Sykipot Malware Now Steals Smart-Card Credentials

An infamous family of malware used in cyberespionage attacks out of China can now hijack a user’s smart-card credentials.

Researchers at AlienVault have discovered a new variant of the Sykipot malware family that steals smart-card credentials of Department of Defense (DoD) and other users. Sykipot has been in action since around 2007 for launching targeted attacks via spear-phishing emails to the DoD community. And that community employs PC/SC x509 smart cards for multifactor authentication of its users.

The new Sykipot variant appears to have been in the wild for months: Researcher Jaime Blasco found that it was first compiled in March 2011, and since then it has been spotted in dozens of attack samples. Blasco says he has no information on whether the attackers were successful in pilfering DoD or other smart-card credentials, but his lab has proved that it works, so it’s likely to have been used in some hacks.

“We have tested the malware and, in fact, it is working,” Blasco says. “It’s likely they got inside protected systems and gained access using this malware.”

AlienVault researchers believe one group of attackers is and has been behind the malware. “We believe it’s the same group of attackers. They have been using the same techniques, even sharing some parts of the code in other attacks,” Blasco says. “It’s related to another one we reported a month ago.”

Blasco is referring to a targeted attack campaign with Sykipot that exploited a zero-day Adobe Reader flaw to send malicious PDF files that included information lures about drone spy plans, such as the Boeing joint unmanned combat air system X-45 and the Boeing X-37 orbital vehicle.

Symantec researchers in early December said the PDF zero-day attack was part of a larger, longer-term targeted attack campaign aimed mainly at stealing intellectual property from the U.S. and U.K. industries and government agencies -- including defense contractors, telecommunications firms, computer hardware companies, chemical companies, and energy companies.

The attacks first came to light when Adobe alerted users that its Adobe Reader and Acrobat were under attack via a previously unknown flaw in the software that lets an attacker crash the app and wrest control of the victim's machine.

"The goal of Sykipot attackers is to obtain sensitive documents to high level executives within a variety of target organizations, of which the vast majority have been defense related. Considering the long-running campaign history of the attackers and their previous use of zero-day exploits, future versions of Sykipot that are delivered using another zero day are likely," Symantec warned in a blog post last month.

The Sykipot attackers typically send spear-phishing emails to employees who might have access to sensitive information. In the newest variant, the malware employs a keylogger to steal PINs for the smart cards. Once a user scans his card into the card reader, the malware poses as the authenticated user and hijacks the information.

Blasco says this is the first malware his team has seen that steals smart-card credentials.

[Security consultants and the feds are tracking a dozen groups responsible for advanced threats -- all out of China. See Dastardly Dozen: A Few APT Groups Carry Out Most Attacks.]

The attackers list the certificates on the victim’s machine (including the smart card’s) and then grab the PIN via the keylogger. They then use those credentials to log into machines that are accessible via the smart cards. In another clue that the attackers are targeting DoD users, the researchers discovered a software module that handles ActivIdentity’s ActivClient -- a smart-card-based authentication client used in the DoD’s Common Access Card (CAC) system.

This gives the attackers carte blanche into any secured systems, while the CAC or other smart card is in the reader. “This is similar to what Mandiant described on the 2011 M-Trends report as a 'Smart Card Proxy.' While trojans that have targeted smartcards are not new, there is obvious significance to the targeting of a particular smartcard system in wide deployment by the US DoD and other government agencies, particularly given the nature of the information the attackers seem to be targeting for exfiltration,” AlienVault wrote it a blog post today that provides technical details on the attack.

So how can the DoD and other organizations protect their smart-card users from this attack? “One way is to add another layer of authentication,” such as a one-time password, Blasco says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.