Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:49 PM
Connect Directly

Sykipot Malware Now Steals Smart-Card Credentials

New variant of malware used by advanced persistent threat (APT) actors out of China challenges DoD, other organizations’ two-factor authentication

An infamous family of malware used in cyberespionage attacks out of China can now hijack a user’s smart-card credentials.

Researchers at AlienVault have discovered a new variant of the Sykipot malware family that steals smart-card credentials of Department of Defense (DoD) and other users. Sykipot has been in action since around 2007 for launching targeted attacks via spear-phishing emails to the DoD community. And that community employs PC/SC x509 smart cards for multifactor authentication of its users.

The new Sykipot variant appears to have been in the wild for months: Researcher Jaime Blasco found that it was first compiled in March 2011, and since then it has been spotted in dozens of attack samples. Blasco says he has no information on whether the attackers were successful in pilfering DoD or other smart-card credentials, but his lab has proved that it works, so it’s likely to have been used in some hacks.

“We have tested the malware and, in fact, it is working,” Blasco says. “It’s likely they got inside protected systems and gained access using this malware.”

AlienVault researchers believe one group of attackers is and has been behind the malware. “We believe it’s the same group of attackers. They have been using the same techniques, even sharing some parts of the code in other attacks,” Blasco says. “It’s related to another one we reported a month ago.”

Blasco is referring to a targeted attack campaign with Sykipot that exploited a zero-day Adobe Reader flaw to send malicious PDF files that included information lures about drone spy plans, such as the Boeing joint unmanned combat air system X-45 and the Boeing X-37 orbital vehicle.

Symantec researchers in early December said the PDF zero-day attack was part of a larger, longer-term targeted attack campaign aimed mainly at stealing intellectual property from the U.S. and U.K. industries and government agencies -- including defense contractors, telecommunications firms, computer hardware companies, chemical companies, and energy companies.

The attacks first came to light when Adobe alerted users that its Adobe Reader and Acrobat were under attack via a previously unknown flaw in the software that lets an attacker crash the app and wrest control of the victim's machine.

"The goal of Sykipot attackers is to obtain sensitive documents to high level executives within a variety of target organizations, of which the vast majority have been defense related. Considering the long-running campaign history of the attackers and their previous use of zero-day exploits, future versions of Sykipot that are delivered using another zero day are likely," Symantec warned in a blog post last month.

The Sykipot attackers typically send spear-phishing emails to employees who might have access to sensitive information. In the newest variant, the malware employs a keylogger to steal PINs for the smart cards. Once a user scans his card into the card reader, the malware poses as the authenticated user and hijacks the information.

Blasco says this is the first malware his team has seen that steals smart-card credentials.

[Security consultants and the feds are tracking a dozen groups responsible for advanced threats -- all out of China. See Dastardly Dozen: A Few APT Groups Carry Out Most Attacks.]

The attackers list the certificates on the victim’s machine (including the smart card’s) and then grab the PIN via the keylogger. They then use those credentials to log into machines that are accessible via the smart cards. In another clue that the attackers are targeting DoD users, the researchers discovered a software module that handles ActivIdentity’s ActivClient -- a smart-card-based authentication client used in the DoD’s Common Access Card (CAC) system.

This gives the attackers carte blanche into any secured systems, while the CAC or other smart card is in the reader. “This is similar to what Mandiant described on the 2011 M-Trends report as a 'Smart Card Proxy.' While trojans that have targeted smartcards are not new, there is obvious significance to the targeting of a particular smartcard system in wide deployment by the US DoD and other government agencies, particularly given the nature of the information the attackers seem to be targeting for exfiltration,” AlienVault wrote it a blog post today that provides technical details on the attack.

So how can the DoD and other organizations protect their smart-card users from this attack? “One way is to add another layer of authentication,” such as a one-time password, Blasco says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
1/13/2012 | 10:03:34 AM
re: Sykipot Malware Now Steals Smart-Card Credentials
Smart cards used widely used all over the world and it is to secured more because the smart transaction is more in shopping , bank accounts etc . this is a useful contend and should be awared of it
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/13/2020
Where are the 'Great Exits' in the Data Security Market?
Dave Cole, Cofounder and CEO, Open Raven,  10/13/2020
Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-19
Sprecher SPRECON-E firmware prior to 8.64b might allow local attackers with access to engineering data to insert arbitrary code. This firmware lacks the validation of the input values on the device side, which is provided by the engineering software during parameterization. Attackers with access to ...
PUBLISHED: 2020-10-19
In JetBrains YouTrack before 2020.2.10514, SSRF is possible because URL filtering can be escaped.
PUBLISHED: 2020-10-19
A DNS rebinding vulnerability in the UPnP MediaServer implementation in Freebox Server before 4.2.3.
PUBLISHED: 2020-10-19
A ictexpertcsvdownload expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).
PUBLISHED: 2020-10-19
A perfaddormoddevicemonitor expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).