Attacks/Breaches
12/21/2011
03:40 PM
Connect Directly
RSS
E-Mail
50%
50%

More Sykipot Malware Clues Point To China

Recent version of the malware, which spread using an Adobe Reader zero-day vulnerability, appeared to be seeking information relating to U.S. military drones.

The Sykipot malware used in recent, targeted attacks against defense contractors appears to have been designed, at least in part, to steal information relating to U.S. military drones and unmanned aerial vehicles.

To date, "there have been a lot of different campaigns with different command-and-control servers," said researchers at AlienVault Labs in a blog post. "The modus operandi is simple, they send emails with a malicious attachment or link, sometimes using a zero-day exploit [on] key employees of different organizations."

The Sykipot malware used in recent targeted attacks involved JavaScript-embedded malicious PDF files that were emailed to targets, and which exploited a zero-day Adobe Reader vulnerability that was recently patched.

But in targeted attacks, attackers often include information--in the form of attachments--that they think recipients will find interesting. Conversely, this highlights the type of information that attackers are seeking. Notably, all of the infections associated with a particular command-and-control (C&C) server for a Sykipot variant have been tied to a phishing email that includes information about the Boeing joint unmanned combat air system X-45, as well as the Boeing X-37 orbital vehicle.

[ Security consultants and the feds are tracking a dozen groups--all out of China--responsible for advanced threats. See 12 Groups Carry Out Most APT Attacks. ]

The AlienVault researchers found that the related attack campaigns appear to have been running since at least August 2011, although the command-and-control server used was first registered in March 2011.

Again, the drone-information-seeking Sykipot variant is but one of many. Symantec said it's seen "unconfirmed traces" of Sykipot dating as far back as 2006. But the Sykipot family of malware only appeared to become widespread last year, via obfuscated script files that exploited Internet Explorer vulnerabilities to execute arbitrary code.

Interestingly, the AlienVault researchers found that while many of the command-and-control servers involved in Sykipot appear to be based in the United States, it appears that attackers "used well-known public exploits to hack into U.S.-based servers and then [installed] ... software to proxy the connections between the infected systems and the real C&C server."

Most of those C&C servers use a Web server known as Netbox, which is a Windows-based server that allows developers to deploy ASP applications as standalone executables. All told, about 80% of the world's Netbox servers are located in China. Furthermore, the tool's documentation is available solely in Mandarin. That squares with previous research into Sykipot conducted by Symantec, which found that the malware produced Chinese-language error messages.

The AlienVault researchers also cross-referenced which of those Netbox servers were using a digital certificate that was known to have been employed as part of the Sykipot attacks. Ultimately, they matched seven IP addresses, all owned by "China Unicom Beijing province network." Of those, six appeared to point directly to a known Sykipot C&C server.

"Most of the domains used on these campaigns are registered on Xinnet, a Chinese domain registrant," said the researchers. "Also the information [for] the domain owners (names, addresses, etc.) are from China." But they said the ownership information wasn't reliable, since it could easily be faked. Even so, the evidence appears quite strong that whoever is behind Sykipot speaks Chinese, and may be based in China. Of course, whether they're state-backed hackers or freelance operators--perhaps working for businesses--remains unknown.

In other targeted attack news, the group behind the Nitro malware, which was designed to conduct industrial espionage against chemical companies, appears to still be at work. Notably, a Symantec blog post last week said that the most recent attacks feature an emailed zip archive, which is password-protected, and claims to be security software from Symantec.

In reality, however, the program is a Poison Ivy variant. That specific type of malware has been used in numerous attacks, including the Operation Aurora exploit against Google in late 2009, as well as in phishing emails that led to the successful exploit of RSA's SecurID system.

It's time to get going on data center automation. The cloud requires automation, and it'll free resources for other priorities. Download InformationWeek's Data Center Automation special supplement now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-6278
Published: 2014-09-30
GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and m...

CVE-2014-6805
Published: 2014-09-30
The weibo (aka magic.weibo) application 1.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6806
Published: 2014-09-30
The Thanodi - Setswana Translator (aka com.thanodi.thanodi) application 1.0.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6807
Published: 2014-09-30
The OLA School (aka com.conduit.app_00f9890a4f0145f2aae9d714e20b273a.app) application 1.2.7.132 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6808
Published: 2014-09-30
The Active 24 (aka com.zentity.app.active24) application 1.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
In our next Dark Reading Radio broadcast, we’ll take a close look at some of the latest research and practices in application security.