, particularly employees, managers etc., to be wary of email messages that may carry malware related to campaigns like Sykipot.

    This campaign exercises just enough sophistication to be effective. It systematically targets significant US-based entities using tried and true methods for data exfiltration. Given its targets, successes, and perceived mission, it should be considered a serious threat not only to the US-based DIB. Other US sectors should also be aware and able to identify it.

    With additional analysis from Jay Yaneza and Jayronn Christian Bucu.

    Posted in Targeted Attacks | Comments Off on Sykipot Now Targeting US Civil Aviation Sector Information

    Although an estimated 1,000 websites, 35,000 email credentials, and over 100,000 Facebook accounts have been claimed as compromised since the announcement of #OpPetrol last month, attacker participation and the overall sophistication of the attacks leading into June 20 appears to be limited. These defacements and disclosures are consistent with what has been seen in recent operations, where the attacks did not seem to get much traction.

    An operation like #OpPetrol, however, allows opportunities for different attackers with different skill sets and agendas to join in the cause and execute their own missions. Furthermore, not all sectors have equal resiliency and countermeasures, so tempered caution with proactive security countermeasures is highly recommended.

    Our researchers have been monitoring the situation with a myriad of global threat intelligence resources. We traced malicious activities to the targeted sites and found IPs that have been identified in the past as compromised and being used as C&Cs by bot herders. It appears connections were made to the target sites with the intention of gaining further access or prepping for a DDoS.

    We also found that the malware CYCBOT is being used to drive the infected systems into the target sites. Initially emerging in 2011, CYCBOT has already been primarily used in the past to drive traffic to sites, particularly ad sites. It is known to be distributed via pay-per-install schemes.

    A significant number of targeted government websites in Kuwait, Qatar, and Saudi Arabia have gone offline after having received attacks from recently compromised IPs. These IPs statistically have not recently communicated to those government sites.

    We will continue to monitor this attack and report our findings. You can also check some steps on how you can keep your organization safe before, during, and after targeted attacks like these in my recent entry Anonymous’ #OpPetrol: What is it, What to Expect, Why Care?.

    Posted in Targeted Attacks | Comments Off on Anonymous #OpPetrol: Leading into June 20

    Last month, the hacker collective Anonymous announced their intention to launch cyber attacks against the petroleum industry (under the code name #OpPetrol) that is expected to last up to June 20.

    Their claimed reason for this attack is primarily that petroleum is sold in US dollars instead of the currency of the country where the petroleum originates. However, there have been some discussions seen online suggesting that the reason to launch new attacks was that both #OpIsrael and #OpUSA were regarded as ineffective.

    Users should note that June 20 is only the day that most attacks are expected to occur and/or be made public. Similar to last month’s #OpUSA, they have begun mobilizing prior to that date. Since the announcement of this operation, targets have been hit, credentials have been stolen, and the list of targets is already growing.

    It is also not uncommon for these activities to be used as a distraction to mask other attacks. Based on the collateral damage recorded from previous operations and data leaks outside publicized attack dates, their targeting and timing aren’t always precise either.

    An announced operation like this is a good opportunity for all current existing and potential targets to exercise the necessary steps to protect themselves. Everyone is a target eventually; there will always be vulnerabilities to be exploited for cause or profit.

    If your organization or the country you defend is a potential target in this operation, you should consider taking the following steps (see below) and possibly more. If you’re in any way connected to the targeted industries or located in one of the potential target countries, we advise that you consider going through these steps anyway. However, if you are not affected or linked to the expected targets, you may use these steps as proactive measures against attacks like #OpPetrol.

    Before June 20:

    • Ensure all IT systems (OSs, applications, websites, etc.) are updated.
    • Ensure IT security systems are current, have as wide a view as they can, and can inspect deeply. Can they detect and prevent the phases of an attack plan, and can they be integrated as part of a kill-chain? Can they observe indicators over the network, on disk, and in memory?
    • Ensure relevant third party vendors are aware and accessible.
    • Probe any anomalous network and system behavior and examine it. Reconnaissance phases of the attack are already in play. Opportunities for exploit are being logged and credentials are already being stolen. Solutions such as Trend Micro Deep Discovery can help you examine dubious network activities.
    • Remind your users to be particularly careful and watch out for phishing and spear-phishing emails.
    • Plan or review your incident response procedures with all necessary parties (not only IT groups). Explore how the planned response differs among DDoS, defacement, and disclosure.
    • Have IT Security, Attorneys, and External Communications departments prepare or review public statements in the event your organization is affected. Ask the question of “how your statements and response might differ if it wasn’t a hacktivist group, but a criminal, nation state, insider, or terrorist?”
    • Monitor the many Anonymous sources for any changes in targeting, tools, or motives, lists of accomplishments, or data dumps.

    On June 20:

    • Note that attackers may attack across different time zones, so it can last longer than the 24 hours in your time zone.
    • Continue to monitor Anonymous’ sources for any changes in targeting, tools, motives, lists of accomplishments, or data dumps.
    • Exercise a high level of awareness of your IT and IT Security systems and their logs; continue to apply questioning curiosity to anything interesting.
    • If you think your organization is affected, assume that you are affected by DDoS, defacement, and disclosure – and not just one of them.

    After June 20:

    • Continue to monitor Anonymous’ sources for any lists of accomplishments or data dumps.
    • If you’ve made it into Anonymous’ news, you’ll be remediating and designing against future occurrence.
    • If you didn’t make it in Anonymous’ news, review for any sign of breach, compromise, or excessive probing.
    • Remain vigilant, especially if you’re in the target list. The attacks may not be over.

    Similar to how DDoS, defacement, and disclosure tactics can distract and mask each other, so can threat actors. A hacktivist group’s activity can mask or distract criminal, nation state, insider, or even terrorist activity.

    Announced operations like these, with their relatively open disclosure of tactics, tools, and procedures, are golden opportunities for evaluation and improvement of countermeasures in real world scenarios. Taking advantage of these opportunities helps train people, process, and technology to recognize signals of a targeted attack regardless of whether it is publicly disclosed or covert.

    For more information on how targeted attacks work and how organizations can better protect themselves from such threats, you may refer to some of our previous entries here.

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice