Sykipot variant, exploiting Microsoft vulnerability, targets aerospace industry

A new variant of Sykipot, an information-stealing Trojan that has been used in frequent attacks against defense agencies and contractors, has turned up in new attacks targeting the aerospace industry and others.

The attacks have been spreading via spear-phishing e-mails containing a link to a malicious site, according to a blog post by Jaime Blasco, manger of Alienvault Labs.

What’s different in this round of Sykipot attacks, Blasco said, is that instead of using file attachments in Excel and Adobe Reader and Flash to deliver malicious code as Sykipot has in the past, attackers are delivering drive-by downloads exploiting Flash Player and the vulnerability recently found in Microsoft XML Core Services.


Related coverage:

New Sykipot variant can steal PINs from DOD smart cards

State-sponsaored attacks targeting Microsoft zero-day?


The XML Core Services vulnerability, for which Microsoft has issued a workaround but not an automated patch, has been tied to state-sponsored attacks that Google first warned its users about in June.

Among the apparent targets in the new round of attacks are potential attendees of the IEEE Aerospace Conference, scheduled for March 2013 in Big Sky, Montana. The Skyipot domain aeroconf13.org was among those being used to deliver malicious code, the Aleinvault post said. Most of the domains being used were registered within the past month.

Although the drive-by delivery of malware is new, the rest of the attackers’ method is pretty much the same as in past Sykipot attacks, Alienvault said. They compromise servers in the United States for command and control, either delivering malware to unsuspecting visitors or redirecting traffic to another remote server.

The malware uses Secure Sockets Layer encryption to protect its communications with the command-and-control server, which it also uses to upload stolen information, Blasco wrote.

There are indications, though no proof, that the attacks started in China, he told IDG News Service.

Sykipot, which has been used in phishing campaigns since about 2007, has a long history of attacks on defense organizations and contractors, with the attacks often being traced to servers in China.

In January, Blasco reported that a variant had been found in a keylogger attack attempting to steal PINs for Defense Department Common Access Cards. That attacks, discovered by defense contractor Lockheed Martin, was traced to a command-and-control server in China that was trying to cover its tracks via hacked servers in the United States.

In December 2011, another Sykipot attack was detected targeting military unmanned aerial vehicles.

The newly discovered attack’s exploit of the XML Core Services vulnerability could indicate that it, too, is part of a state-sponsored attack.

Google reported the vulnerability to Microsoft on May 30 and the companies began working together on it. Google in early June launched a service that would warn users if they might be a target of a state-sponsored attack.

And after Microsoft disclosed the vulnerability, which affects all supported versions of Windows and Office 2003 and 2007, security company Sophos said it was being exploited in attacks against an aeronautical parts supplier and a medical company in Europe.

About the Author

Kevin McCaney is editor of Defense Systems. Follow him on Twitter: @KevinMcCaney.

Reader Comments

Fri, Jul 6, 2012 SoutheastUS

More indications of a global cyberwar. Depending on your viewpoint, it is here now, or is heating up. We just haven't seen much, if any, physical results of these cyberattacks (unless you count Iran's centrifuge damage from Stuxnet).

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above