Attacks/Breaches
12/21/2011
03:40 PM
50%
50%

More Sykipot Malware Clues Point To China

Recent version of the malware, which spread using an Adobe Reader zero-day vulnerability, appeared to be seeking information relating to U.S. military drones.

The Sykipot malware used in recent, targeted attacks against defense contractors appears to have been designed, at least in part, to steal information relating to U.S. military drones and unmanned aerial vehicles.

To date, "there have been a lot of different campaigns with different command-and-control servers," said researchers at AlienVault Labs in a blog post. "The modus operandi is simple, they send emails with a malicious attachment or link, sometimes using a zero-day exploit [on] key employees of different organizations."

The Sykipot malware used in recent targeted attacks involved JavaScript-embedded malicious PDF files that were emailed to targets, and which exploited a zero-day Adobe Reader vulnerability that was recently patched.

But in targeted attacks, attackers often include information--in the form of attachments--that they think recipients will find interesting. Conversely, this highlights the type of information that attackers are seeking. Notably, all of the infections associated with a particular command-and-control (C&C) server for a Sykipot variant have been tied to a phishing email that includes information about the Boeing joint unmanned combat air system X-45, as well as the Boeing X-37 orbital vehicle.

[ Security consultants and the feds are tracking a dozen groups--all out of China--responsible for advanced threats. See 12 Groups Carry Out Most APT Attacks. ]

The AlienVault researchers found that the related attack campaigns appear to have been running since at least August 2011, although the command-and-control server used was first registered in March 2011.

Again, the drone-information-seeking Sykipot variant is but one of many. Symantec said it's seen "unconfirmed traces" of Sykipot dating as far back as 2006. But the Sykipot family of malware only appeared to become widespread last year, via obfuscated script files that exploited Internet Explorer vulnerabilities to execute arbitrary code.

Interestingly, the AlienVault researchers found that while many of the command-and-control servers involved in Sykipot appear to be based in the United States, it appears that attackers "used well-known public exploits to hack into U.S.-based servers and then [installed] ... software to proxy the connections between the infected systems and the real C&C server."

Most of those C&C servers use a Web server known as Netbox, which is a Windows-based server that allows developers to deploy ASP applications as standalone executables. All told, about 80% of the world's Netbox servers are located in China. Furthermore, the tool's documentation is available solely in Mandarin. That squares with previous research into Sykipot conducted by Symantec, which found that the malware produced Chinese-language error messages.

The AlienVault researchers also cross-referenced which of those Netbox servers were using a digital certificate that was known to have been employed as part of the Sykipot attacks. Ultimately, they matched seven IP addresses, all owned by "China Unicom Beijing province network." Of those, six appeared to point directly to a known Sykipot C&C server.

"Most of the domains used on these campaigns are registered on Xinnet, a Chinese domain registrant," said the researchers. "Also the information [for] the domain owners (names, addresses, etc.) are from China." But they said the ownership information wasn't reliable, since it could easily be faked. Even so, the evidence appears quite strong that whoever is behind Sykipot speaks Chinese, and may be based in China. Of course, whether they're state-backed hackers or freelance operators--perhaps working for businesses--remains unknown.

In other targeted attack news, the group behind the Nitro malware, which was designed to conduct industrial espionage against chemical companies, appears to still be at work. Notably, a Symantec blog post last week said that the most recent attacks feature an emailed zip archive, which is password-protected, and claims to be security software from Symantec.

In reality, however, the program is a Poison Ivy variant. That specific type of malware has been used in numerous attacks, including the Operation Aurora exploit against Google in late 2009, as well as in phishing emails that led to the successful exploit of RSA's SecurID system.

It's time to get going on data center automation. The cloud requires automation, and it'll free resources for other priorities. Download InformationWeek's Data Center Automation special supplement now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-0714
Published: 2015-05-02
Multiple cross-site scripting (XSS) vulnerabilities in Cisco Finesse Server 10.0(1), 10.5(1), 10.6(1), and 11.0(1) allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug ID CSCut53595.

CVE-2014-3598
Published: 2015-05-01
The Jpeg2KImagePlugin plugin in Pillow before 2.5.3 allows remote attackers to cause a denial of service via a crafted image.

CVE-2014-8361
Published: 2015-05-01
The miniigd SOAP service in Realtek SDK allows remote attackers to execute arbitrary code via a crafted NewInternalClient request.

CVE-2015-0237
Published: 2015-05-01
Red Hat Enterprise Virtualization (RHEV) Manager before 3.5.1 ignores the permission to deny snapshot creation during live storage migration between domains, which allows remote authenticated users to cause a denial of service (prevent host start) by creating a long snapshot chain.

CVE-2015-0257
Published: 2015-05-01
Red Hat Enterprise Virtualization (RHEV) Manager before 3.5.1 uses weak permissions on the directories shared by the ovirt-engine-dwhd service and a plugin during service startup, which allows local users to obtain sensitive information by reading files in the directory.

Dark Reading Radio
Archived Dark Reading Radio
Join security and risk expert John Pironti and Dark Reading Editor-in-Chief Tim Wilson for a live online discussion of the sea-changing shift in security strategy and the many ways it is affecting IT and business.