
For some time, AlienVault has been analysing a group of hackers who have focused their efforts on targeting the Defence and Government sector. Jaime Blasco, Labs Director at AlienVault, has recently identified new developments in the activity of this group, known as Sykipot.

Below is the analysis of the new developments, which covers:

1. New vulnerabilities that this group has used during the last 8 months.

2. The new infrastructure they have used.

3. Several examples of the campaigns they have launched.

4. New versions of the Sykipot backdoor they have used to access the compromised systems.

New Sykipot developments analysis

Summary

During the last few years, we have published research on a group of hackers who have focused on targeting the DIB (Defence Industrial Base) and other government organizations:

- Another Sykipot sample likely targeting US federal agencies

- Are the Sykipot’s authors obsessed with next generation US drones?

- Sykipot variant hijacks DOD and Windows smart cards

- Sykipot is back

The Sykipot actors are a highly skilled group of individuals who have exploited a wide range of zero-day vulnerabilities in the last few years, including:

| CVE | Date | Product |
|---|---|---|
| CVE-2007-0671 | 2007-02-02 | Microsoft Excel |
| CVE-2009-3957 | 2010-12-01 | Adobe Reader |
| CVE-2010-0806 | 2010-05-04 | Internet Explorer |
| CVE-2010-2883 | 2010-09-08 | Adobe Reader |
| CVE-2010-3654 | 2010-10-28 | Adobe Flash Player |
| CVE-2011-2462 | 2011-12-06 | Adobe Reader |

In this analysis we will unveil the new vulnerabilities that this group has used during the last 8 months and we will publish the new infrastructure they have used. We will also show several examples of the campaigns they have launched and the new versions of the Sykipot backdoor they have used to access the compromised systems.

We have found evidence that shows they have exploited at least the following vulnerabilities during the last few months:

| CVE | Date | Product |
|---|---|---|
| CVE-2012-1889 | 06/13/2012 | MSXML/Internet Explorer |
| CVE-2012-1723 | 06/12/2012 | Java 7 |
| CVE-2012-4969 | 09/16/2012 | Microsoft Internet Explorer |
| CVE-2013-0640 | 02/12/2012 | Adobe Acrobat Reader |

Several times the exploit was in use only a few days after the vulnerability had been disclosed, before the vendor had released a patch.

Campaigns

In the past, most of the campaigns we found related to the Sykipot actors were based on spear-phishing e-mails with attachments that exploited vulnerabilities in software such as Microsoft Office, Adobe Flash, Adobe Reader (PDF) and sometimes Internet Explorer. During the last 8-10 months we have seen a change: the number of spear-phishing campaigns that include a link instead of an attachment has increased. Once the victim clicks the link, the attackers use vulnerabilities in Internet Explorer, Java, etc. to access the system.

Some examples of the campaigns they have launched are detailed below:

gsasmartpay.org – 2012-06-20

Last summer, we found a malicious site that the Sykipot actors set up to phish government employees. When the victim visited the link, the following page appeared:

[Screenshot of the phishing page: http://labs.alienvault.com/labs/wp-content/uploads/2013/03/Captura-de-pantalla-2013-03-20-a-las-11.08.351.png]

As we can see, it reproduces the information present at https://smartpay.gsa.gov/cardholders:

“The GSA SmartPay program, established in 1998, is the largest charge card program in the world serving more than 350 federal agencies, organizations, and Native American tribal governments. In FY10, approximately 98.9M transactions were made and $30.2B were charged using the GSA SmartPay charge cards, creating $325.9M in refunds.”

“Eligibility for the program is determined by the GSA SmartPay Contracting Officer. Federal agencies, departments, tribal organizations, and approved non-federal entities can apply to obtain charge card services under the GSA SmartPay program.”

If we take a look at the malicious files, we find that the page was exploiting CVE-2012-1889 in the background:

[Screenshot of the exploit code: http://labs.alienvault.com/labs/wp-content/uploads/2013/03/Captura-de-pantalla-2013-03-20-a-las-11.45.00.png]

During the exploitation it will load the following files as well:

www[.]gsasmartpay[.]org/cardholders/login/movie[.]swf?apple=AA969692D8CDCD959595CC859183918F83909692839BCC8D9085CD83868D808784CC919584E2E2E2E2

www[.]gsasmartpay[.]org/cardholders/login/deployJava[.]js

www[.]gsasmartpay[.]org/cardholders/login/faq[.]htm

We are not going to show how this vulnerability is exploited, since we have covered it in previous blog posts; you can find a good description here.

searching-job.net is another domain registered by the Sykipot actors (registered on 06-20-2012; registrant e-mail not shown) that was also serving the same exploit at that time:

www[.]searching-job[.]net/list/verification/deployJava[.]js

www[.]searching-job[.]net/list/verification/faq[.]htm

www[.]searching-job[.]net/list/verification/index[.]htm

www[.]searching-job[.]net/list/verification/movie[.]swf?apple=AA969692D8CDCD959595CC91878390818A8B8C85CF888D80CC8C8796CD848B8E878E8B9196CC868396E2E2E2E2

www[.]searching-job[.]net/account_list/verification/index[.]htm

Apart from gsasmartpay.org, we have found several domains registered by the Sykipot actors that they have probably used to phish users in the last few months. Some of the most suspicious ones are detailed below:

dfasonline.com, registered on 06-19-2012 (registrant e-mail not shown)

Probably related to the Defense Finance and Accounting Service (DFAS) – http://www.dfas.mil/

aafbonus.com, registered on 06-19-2012 (registrant e-mail not shown)

Probably related to the American Advertising Federation – http://www.aaf.org/

nceba.org, registered on 07-24-2012 (registrant e-mail not shown)

Probably related to the U.S. Bankruptcy Administrator – http://www.nceba.uscourts.gov/

pdi2012.org, registered on 08-18-2011 (registrant e-mail not shown)

Probably related to PDI 2012, the premier training event hosted by the American Society of Military Comptrollers

hudsoninst.com, registered on 11-26-2012 (registrant e-mail not shown)

Probably related to the Hudson Institute – http://www.hudson.org/

Hudson Institute is a nonpartisan, independent policy research organization dedicated to innovative research and analysis that promotes global security, prosperity, and freedom.

CVE-2012-4969 – Internet Explorer

In September last year, the Sykipot actors registered several domains to exploit a vulnerability in Internet Explorer (CVE-2012-4969).

resume4jobs.net, registered on 03-08-2012 (registrant e-mail not shown)

URLs involved:

http://www[.]resume4jobs[.]net/jobs[.]exe – Sykipot malware that uses info[.]resume4jobs[.]net as the C&C

paypal1.dns1.us – Dynamic DNS provider

URLs involved:

pollingvoter.org, registered on 06-11-2012 (registrant e-mail not shown)

URLs involved:

http://www[.]pollingvoter[.]org/life[.]exe – Sykipot malware that uses www[.]betterslife[.]com as the C&C

skyruss.net, registered on 04-17-2012 (registrant e-mail not shown)

URLs involved:

CVE-2012-1723 – Java 7

In August, they were exploiting a vulnerability in Java (CVE-2012-1723) to gain access to the victims' systems. It seems they were using the Metasploit version of the exploit.

Some examples are:

slashdoc.org, registered on 05-21-2012 (registrant e-mail not shown)

URLs involved:

The index.html page loads the malicious Java applet and passes the payload they want to execute through the data parameter (the value is hex-encoded):

[Screenshot of the applet loader in index.html: http://labs.alienvault.com/labs/wp-content/uploads/2013/03/Captura-de-pantalla-2013-03-20-a-las-12.50.14.png]

In this case the host www[.]photosmagnum[.]com was used as the C&C server.

nceba.org, registered on 07-24-2012 (registrant e-mail not shown)

URLs involved:

http://www[.]nceba[.]org/newsroom/article/news201207240251[.]html

Using www[.]betterslife[.]com as the C&C server.

milstars.org, registered on 06-20-2012 (registrant e-mail not shown)

URLs involved:

CVE-2013-0640 – PDF Exploit targeting Japanese victims

We found the Sykipot actors using the latest Adobe Acrobat exploit (CVE-2013-0640) a few weeks ago.

The version of the exploit is the same that we found in our latest blog post: http://labs.alienvault.com/labs/index.php/2013/latest-adobe-pdf-exploit-used-to-target-uyghur-and-tibetan-activists/

The JavaScript code inside the PDF file is very similar to the one found in the Itaduke samples, but part of the initial variables and the obfuscation have been removed from the original one.

Once the PDF is opened the following lure file is displayed to the victim:

[Screenshot of the lure document: http://labs.alienvault.com/labs/wp-content/uploads/2013/03/Captura-de-pantalla-2013-03-20-a-las-13.28.26.png]

Based on the content of the lure document the potential victims seem to be somehow related to the Japanese Ministry of Health, Labour and Welfare.

Once the infection takes place the following files are created on the system:

\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pfilede.dat 5ED3A94354F27BC7AF0FEF04F89D8EB8

\DOCUME~1\ADMINI~1\LOCALS~1\mpr.dll 84EFAFF343CF7A34D2A0D847A1E5FD50

\DOCUME~1\ADMINI~1\LOCALS~1\setm.ini 00051F392350128BA4DD4CA10F44DDEF

\DOCUME~1\ADMINI~1\LOCALS~1\temp.dll BEA84BE4BFE236652F6A4E382B21A96F

The file setm.ini contains the configuration of Sykipot; in this case:

[srv_info]
sleeptime=3600000
url=bassball[.]peocity[.]com   (C&C server)
scexe=rsvp.exe
scdll=mpr.dll
runexe=run.exe
mark=0304adbh

The following actions take place in the system:

cmd /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v start /t REG_SZ /d [sykipot_payload_file].exe -startup /f (persistence)

Several functions are called within the Sykipot DLL:

[sykipot_payload_file].exe -startupEx

[sykipot_payload_file].exe -startup1

cmd /c [sykipot_payload_file].exe -startup

Then the malicious payload will be injected into Internet Explorer.

The malware will communicate with the C&C server periodically using SSL and the well-known communication paths of previous Sykipot payloads:

/kys_allow_put.asp?type=

/kys_allow_get.asp?name=

As we showed in the past, most of the Sykipot samples used the key "19990817" for encryption. In this sample we have found a new key, "20120709", that is also a date.
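As an added example (not part of the AlienVault analysis), the following Python extracts the C&C host and beacon interval from a constructed setm.ini and then scans constructed proxy log lines for the kys_allow_put.asp / kys_allow_get.asp paths or the configured C&C host. The log format, the sample lines and the assumption that sleeptime is in milliseconds are mine, not the report's.

```python
import configparser
import re

# Constructed sample of the [srv_info] section quoted in the analysis (defanged C&C host).
SETM_INI = """\
[srv_info]
sleeptime=3600000
url=bassball[.]peocity[.]com
scexe=rsvp.exe
scdll=mpr.dll
runexe=run.exe
mark=0304adbh
"""

# Well-known Sykipot C&C paths quoted in the analysis.
SYKIPOT_PATHS = ("/kys_allow_put.asp", "/kys_allow_get.asp")

# Constructed proxy log lines: "<timestamp> <src_ip> <host> <path>".
SAMPLE_LOG = [
    "2013-03-20T11:08:35 10.0.0.5 www.example.com /index.html",
    "2013-03-20T11:09:01 10.0.0.5 bassball.peocity.com /kys_allow_put.asp?type=1",
    "2013-03-20T12:09:02 10.0.0.5 bassball.peocity.com /",
    "2013-03-20T11:10:12 10.0.0.7 www.betterslife.com /kys_allow_get.asp?name=abc",
]
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def parse_setm_ini(text):
    """Extract the C&C host and beacon interval from a Sykipot setm.ini."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    srv = cp["srv_info"]
    return {
        # Undo the report's defanged x[.]y notation to get a real hostname.
        "c2_host": srv["url"].replace("[.]", "."),
        # sleeptime is assumed to be in milliseconds (3600000 -> one hour).
        "sleep_seconds": int(srv["sleeptime"]) // 1000,
    }

def find_sykipot_beacons(log_lines, c2_hosts=()):
    """Return (src_ip, host, path) for lines that hit a known C&C path or host."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        _ts, src, host, path = m.groups()
        if path.split("?", 1)[0] in SYKIPOT_PATHS or host in c2_hosts:
            hits.append((src, host, path))
    return hits
```

Because the beacon runs over SSL, a proxy that only logs CONNECT requests will show the host but not the path, which is why the host check is kept alongside the path check.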

Infrastructure

Along with the blog post we are making a list of new domains public that weren’t mentioned in previous Sykipot research:

Unique malicious domains:


We are releasing Snort rules to detect queries to the malicious domains in your network:

[Screenshot of the released Snort rules: http://labs.alienvault.com/labs/wp-content/uploads/2013/03/Captura-de-pantalla-2013-03-21-a-las-16.51.20.png]
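As an added example (not the rules AlienVault released, whose exact text is only in the screenshot), this Python builds Snort rules that alert on DNS queries for a domain by matching the name in DNS wire format, which anchors the match to whole labels. The domain subset, SID range and rule wording are constructed for the example.

```python
# Domains quoted in the analysis; this constructed subset only exercises the generator.
SAMPLE_DOMAINS = ["gsasmartpay.org", "peocity.com", "betterslife.com"]

def dns_label_content(domain):
    """Encode a domain as a Snort content string in DNS wire (label) format.

    "gsasmartpay.org" -> "|0B|gsasmartpay|03|org|00|". Each label carries its
    length byte and the name ends in a zero byte, so the match fires on queries
    for the domain and any subdomain (the suffix appears verbatim in the QNAME)
    but not on look-alikes such as "xgsasmartpay.org".
    """
    labels = domain.strip(".").lower().split(".")
    parts = []
    for label in labels:
        if not (1 <= len(label) <= 63) or not label.isascii():
            raise ValueError(f"bad DNS label: {label!r}")
        parts.append(f"|{len(label):02X}|{label}")
    return "".join(parts) + "|00|"

def snort_dns_rule(domain, sid):
    """Build one Snort rule that alerts on a client DNS query for `domain`."""
    return (
        "alert udp $HOME_NET any -> any 53 "
        f'(msg:"Sykipot related domain query {domain}"; '
        "flow:to_server; "            # outbound traffic only
        "byte_test:1,!&,0x80,2; "     # QR bit clear: this packet is a query
        f'content:"{dns_label_content(domain)}"; nocase; offset:12; '  # QNAME follows the 12-byte header
        "classtype:trojan-activity; "
        f"sid:{sid}; rev:1;)"
    )

def build_ruleset(domains, base_sid=9000000):
    """One rule per domain with consecutive SIDs in the local (>= 1,000,000) range."""
    return [snort_dns_rule(d, base_sid + i) for i, d in enumerate(domains)]
```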

Based on our research, we have also compiled the list of unique e-mail addresses used to register the malicious domains.


Apart from the list of new domains, you should check the domains mentioned in the following articles; they all relate to previous Sykipot activity, but some of them are still being used in Sykipot operations:

- Sykipot is back - Alienvault Labs

- The Sykipot Attacks - Symantec

- The Sykipot Campaign – TrendMicro

- Hurricane Sandy serves as lure to deliver Sykipot - Verizon

- Insight into Sykipot Operations - Symantec

- Medical Industry a Cyber Victim: Billions Stolen and Lives at Risk - Cyber Squared