Attacks/Breaches
12/21/2011
03:40 PM
50%
50%

More Sykipot Malware Clues Point To China

Recent version of the malware, which spread using an Adobe Reader zero-day vulnerability, appeared to be seeking information relating to U.S. military drones.

The Sykipot malware used in recent, targeted attacks against defense contractors appears to have been designed, at least in part, to steal information relating to U.S. military drones and unmanned aerial vehicles.

To date, "there have been a lot of different campaigns with different command-and-control servers," said researchers at AlienVault Labs in a blog post. "The modus operandi is simple, they send emails with a malicious attachment or link, sometimes using a zero-day exploit [on] key employees of different organizations."

The Sykipot malware used in recent targeted attacks involved JavaScript-embedded malicious PDF files that were emailed to targets, and which exploited a zero-day Adobe Reader vulnerability that was recently patched.

But in targeted attacks, attackers often include information--in the form of attachments--that they think recipients will find interesting. Conversely, this highlights the type of information that attackers are seeking. Notably, all of the infections associated with a particular command-and-control (C&C) server for a Sykipot variant have been tied to a phishing email that includes information about the Boeing joint unmanned combat air system X-45, as well as the Boeing X-37 orbital vehicle.

[ Security consultants and the feds are tracking a dozen groups--all out of China--responsible for advanced threats. See 12 Groups Carry Out Most APT Attacks. ]

The AlienVault researchers found that the related attack campaigns appear to have been running since at least August 2011, although the command-and-control server used was first registered in March 2011.

Again, the drone-information-seeking Sykipot variant is but one of many. Symantec said it's seen "unconfirmed traces" of Sykipot dating as far back as 2006. But the Sykipot family of malware only appeared to become widespread last year, via obfuscated script files that exploited Internet Explorer vulnerabilities to execute arbitrary code.

Interestingly, the AlienVault researchers found that while many of the command-and-control servers involved in Sykipot appear to be based in the United States, it appears that attackers "used well-known public exploits to hack into U.S.-based servers and then [installed] ... software to proxy the connections between the infected systems and the real C&C server."

Most of those C&C servers use a Web server known as Netbox, which is a Windows-based server that allows developers to deploy ASP applications as standalone executables. All told, about 80% of the world's Netbox servers are located in China. Furthermore, the tool's documentation is available solely in Mandarin. That squares with previous research into Sykipot conducted by Symantec, which found that the malware produced Chinese-language error messages.

The AlienVault researchers also cross-referenced which of those Netbox servers were using a digital certificate that was known to have been employed as part of the Sykipot attacks. Ultimately, they matched seven IP addresses, all owned by "China Unicom Beijing province network." Of those, six appeared to point directly to a known Sykipot C&C server.

"Most of the domains used on these campaigns are registered on Xinnet, a Chinese domain registrant," said the researchers. "Also the information [for] the domain owners (names, addresses, etc.) are from China." But they said the ownership information wasn't reliable, since it could easily be faked. Even so, the evidence appears quite strong that whoever is behind Sykipot speaks Chinese, and may be based in China. Of course, whether they're state-backed hackers or freelance operators--perhaps working for businesses--remains unknown.

In other targeted attack news, the group behind the Nitro malware, which was designed to conduct industrial espionage against chemical companies, appears to still be at work. Notably, a Symantec blog post last week said that the most recent attacks feature an emailed zip archive, which is password-protected, and claims to be security software from Symantec.

In reality, however, the program is a Poison Ivy variant. That specific type of malware has been used in numerous attacks, including the Operation Aurora exploit against Google in late 2009, as well as in phishing emails that led to the successful exploit of RSA's SecurID system.

It's time to get going on data center automation. The cloud requires automation, and it'll free resources for other priorities. Download InformationWeek's Data Center Automation special supplement now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-9651
Published: 2015-08-28
Buffer overflow in CHICKEN 4.9.0.x before 4.9.0.2, 4.9.x before 4.9.1, and before 5.0 allows attackers to have unspecified impact via a positive START argument to the "substring-index[-ci] procedures."

CVE-2015-1171
Published: 2015-08-28
Stack-based buffer overflow in GSM SIM Utility (aka SIM Card Editor) 6.6 allows remote attackers to execute arbitrary code via a long entry in a .sms file.

CVE-2015-2987
Published: 2015-08-28
Type74 ED before 4.0 misuses 128-bit ECB encryption for small files, which makes it easier for attackers to obtain plaintext data via differential cryptanalysis of a file with an original length smaller than 128 bits.

CVE-2015-6266
Published: 2015-08-28
The guest portal in Cisco Identity Services Engine (ISE) 3300 1.2(0.899) does not restrict access to uploaded HTML documents, which allows remote attackers to obtain sensitive information from customized documents via a direct request, aka Bug ID CSCuo78045.

CVE-2015-5367
Published: 2015-08-27
The HP lt4112 LTE/HSPA+ Gobi 4G module with firmware before 12.500.00.15.1803 on EliteBook, ElitePad, Elite, ProBook, Spectre, ZBook, and mt41 Thin Client devices allows local users to gain privileges via unspecified vectors.

Dark Reading Radio
Archived Dark Reading Radio
Another Black Hat is in the books and Dark Reading was there. Join the editors as they share their top stories, biggest lessons, and best conversations from the premier security conference.