Last week reports surfaced about a “zero-day” exploit for Adobe Reader (CVE-2011-2462) that had been actively used in targeted attacks beginning in November. The malicious PDFs were emailed to targets along with text encouraging the target to open the malicious attachment. If opened, the malware known as BKDR_SYKIPOT.B installs onto the target system. The reported targets have been the defense industry and government departments.
Targeted attacks are typically organized into campaigns. Such a campaign commences as a series of attacks against a variety of targets over time – and not isolated “smash and grab” attacks. While information about any particular incident may be less than complete, over time we aim to assemble the various pieces (attack vectors, malware, tools, infrastructure, targeting) to gain a broader understanding of a campaign.
The Sykipot campaign, which has been known by many names over the years, can be traced back to 2007 and possibly 2006. Here, I will focus on a few key incidents, though there have been a variety of attacks consistently over the years.
A similar attack occurred in September 2011 that used a government medical benefits document as lure. This attack also leveraged a zero-day exploit in Adobe Reader (CVE-2010-2883). In March 2010, the malware was used in conjunction with a zero-day exploit of Internet Explorer 6. That’s three zero-day exploits in the last two years.
Another attack was reported in September 2009 that leveraged CVE-2009-3957 using information about a defense conference and the identity of a well-known think-tank as lure. In August 2009, there was another attack targeting government employees leveraging the theme of emergency management and the identity of the Federal Emergency Management Agency (FEMA) as lure. The same command and control (C&C) server used in this attack was also used in a 2008 attack.
Finally, an attack was reported in February 2007 that used malicious Microsoft Excel files (CVE-2007-0671) to drop malware that is functionally similar and most likely the predecessor of BKDR_SYKIPOT.B. The C&C server used in this attack was used in attacks dating back to 2006.
| Date | Hash | Command and Control |
| September 2010 |
32dbd816b0b08878bd332eee299bbec4 0ade988a4302a207926305618b4dad01 68f5a1faff35ad1ecaa1654b288f6cd9 |
www.mysundayparty.com |
| March 2010 | a4bdddf14cee3cc8f6d4875b956384d2 | notes.topix21century.com |
| September 2009 |
e42f8e662d39a31b596d86504b9dc287 590a6e6c811e41505bebd4a976b9e7f3 230040293ed381e32faa081b76634fcb |
music.defense-association.com |
| August 2009 | 126c0353957a506c0a3b41b0bdfb88ce | news.marinetimemac.com |
| December 2008 | a1c8276b008b9386b36ef73b163a0c75 | www.marinetimemac.com |
| February 2007 |
56055a77675058b614a282d9624b67f2 69ed09e31c06c7763a91c408d9ad9c10 271e3fa15a81c5b9e7543460808cfbeb |
www.top10member.com |
While the malware remained functionally similar over the years, there were also some changes. For example, early versions of the malware communicated with the C&C server in plaintext (HTTP), while the network traffic of later versions is encrypted (HTTPS).
We analyzed the DLL dropped by the 2007 and the 2011 version of the malware and they are similar. In addition to having the same URL format for communication with the C&C server the two DLLs also use the exact same encryption key. The 2008 samples contain some differences as the attackers added then later dropped some commands such as “findpass2000” and “port2000” that only work on Windows 2000.
All of the samples over the years contain a backdoor functionality that allows the attackers to have a remote shell on the compromised computers. While the old versions execute shell commands via cmd.exe, the new ones execute via the winexec API. This provides the attackers with full remote control of the victim.
The Sykipot campaign remains a high priority threat.
* With analysis from Jonell Baltazar.
