Sykipot Now Targeting US Civil Aviation Sector Information
Sykipot is a malware family used as a backdoor that has been known since 2007, but continues to be active to this day. Recently, we have identified a new behavior from this old threat: it is now being used to gather intelligence about the civil aviation sector in the United States.
Background
The Sykipot malware family has been in use since 2007, with associated command-and-control (C&C) servers registered as early as 2006. It serves as a backdoor that an attacker can use to execute commands on the affected system. The malware also uploads and downloads files and can initiate timed SSL communication to C&C servers. These servers tend to use Netbox, a Windows server that allows deployment of ASP applications as standalone executables.
Sykipot’s level of sophistication hasn’t necessarily advanced over time, but the consistent use of zero-day exploits and the specific targeting indicate a certain level of expertise and funding behind these operators.
Targeted Industries
Sykipot has a history of primarily targeting the US Defense Industrial Base (DIB) and key industries such as telecommunications, computer hardware, government contractors, and aerospace. An open source review of 15 major Sykipot attacks over the last 6 years confirms this.
Recently, we encountered a case where Sykipot variants were gathering information related to the civil aviation sector. While the exploitation occurred at a target consistent with their history, the information sought raises new interest. The intentions of this latest round of targeting are unclear, but it represents a shift in objectives or mission.
Attack Techniques
Like most targeted attacks, Sykipot spreads through malicious email attachments. These contained exploits for applications such as Adobe Reader and Microsoft Office. Since July 2012, however, this particular tactic has been on the wane: attackers have favored drive-by exploits that target the operating system itself or applications like web browsers and Java.
Once Sykipot is running on the victim’s machine, it establishes an SSL connection to a C&C server where more malicious files are then downloaded and installed on the victim’s machine. The capabilities of the Sykipot framework allow for arbitrary code and commands to be run.
Notable Changes
The change – a gradual move away from file-based exploits toward DLL or process injection – is a notable observation on the evolution of the campaign. Closed source intelligence on the most recent attacks shows consistency in methodology, tools and targeted entity, but examining the data sought suggests the campaign has expanded beyond the typical US DIB and into more civilian sectors and infrastructure.
Sykipot has been known to use unique identifiers in its code that correspond to C&C paths, as in the following example:
- https://{C&C domain}/asp/kys_allow_get.asp?name=getkys.kys&hostname={computer name}-{IP address}-{unique identifier}
In later attacks, the above pattern was not seen. Instead, we saw the following string, which was not part of the URL and was further encrypted:
- {hardcoded string}-{computer name}-{IP address}
In addition, looking at the code shows that the identifiers have changed as well. Previously, the format [wxyz][yymmdd] was used. Now, the code contains the following snippet at address 0x10002050:
In this particular case, Y1 serves as the hardcoded string which we believe acts as an identifier.
Other samples gathered from VirusTotal this year use the following strings:
- Q1
- X1
- X5
- X6
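The two beacon formats above (the older URL with a `{computer name}-{IP address}-{unique identifier}` hostname field, and the later `{hardcoded string}-{computer name}-{IP address}` marker string) are easy to check for in proxy logs and decrypted beacon bodies. The following is an added example written for this page, not Trend Micro’s detection logic and not code from the malware: it scans constructed proxy log lines for the `kys_allow_get.asp` beacon URL, splits the victim fields, validates the older `[wxyz][yymmdd]` identifier (assumed here to mean four alphanumeric characters followed by a six-digit date), and checks a decrypted marker string against the hardcoded strings listed above. The C&C domain and log lines are placeholders.

```python
"""Parse Sykipot-style C&C beacons from proxy logs and decrypted beacon bodies.
Example code written for this page; not Trend Micro's rules and not malware code.
Log lines, hostnames and the C&C domain below are constructed for illustration."""
import ipaddress
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Beacon path and query parameter quoted in the post.
BEACON_PATH = "/asp/kys_allow_get.asp"
BEACON_NAME = "getkys.kys"

# Hardcoded marker strings from the post: Y1 from the analysed sample,
# the rest from VirusTotal samples.
KNOWN_MARKERS = {"Y1", "Q1", "X1", "X5", "X6"}

# Older identifier format [wxyz][yymmdd]; assumption: four alphanumeric
# characters followed by a six-digit yymmdd date.
OLD_ID_RE = re.compile(r"^(?P<tag>[A-Za-z0-9]{4})(?P<date>\d{6})$")

# Constructed sample proxy log: timestamp, client IP, method, URL.
SAMPLE_LOG = [
    "2013-01-14T10:22:01Z 10.0.3.7 GET https://cnc.example.invalid/asp/kys_allow_get.asp?name=getkys.kys&hostname=WKSTN01-10.0.3.7-wxyz121105",
    "2013-01-14T10:22:05Z 10.0.3.8 GET https://www.example.invalid/index.html",
    "2013-01-14T10:23:11Z 10.0.3.9 GET https://cnc.example.invalid/asp/kys_allow_get.asp?name=getkys.kys&hostname=HR-LAPTOP-10.0.3.9-abcd130101",
    "2013-01-14T10:24:00Z 10.0.3.10 GET https://cnc.example.invalid/asp/other.asp?name=getkys.kys&hostname=X-10.0.3.10-zzzz000000",
]


def _valid_ipv4(text):
    try:
        return isinstance(ipaddress.ip_address(text), ipaddress.IPv4Address)
    except ValueError:
        return False


def parse_old_identifier(ident):
    """Split a [wxyz][yymmdd] identifier into (tag, date); None if malformed."""
    m = OLD_ID_RE.match(ident)
    if not m:
        return None
    try:
        build_date = datetime.strptime(m.group("date"), "%y%m%d").date()
    except ValueError:  # e.g. month 13
        return None
    return m.group("tag"), build_date


def parse_beacon_url(url):
    """Return victim fields from a beacon URL matching the post's pattern, else None."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.path != BEACON_PATH:
        return None
    query = parse_qs(parts.query)
    if query.get("name") != [BEACON_NAME] or "hostname" not in query:
        return None
    # Computer names may contain hyphens; the IPv4 address and the
    # identifier do not, so split the last two fields from the right.
    fields = query["hostname"][0].rsplit("-", 2)
    if len(fields) != 3 or not _valid_ipv4(fields[1]):
        return None
    computer, ip, ident = fields
    return {
        "cnc_host": parts.hostname,
        "computer": computer,
        "victim_ip": ip,
        "identifier": ident,
        "identifier_parts": parse_old_identifier(ident),
    }


def parse_marker_string(text):
    """Parse the later {marker}-{computer name}-{IP address} form, which is only
    visible after the beacon body has been decrypted. Returns a dict or None."""
    marker, sep, rest = text.partition("-")
    if not sep:
        return None
    computer, sep, ip = rest.rpartition("-")
    if not sep or not computer or not _valid_ipv4(ip):
        return None
    return {"marker": marker, "computer": computer, "victim_ip": ip,
            "known_marker": marker in KNOWN_MARKERS}


def scan_proxy_log(lines):
    """Return (line, parsed fields) for every log line carrying a beacon URL."""
    hits = []
    for line in lines:
        for token in line.split():
            if token.startswith("https://"):
                parsed = parse_beacon_url(token)
                if parsed:
                    hits.append((line, parsed))
    return hits


if __name__ == "__main__":
    for line, fields in scan_proxy_log(SAMPLE_LOG):
        print(fields["computer"], fields["victim_ip"], fields["identifier_parts"])
    print(parse_marker_string("Y1-HR-LAPTOP-10.0.3.9"))
```

Splitting the hostname field from the right matters in practice: Windows computer names routinely contain hyphens, so a naive `split("-")` would misattribute the fields. A hit with a well-formed `[wxyz][yymmdd]` identifier or a known marker string is a strong indicator; a hit on the path alone is still worth escalating, since the identifier scheme is what changed between campaigns.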
Solutions and Conclusion
The Sykipot variants related to these recent campaigns are detected as BKDR_SYKIPOT.AG.
A major vector in the spread of Sykipot is the use of software exploits, frequently against zero-day vulnerabilities. Thus, keeping systems updated and securely configured is the first technical defense against this campaign. However, organizations and users may have specific version requirements that preclude upgrades. In such cases, virtual patching (or virtual shielding) may be of use. Trend Micro offers two solutions that enable administrators to deploy such a solution: Deep Security and the Intrusion Defense Firewall.
C&C connections of the Sykipot malware family are also detected by Deep Discovery, with the following rules:
- Rule 551 – DNS APT DOMAINS
- Rule 1045 – HTTP SYKIPOT REQUEST
Since this attack typically arrives via email, it is important for organizations to implement a good awareness program against social engineering. This can help employees, managers and others to be wary of email messages that may carry malware related to campaigns like Sykipot.
This campaign exercises just enough sophistication to be effective. It systematically targets significant US-based entities using tried and true methods for data exfiltration. Given its targets, successes, and perceived mission, it should be considered a serious threat not only to the US-based DIB. Other US sectors should also be aware and able to identify it.
With additional analysis from Jay Yaneza and Jayronn Christian.
Post from: Trendlabs Security Intelligence Blog – by Trend Micro