More Sykipot Malware Clues Point To China

Published: 22/11/2024   Category: security




Recent version of the malware, which spread using an Adobe Reader zero-day vulnerability, appeared to be seeking information relating to U.S. military drones.



The Sykipot malware used in recent, targeted attacks against defense contractors appears to have been designed, at least in part, to steal information relating to U.S. military drones and unmanned aerial vehicles.

"To date, there have been a lot of different campaigns with different command-and-control servers," said researchers at AlienVault Labs in a blog post. "The modus operandi is simple, they send emails with a malicious attachment or link, sometimes using a zero-day exploit [on] key employees of different organizations."

The Sykipot malware used in recent targeted attacks involved JavaScript-embedded malicious PDF files that were emailed to targets, and which exploited a zero-day Adobe Reader vulnerability that was recently patched.
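As an added example (not from the article or from AlienVault's research), the routine below triages PDF attachments for the active-content names that this delivery method depends on, so a mail gateway can divert such files to a sandbox before they reach the recipient. The sample PDF, the name weights and the flagging threshold are all constructed assumptions.

```python
import re
import zlib

# Constructed sample: a minimal PDF whose /OpenAction runs embedded JavaScript,
# the delivery pattern described in the article. The script body is harmless.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /JavaScript /JS (app.alert('hello')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Name objects that indicate active content, with assumed weights for scoring.
SUSPICIOUS_NAMES = {
    "/JavaScript": 3,
    "/JS": 3,
    "/OpenAction": 2,  # action executed when the document is opened
    "/AA": 2,          # additional (event-triggered) actions
    "/Launch": 3,      # launch an external program
}

def _normalize_names(data: bytes) -> bytes:
    # PDF names may use #xx hex escapes (/J#53 == /JS); resolve them so an
    # obfuscated name still matches the keyword scan.
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def _inflate_streams(data: bytes) -> bytes:
    # Append decompressed FlateDecode stream bodies so names hidden inside
    # compressed object streams are visible to the scan.
    out = [data]
    for m in re.finditer(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-compressed or corrupt: skip
    return b"\n".join(out)

def triage_pdf(data: bytes) -> dict:
    """Count suspicious names; a score >= 5 (assumed threshold) flags the file
    as carrying active content that should be detonated before delivery."""
    text = _normalize_names(_inflate_streams(data))
    hits, score = {}, 0
    for name, weight in SUSPICIOUS_NAMES.items():
        # require a delimiter after the name so /JS does not match /JSomething
        n = len(re.findall(re.escape(name.encode()) + rb"(?![A-Za-z0-9])", text))
        if n:
            hits[name] = n
            score += weight * n
    return {"hits": hits, "score": score, "flagged": score >= 5}
```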
But in targeted attacks, attackers often include information--in the form of attachments--that they think recipients will find interesting. Conversely, this highlights the type of information that attackers are seeking. Notably, all of the infections associated with a particular command-and-control (C&C) server for a Sykipot variant have been tied to a phishing email that includes information about the Boeing joint unmanned combat air system X-45, as well as the Boeing X-37 orbital vehicle.
[ Security consultants and the feds are tracking a dozen groups--all out of China--responsible for advanced threats. See 12 Groups Carry Out Most APT Attacks. ]
The AlienVault researchers found that the related attack campaigns appear to have been running since at least August 2011, although the command-and-control server used was first registered in March 2011.

Again, the drone-information-seeking Sykipot variant is but one of many. Symantec said it's seen unconfirmed traces of Sykipot dating as far back as 2006. But the Sykipot family of malware only appeared to become widespread last year, via obfuscated script files that exploited Internet Explorer vulnerabilities to execute arbitrary code.
Interestingly, the AlienVault researchers found that while many of the command-and-control servers involved in Sykipot appear to be based in the United States, "it appears that attackers used well-known public exploits to hack into U.S.-based servers and then [installed] ... software to proxy the connections between the infected systems and the real C&C server."

Most of those C&C servers use a Web server known as Netbox, which is a Windows-based server that allows developers to deploy ASP applications as standalone executables. All told, about 80% of the world's Netbox servers are located in China. Furthermore, the tool's documentation is available solely in Mandarin. That squares with previous research into Sykipot conducted by Symantec, which found that the malware produced Chinese-language error messages.
The AlienVault researchers also cross-referenced which of those Netbox servers were using a digital certificate that was known to have been employed as part of the Sykipot attacks. Ultimately, they matched seven IP addresses, all owned by China Unicom Beijing province network. Of those, six appeared to point directly to a known Sykipot C&C server.

"Most of the domains used on these campaigns are registered on Xinnet, a Chinese domain registrant," said the researchers. "Also the information [for] the domain owners (names, addresses, etc.) are from China." But they said the ownership information wasn't reliable, since it could easily be faked. Even so, the evidence appears quite strong that whoever is behind Sykipot speaks Chinese, and may be based in China. Of course, whether they're state-backed hackers or freelance operators--perhaps working for businesses--remains unknown.
In other targeted attack news, the group behind the Nitro malware, which was designed to conduct industrial espionage against chemical companies, appears to still be at work. Notably, a Symantec blog post last week said that the most recent attacks feature an emailed zip archive, which is password-protected, and claims to be security software from Symantec.

In reality, however, the program is a Poison Ivy variant. That specific type of malware has been used in numerous attacks, including the Operation Aurora exploit against Google in late 2009, as well as in phishing emails that led to the successful exploit of RSA's SecurID system.
