Insight into Sykipot Operations

The Sykipot campaign has been persistent in the past few months targeting various industries, the majority of which belong to the defense industry. Each campaign is marked with a unique identifier comprised of a few letters followed by a date hard-coded within the Sykipot Trojan itself. In some cases the keyword preceding the numbers is the sub-domain's folder name on the Web server being used. Here are some examples of the campaigns we have seen so far:

  • alt20111215
  • auto20110413
  • auto20110420
  • be20111010
  • chk20111219
  • chksrv20111122
  • easy20110720w
  • easy20110926n
  • good20110627
  • help20110908
  • help20110926
  • info20111025
  • info20111028
  • info20111031G
  • insight20111122
  • pretty20111101
  • pretty20111122
  • pub2011124x
  • server20111212
  • webmail20111122
  • world20111205

These campaign markers allow the attackers to correlate different attacks on different organizations and industries.

The attackers also left additional clues allowing us to gain insight into what appears to be a staging server that is used prior to the delivery of new binaries to targeted users. In addition, we were able to confirm that the server was also used as a command and control (C&C) server for a period of time as well. The server is based in the Beijing region of China and was running on one of the largest ISPs in China. Furthermore, on one occasion one of the attackers connected from the Zhejiang province. The server has hosted over a hundred malicious files from the past couple of months, many of which were used in Sykipot campaigns.

Some example file names that were found on the server include:

  • 12-holiday-tips-usagov.pdf
  • 12-holiday-tips-usagov.pdf
  • be20111010.exe
  • fedgovtbenefits.pdf
  • fy12 military pay chart scanned copy.scr
  • fy12-military-pay-chart.pdf
  • happy20111025.exe
  • info20111025.exe
  • inmarsat-financial-info.pdf
  • inmarsatpricing.doc
  • inmarsatpricing.pdf
  • insight20111122.exe
  • nui-comisaf coin guidance.pdf
  • nwc spouse newsletter.pdf
  • oem7f7.exe
  • president's message inside.pdf
  • scanned copy.scr
  • webmail20111122.exe
  • webmail20111205.exe
  • world20111205.exe
  • world20111205z.exe

The files mostly consisted of customized Sykipot binary PDF files containing an exploit that would drop Skyipot. However, other tools that can be useful after a successful compromise were also discovered, such as 'gsecdump', a tool that can be used to dump password hashes from computers. We also saw template files for the Microsoft Office RTF File Stack Buffer Overflow Vulnerability (BID 44652). Many of these files do not appear to be generated directly on the system, but are created elsewhere and copied on to the system. We saw files that were downloaded on to the computer through FTP and others through a removable drive.

Files were also received and saved to the computer from a specific contact that uses a popular instant messaging client in Asia. We were unable to definitively trace the contact number to a particular individual.

Interestingly, we gained insight into another computer that appears to belong to the same group.  On this particular computer, the group was utilizing a tool that would automatically modify files in order to evade detection. Example file names include:

  • \pdf-miansha\2011-12-13-cve-2011-2462-pdfbundletool\2011-12-13-cve-2011-2462-pdfbundletool\fenxi\int3-1.pdf
  • \pdf-miansha\2011-12-13-cve-2011-2462-pdfbundletool\2011-12-13-cve-2011-2462-pdfbundletoolms-77393-req.pdf
  • miansha\00000eb0_0000005e.bin
  • miansha\00000f6c_0000005e.bin
  • miansha\00000fca_0000005e.bin
  • miansha\000012ba_0000005e.bin
  • miansha\00001f36_0000005e.bin
  • miansha\000020ae_0000005e.bin
  • miansha\000022e2_0000005e.bin

There are two noteworthy items here. First, there already appears to be a tool in circulation used to create malicious PDF files. Second, the path name includes 'miansha', which loosely translates to 'veil', a phrase used by hackers when they speak about making changes to files in order to evade detection. The other Chinese word 'fenxi' means 'analysis'.

With such tools available, we are certain to see continued exploit attempts using CVE-2011-2462.

Finally, we have also discovered the following domains, in addition to those listed in our previous blog, associated with the Sykipot attackers:

  • altchksrv.hostdefence.net
  • data.wilsoncallcenter.com
  • help.newcarstyle.com
  • info.capestonecounty.com
  • info.facebook-support.org
  • info.wilsoncallcenter.com
  • live.tech-att.com
  • mail.sixnationtalk.com
  • service.1inkedin.net
  • bodyshowworld.com
  • capestonecounty.com
  • welldone123.net
  • yahoo-security-center.vicp.net

Some of these domains were compromised and used in the campaign, but most of them were registered for the sole purpose of being a part of the Sykipot infrastructure. On more than one occasion we have seen attackers sending malicious emails from the same server hosting the aforementioned C&C domains. For that exact reason, network administrators should use this information to monitor for attacks and exfiltration of data.

The Sykipot attackers have a long running history of attacks against multiple industries. Based on these insights, the attackers are familiar with the Chinese language and are using computer resources in China. They are clearly a group of attackers who are constantly modifying their creation to utilize new vulnerabilities and to evade security products and we expect that they will continue their attacks in the future.