New version of Sykipot malware targets DoD smart cards

15 January 2012

More evidence of malware from China attacking the US Department of Defense has been discovered by AlienVault.

According to AlienVault’s Lab manager Jaime Blasco, a new version of the Sykipot trojan attempts to compromise DoD smart cards used with ActivIdentity’s ActivClient. These smart cards are standard authentication devices for “identifying active duty military staff, selected reserve personnel, civilian employees, and eligible contractor staff,” says Blasco.

Earlier versions of the trojan, traces of which were found as long ago as 2006, had been used to open a backdoor into infected PCs. This new version, which may have been in use since March 2011 (a date embedded in the malware’s code), uses a keylogger to steal the smart card PIN in a smart card proxy attack. “When a card is inserted into the reader,” says Blasco, “the malware acts as the authenticated user and can access sensitive information. The malware is then controlled by the attackers and told what – and when – to steal the appropriate data.”
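The proxy attack described above works because the PIN is typed on the compromised host and the card, once unlocked, answers any process on that host. The following model, added here as an illustration and not taken from AlienVault’s analysis or from any real card’s command set, runs four simplified configurations to show which defensive properties actually deny a host-resident process the use of the card: PIN entry on the host versus on a PIN-pad reader, and a session-style card versus an assumed “PIN required for every operation” key policy. Card behaviour, PIN value and the `SmartCard`/`Host` classes are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SmartCard:
    """Simplified model of a PIV-style card (constructed for this example).
    A private-key operation only succeeds while the card's 'PIN verified'
    state is set.

    pin_always=False: one successful PIN verify unlocks the key until the
                      card is reset or removed (session-style behaviour).
    pin_always=True:  every key operation consumes the verified state, so a
                      fresh PIN verification is needed for each use.
    """
    pin: str
    pin_always: bool = False
    verified: bool = False
    log: list = field(default_factory=list)  # (requester, data) per signature

    def verify_pin(self, candidate: str) -> bool:
        self.verified = candidate == self.pin
        return self.verified

    def sign(self, requester: str, data: bytes) -> Optional[bytes]:
        if not self.verified:
            return None
        if self.pin_always:
            self.verified = False  # one verification, one operation
        self.log.append((requester, data))
        return b"SIG(" + data + b")"  # placeholder for a real signature


class Host:
    """The user's PC. Any process on it, legitimate or not, can reach the card."""

    def __init__(self, card: SmartCard, pinpad_reader: bool):
        self.card = card
        self.pinpad_reader = pinpad_reader
        self.keylog: list = []  # what a host-resident keylogger would see

    def user_enters_pin(self, pin: str) -> None:
        if not self.pinpad_reader:
            # Typed on the host keyboard: visible to host software (and so to
            # a keylogger) before it reaches the card.
            self.keylog.append(pin)
        # With a PIN-pad reader the PIN travels reader -> card and never
        # passes through the host operating system.
        self.card.verify_pin(pin)


def scenario(pinpad_reader: bool, pin_always: bool) -> dict:
    """Run one configuration and report what an untrusted host process achieved."""
    card = SmartCard(pin="123456", pin_always=pin_always)  # constructed PIN
    host = Host(card, pinpad_reader)

    # Legitimate use: the user inserts the card, enters the PIN, signs once.
    host.user_enters_pin("123456")
    user_sig = card.sign("user-app", b"legit")

    # An untrusted process on the same host acts while the card is still
    # inserted. If the PIN was observable on the host it can re-verify;
    # otherwise it can only rely on whatever verified state remains.
    if host.keylog:
        card.verify_pin(host.keylog[-1])
    untrusted_sig = card.sign("untrusted-process", b"other")

    return {
        "pin_captured": bool(host.keylog),
        "user_signed": user_sig is not None,
        "untrusted_signed": untrusted_sig is not None,
    }


def compare_configurations() -> dict:
    """Evaluate all four combinations of PIN-entry path and card policy."""
    return {
        "host_pin_session_card": scenario(pinpad_reader=False, pin_always=False),
        "host_pin_pin_always": scenario(pinpad_reader=False, pin_always=True),
        "pinpad_session_card": scenario(pinpad_reader=True, pin_always=False),
        "pinpad_pin_always": scenario(pinpad_reader=True, pin_always=True),
    }


if __name__ == "__main__":
    for name, result in compare_configurations().items():
        print(f"{name:24s} {result}")
```

Only the last configuration denies the untrusted process: a PIN-pad reader keeps the PIN off the host, and the per-operation policy means the user’s own verification cannot be reused by whatever else is running on that PC. Either measure on its own leaves the window the article describes open.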

Earlier versions of Sykipot were found to use command and control servers based in China, and AlienVault has discovered Chinese characters in a small snippet of code in the new version, further suggesting a Chinese origin. Like the earlier versions, the new Sykipot uses a spear phishing email campaign to target specific users, attempting to persuade each recipient to click a link from which the infection is delivered.

An analysis of Sykipot campaigns over the years was published by TrendLabs as recently as 17 December 2011. It highlights six separate campaigns before this one, and notes that in “March 2010, the malware was used in conjunction with a zero-day exploit of Internet Explorer 6. That’s three zero-day exploits in the last two years.” Zero-day exploits are rare and valuable, which further suggests a well-organized and well-funded team behind the malware.
