According to AlienVault’s Lab manager Jaime Blasco, a new version of the Sykipot trojan attempts to compromise DoD smart cards used with ActivIdentity’s ActivClient. These smart cards are standard authentication devices for “identifying active duty military staff, selected reserve personnel, civilian employees, and eligible contractor staff,” comments Blasco.
Earlier versions of the trojan, traces of which were found as long ago as 2006, had been used to open a backdoor into infected PCs. This new version, which may have been in use since March 2011 (a date embedded in the malware’s code), uses a keylogger to steal the smart card PIN in a smart card proxy attack. “When a card is inserted into the reader,” says Blasco, “the malware acts as the authenticated user and can access sensitive information. The malware is then controlled by the attackers and then told what, and when, to steal the appropriate data.”
Earlier versions of Sykipot were found to use command and control servers based in China. AlienVault has discovered Chinese characters in a small snippet of code in the new version, further suggesting a Chinese origin. Like the earlier version, the new Sykipot uses a spear phishing email campaign to target specific users. It attempts to persuade the user to click a link, from which the infection is effected.
An analysis of Sykipot campaigns over the years was published by TrendLabs as recently as December 17, 2011. It highlights six separate campaigns before this one, and notes that in “March 2010, the malware was used in conjunction with a zero-day exploit of Internet Explorer 6. That’s three zero-day exploits in the last two years.” Zero-day exploits are rare and valuable, further suggesting a well-organized and well-funded team behind the malware.