New Sykipot developments
March 21, 2013
During the last few years, we have been publishing about a group of hackers who have focused on targeting DIB (Defence Industrial Base) and other government organizations:
Sykipot are a highly skilled group of individuals who have exploited a wide range of zeroday vulnerabilities in the last few years including:
|CVE-2010-3654||2010-10-28||Adobe Flash Player|
In this blog post we will unveil the new vulnerabilities that this group have used using during the last 8 months and we will publish the new infrastructure they have used. We will expose several examples of the campaigns they have launched and new versions of the Sykipot backdoor they have used to access the compromised systems. We have found evidences that show they have exploited at least the following vulnerabilities during the last few months:
|CVE-2012-4969||09/16/2012||Microsoft Internet Explorer|
|CVE-2013-0640||02/12/2012||Adobe Acrobat Reader|
Several times the date of the exploit was a few days after the vulnerability had been disclosed and there wasn’t a patch released by the vendor.
In the past most of the campaigns which we found related to the Sykipot actors were based on SpearPhishing mails with attachments that exploited vulnerabilities in software like Microsoft Office, Adobe Flash, Adobe PDF and some times Internet Explorer. During the last 8-10 months we have seen a change and the number of SpearPhishing campaigns which have included a link instead of an attachment and this has increased. Once the victim clicks in the link the attackers will use vulnerabilities in Internet Explorer, Java, etc to access the system.
Some examples of the campaigns they have launched are detailed below.
gsasmartpay.org - 2012-06-20
The last summer, we found a malicious site that the Sykipot actors set up to try and phish government employees. When the victim visited the link the following page appeared:
As we can see it shows the information present in https://smartpay.gsa.gov/cardholders.
“The GSA SmartPay program, established in 1998, is the largest charge card program in the world serving more than 350 federal agencies, organizations, and Native American tribal governments. In FY10, approximately 98.9M transactions were made and $30.2B were charged using the GSA SmartPay charge cards, creating $325.9M in refunds.”
“Eligibility for the program is determined by the GSA SmartPay Contracting Officer. Federal agencies, departments, tribal organizations, and approved non-federal entities can apply to obtain charge card services under the GSA SmartPay program.”
If we take a look at the malicious files we will find that it was exploiting CVE-2012-1889 in the background:
During the exploitation it will load the following files as well:
We are not going to show how this vulnerability is exploited since we have showed it in previous blog posts, you can find a good description here.
searching-job.net is another domain registered by the Sykipot actors (registered by email@example.com on 06-20-2012) that was also serving the same exploit at that time:
Apart from gsasmartpay.org we have found several domains registered by the Sykipot actors that they have probably used to phish users in the last few months. Some of the most suspicious ones are detailed below:
- dfasonline.com registered by firstname.lastname@example.org on 06-19-2012
Probably related to Defense Finance and Accounting Service - DFAS - http://www.dfas.mil/
- aafbonus.com registered by email@example.com on 06-19-2012
Probably related to American Advertising Federation - http://www.aaf.org/
- nceba.org registered by firstname.lastname@example.org on 07-24-2012
Probably related to U.S. BANKRUPTCY ADMINISTRATOR - http://www.nceba.uscourts.gov/
- pdi2012.org registered by email@example.com on 08-18-2011
Probably related to PDI 2012, the premier training event hosted by the American Society of Military Comptrollers
- hudsoninst.com registered by firstname.lastname@example.org on 11-26-2012
Probably related to the Hudson Institute - http://www.hudson.org/
Hudson Institute is a nonpartisan, independent policy research organization dedicated to innovative research and analysis that promotes global security, prosperity, and freedom.
CVE-2012-4969 - Internet Explorer
In September last year, the Sykipot actors registered several domains to exploit a vulnerability in Internet Explorer (CVE-2012-4969).
- resume4jobs.net registered by email@example.com on 03-08-2012
http://www[.]resume4jobs[.]net/jobs[.]exe Sykipot malware that uses info[.]resume4jobs[.]net as the C&C
- paypal1.dns1.us - Dynamic DNS provider
- pollingvoter.org registered by firstname.lastname@example.org on 06-11-2012
http://www[.]pollingvoter[.]org/life[.]exe Sykipot malware that uses www[.]betterslife[.]com as the C&C
- skyruss.net registered by email@example.com on 04-17-2012
CVE-2012-1723 - Java 7
In August, they were exploiting a vulnerability in Java (CVE-2012-1723) to gain access to the victim’s systems. It seems they were using the Metasploit version of the exploit.
Some examples are:
- slashdoc.org registered by firstname.lastname@example.org on 05-21-2012
The index.html page loads the malicious Java applet and it passes the payload they want to execute using the data parameter (the value is hex encoded):
In this case the host www[.]photosmagnum[.]com was used as the C&C server.
- nceba.org registered by email@example.com on 07-24-2012
Using www[.]betterslife[.]com as the C&C server.
- milstars.org registered by firstname.lastname@example.org on 06-20-2012
CVE-2013-0640 - PDF Exploit targeting Japanese victims
We found the Sykipot actors using the latest Adobe Acrobat exploit (CVE-2013-0640) a few weeks ago.
The version of the exploit is the same that we found in our latest blog post:
Once the PDF is opened the following lure file is displayed to the victim:
Based on the content of the lure document the potential victims seem to be somehow related to the Japanese Ministry of Health, Labour and Welfare
Once the infection takes place the following files are created on the system:
The file setm.ini contains the configuration of Sykipot in this case:
url=bassball[.]peocity[.]com (C&C server)
The following actions take place in the system:
cmd /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v start /t REG_SZ /d [sykipot_payload_file].exe -startup /f (persistence)
Several functions are called within the Sykipot’s DLL:
cmd /c [sykipot_payload_file].exe -startup
Then the malicious payload will be injected into Internet Explorer.
The malware will communicate with the C&C server once in a while using SSL and the well known communication paths of previous Sykipot payloads:
As we showed in the past most of the Sykipot samples used the key “19990817” for encryption.In this sample we have found a new key “20120709” that is also a date.
Along with the blog post we are making a list of new domains public that weren’t mentioned in previous Sykipot research:
Unique malicious domains:
We are releasing Snort rules to detect queries to the malicious domains in your network:
Thanks to EmergingThreats for the help. You will find the rules in its ruleset update today as well.
Based in our research, below is the list of unique e-mail addreses used to registered malicious domains:
Apart from the list of new domains you should check out the domains mentioned in the following articles that all related to previous Sykipot’s activity but some of them are still being used in Sykipot’s operations:
- Sykipot is back - Alienvault Labs
- The Sykipot Attacks - Symantec
- The Sykipot Campaign - TrendMicro
- Insight into Sykipot Operations - Symantec
- Medical Industry A CYBER VICTIM: BILLIONS STOLEN AND LIVES AT RISK - Cyber Squared