
The Sykipot Campaign

  • Posted on: December 17, 2011 at 1:21 pm
  • Posted in: Exploits, Targeted Attacks
  • Author: Nart Villeneuve (Senior Threat Researcher)

Last week reports surfaced about a “zero-day” exploit for Adobe Reader (CVE-2011-2462) that had been actively used in targeted attacks since November. The malicious PDFs were emailed to targets together with text encouraging the recipient to open the attachment. If the attachment is opened, the exploit installs the malware detected as BKDR_SYKIPOT.B on the target system. The reported targets have been the defense industry and government departments.

Targeted attacks are typically organized into campaigns. A campaign is a series of attacks against a variety of targets over time, not a set of isolated “smash and grab” attacks. While information about any single incident may be incomplete, over time we aim to assemble the various pieces (attack vectors, malware, tools, infrastructure, targeting) to gain a broader understanding of the campaign as a whole.

The Sykipot campaign, which has been known by many names over the years, can be traced back to 2007 and possibly 2006. Here, I will focus on a few key incidents, though there have been a variety of attacks consistently over the years.

A similar attack occurred in September 2010 that used a government medical benefits document as a lure. That attack also leveraged a zero-day exploit in Adobe Reader (CVE-2010-2883). In March 2010, the malware was used in conjunction with a zero-day exploit for Internet Explorer 6. That is three zero-day exploits in the last two years.

Another attack was reported in September 2009 that leveraged CVE-2009-3957, using information about a defense conference and the identity of a well-known think tank as a lure. In August 2009, there was another attack targeting government employees that used the theme of emergency management and the identity of the Federal Emergency Management Agency (FEMA) as a lure. The command and control (C&C) domain used in this attack, marinetimemac.com, was also used in a December 2008 attack (under a different hostname; see the table below).

Finally, an attack was reported in February 2007 that used malicious Microsoft Excel files (CVE-2007-0671) to drop malware that is functionally similar to, and most likely the predecessor of, BKDR_SYKIPOT.B. The C&C server used in this attack was used in attacks dating back to 2006.


Date             MD5 hash                           Command and control server
September 2010   32dbd816b0b08878bd332eee299bbec4   www.mysundayparty.com
                 0ade988a4302a207926305618b4dad01
                 68f5a1faff35ad1ecaa1654b288f6cd9
March 2010       a4bdddf14cee3cc8f6d4875b956384d2   notes.topix21century.com
September 2009   e42f8e662d39a31b596d86504b9dc287   music.defense-association.com
                 590a6e6c811e41505bebd4a976b9e7f3
                 230040293ed381e32faa081b76634fcb
August 2009      126c0353957a506c0a3b41b0bdfb88ce   news.marinetimemac.com
December 2008    a1c8276b008b9386b36ef73b163a0c75   www.marinetimemac.com
February 2007    56055a77675058b614a282d9624b67f2   www.top10member.com
                 69ed09e31c06c7763a91c408d9ad9c10
                 271e3fa15a81c5b9e7543460808cfbeb

While the malware remained functionally similar over the years, there were also some changes. For example, early versions of the malware communicated with the C&C server in plaintext (HTTP), while later versions encrypt their network traffic (HTTPS), so for the newer samples only the C&C hostname, not the request URL, is visible on the wire.

We analyzed the DLLs dropped by the 2007 and the 2011 versions of the malware and found them to be similar. In addition to using the same URL format for communication with the C&C server, the two DLLs use exactly the same encryption key. The 2008 samples differ somewhat: the attackers added, and later dropped, commands such as “findpass2000” and “port2000” that only work on Windows 2000.

All of the samples over the years contain backdoor functionality that gives the attackers a remote shell on the compromised computer. While the old versions execute shell commands via cmd.exe, the new ones execute them via the WinExec API. Either way, this provides the attackers with full remote control of the victim.
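As an added worked example (my own code written for this page, not Trend Micro's tooling and not the malware itself), the following Python script turns the indicator table above into a matcher for two artifact sources an incident responder usually has at hand: proxy access logs and an md5sum-style file inventory. It assumes Squid's native access.log format and md5sum output; the sample log lines, client addresses, the update.marinetimemac.com hostname and the file paths are constructed for the demonstration. Two points from the analysis drive its design: because the later samples talk HTTPS, a proxy only sees a CONNECT to the hostname and never the URL, so matching is on hostname rather than on a URL pattern; and because marinetimemac.com was reused under different hostnames in 2008 and 2009, the matcher also flags previously unseen hostnames under a known C&C domain. The eTLD+1 helper is deliberately crude (last two labels) and is an assumption that holds for the .com domains in the table only.

```python
"""Match the Sykipot indicators from the table above against proxy logs and
a file-hash inventory. Added example, not Trend Micro code. The sample log
lines, client IPs and file paths below are constructed for the demonstration."""
import re

# MD5 -> C&C hostname, transcribed from the table in the post.
SYKIPOT_MD5 = {
    "32dbd816b0b08878bd332eee299bbec4": "www.mysundayparty.com",          # Sep 2010
    "0ade988a4302a207926305618b4dad01": "www.mysundayparty.com",
    "68f5a1faff35ad1ecaa1654b288f6cd9": "www.mysundayparty.com",
    "a4bdddf14cee3cc8f6d4875b956384d2": "notes.topix21century.com",       # Mar 2010
    "e42f8e662d39a31b596d86504b9dc287": "music.defense-association.com",  # Sep 2009
    "590a6e6c811e41505bebd4a976b9e7f3": "music.defense-association.com",
    "230040293ed381e32faa081b76634fcb": "music.defense-association.com",
    "126c0353957a506c0a3b41b0bdfb88ce": "news.marinetimemac.com",         # Aug 2009
    "a1c8276b008b9386b36ef73b163a0c75": "www.marinetimemac.com",          # Dec 2008
    "56055a77675058b614a282d9624b67f2": "www.top10member.com",            # Feb 2007
    "69ed09e31c06c7763a91c408d9ad9c10": "www.top10member.com",
    "271e3fa15a81c5b9e7543460808cfbeb": "www.top10member.com",
}
SYKIPOT_HOSTS = set(SYKIPOT_MD5.values())


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Assumption: adequate for the .com
    names in the table; a production matcher should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


# marinetimemac.com appears under two hostnames (www. in 2008, news. in 2009),
# so pivot on the registrable domain as well as on the exact hostname.
SYKIPOT_DOMAINS = {registrable_domain(h) for h in SYKIPOT_HOSTS}

# Squid native access.log: ts elapsed client code/status bytes method url ...
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)


def host_from_request(method, url):
    """Extract the destination hostname. For the HTTPS-era samples the proxy
    only sees 'CONNECT host:443'; the path is inside TLS, so the hostname is
    the only indicator available at this layer."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    m = re.match(r"^[a-z]+://([^/:?#]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else None


def scan_proxy_log(lines):
    """Return (client, host, reason) for each request touching Sykipot C&C."""
    hits = []
    for line in lines:
        m = SQUID_RE.match(line)
        if not m:
            continue
        host = host_from_request(m.group("method"), m.group("url"))
        if host is None:
            continue
        if host in SYKIPOT_HOSTS:
            hits.append((m.group("client"), host, "exact C&C hostname"))
        elif registrable_domain(host) in SYKIPOT_DOMAINS:
            hits.append((m.group("client"), host, "sibling hostname on known C&C domain"))
    return hits


MD5SUM_RE = re.compile(r"^([0-9a-fA-F]{32})\s+\*?(.+)$")


def triage_hashes(md5sum_lines):
    """Parse md5sum-style output ('<md5>  <path>') and return
    (path, md5, c2_host) for every known Sykipot sample, so a file hit tells
    the analyst which C&C hostname to hunt for in the network logs."""
    found = []
    for line in md5sum_lines:
        m = MD5SUM_RE.match(line.strip())
        if not m:
            continue
        digest, path = m.group(1).lower(), m.group(2)
        if digest in SYKIPOT_MD5:
            found.append((path, digest, SYKIPOT_MD5[digest]))
    return found


# Constructed sample data: IPs are documentation ranges, paths are invented.
SAMPLE_LOG = """\
1291000001.100    95 10.0.0.5 TCP_MISS/200 512 GET http://www.mysundayparty.com/ - DIRECT/203.0.113.10 text/html
1291000002.200   120 10.0.0.5 TCP_TUNNEL/200 8192 CONNECT news.marinetimemac.com:443 - DIRECT/203.0.113.11 -
1291000003.300    40 10.0.0.9 TCP_MISS/200 2048 GET http://www.example.com/ - DIRECT/203.0.113.12 text/html
1291000004.400    60 10.0.0.7 TCP_MISS/200 300 GET http://update.marinetimemac.com/ - DIRECT/203.0.113.11 text/html
"""
SAMPLE_MD5SUM = """\
d41d8cd98f00b204e9800998ecf8427e  ./Temp/empty.tmp
A4BDDDF14CEE3CC8F6D4875B956384D2  ./Temp/update.dll
"""

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print("network:", hit)
    for hit in triage_hashes(SAMPLE_MD5SUM.splitlines()):
        print("file:", hit)
```

Run as-is it reports the two exact C&C contacts from 10.0.0.5, the sibling-hostname contact from 10.0.0.7 (the constructed update.marinetimemac.com is not in the table, which is exactly why a domain pivot is worth having), and the one matching DLL hash together with the C&C hostname to look for next. The example.com request is ignored.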

The Sykipot campaign remains a high priority threat.

* With analysis from Jonell Baltazar.
