Attacks/Breaches
12/21/2011
03:40 PM
Connect Directly
RSS
E-Mail
50%
50%

More Sykipot Malware Clues Point To China

Recent version of the malware, which spread using an Adobe Reader zero-day vulnerability, appeared to be seeking information relating to U.S. military drones.

The Sykipot malware used in recent, targeted attacks against defense contractors appears to have been designed, at least in part, to steal information relating to U.S. military drones and unmanned aerial vehicles.

To date, "there have been a lot of different campaigns with different command-and-control servers," said researchers at AlienVault Labs in a blog post. "The modus operandi is simple, they send emails with a malicious attachment or link, sometimes using a zero-day exploit [on] key employees of different organizations."

The Sykipot malware used in recent targeted attacks involved JavaScript-embedded malicious PDF files that were emailed to targets, and which exploited a zero-day Adobe Reader vulnerability that was recently patched.

But in targeted attacks, attackers often include information--in the form of attachments--that they think recipients will find interesting. Conversely, this highlights the type of information that attackers are seeking. Notably, all of the infections associated with a particular command-and-control (C&C) server for a Sykipot variant have been tied to a phishing email that includes information about the Boeing joint unmanned combat air system X-45, as well as the Boeing X-37 orbital vehicle.

[ Security consultants and the feds are tracking a dozen groups--all out of China--responsible for advanced threats. See 12 Groups Carry Out Most APT Attacks. ]

The AlienVault researchers found that the related attack campaigns appear to have been running since at least August 2011, although the command-and-control server used was first registered in March 2011.

Again, the drone-information-seeking Sykipot variant is but one of many. Symantec said it's seen "unconfirmed traces" of Sykipot dating as far back as 2006. But the Sykipot family of malware only appeared to become widespread last year, via obfuscated script files that exploited Internet Explorer vulnerabilities to execute arbitrary code.

Interestingly, the AlienVault researchers found that while many of the command-and-control servers involved in Sykipot appear to be based in the United States, it appears that attackers "used well-known public exploits to hack into U.S.-based servers and then [installed] ... software to proxy the connections between the infected systems and the real C&C server."

Most of those C&C servers use a Web server known as Netbox, which is a Windows-based server that allows developers to deploy ASP applications as standalone executables. All told, about 80% of the world's Netbox servers are located in China. Furthermore, the tool's documentation is available solely in Mandarin. That squares with previous research into Sykipot conducted by Symantec, which found that the malware produced Chinese-language error messages.

The AlienVault researchers also cross-referenced which of those Netbox servers were using a digital certificate that was known to have been employed as part of the Sykipot attacks. Ultimately, they matched seven IP addresses, all owned by "China Unicom Beijing province network." Of those, six appeared to point directly to a known Sykipot C&C server.

"Most of the domains used on these campaigns are registered on Xinnet, a Chinese domain registrant," said the researchers. "Also the information [for] the domain owners (names, addresses, etc.) are from China." But they said the ownership information wasn't reliable, since it could easily be faked. Even so, the evidence appears quite strong that whoever is behind Sykipot speaks Chinese, and may be based in China. Of course, whether they're state-backed hackers or freelance operators--perhaps working for businesses--remains unknown.

In other targeted attack news, the group behind the Nitro malware, which was designed to conduct industrial espionage against chemical companies, appears to still be at work. Notably, a Symantec blog post last week said that the most recent attacks feature an emailed zip archive, which is password-protected, and claims to be security software from Symantec.

In reality, however, the program is a Poison Ivy variant. That specific type of malware has been used in numerous attacks, including the Operation Aurora exploit against Google in late 2009, as well as in phishing emails that led to the successful exploit of RSA's SecurID system.

It's time to get going on data center automation. The cloud requires automation, and it'll free resources for other priorities. Download InformationWeek's Data Center Automation special supplement now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1544
Published: 2014-07-23
Use-after-free vulnerability in the CERT_DestroyCertificate function in libnss3.so in Mozilla Network Security Services (NSS) 3.x, as used in Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7, allows remote attackers to execute arbitrary code via vectors that trigger cer...

CVE-2014-1547
Published: 2014-07-23
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1548
Published: 2014-07-23
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 31.0 and Thunderbird before 31.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1549
Published: 2014-07-23
The mozilla::dom::AudioBufferSourceNodeEngine::CopyFromInputBuffer function in Mozilla Firefox before 31.0 and Thunderbird before 31.0 does not properly allocate Web Audio buffer memory, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and applica...

CVE-2014-1550
Published: 2014-07-23
Use-after-free vulnerability in the MediaInputPort class in Mozilla Firefox before 31.0 and Thunderbird before 31.0 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) by leveraging incorrect Web Audio control-message ordering.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.