New Sykipot variant can steal PINs from DOD smart cards
- By Kevin McCaney
- Jan 13, 2012
A newly discovered variant of the Sykipot Trojan, which has been used for years in attacks originating from servers in China, can be used to compromise the Defense Department’s Common Access Cards, according to research by Alienvault Labs.
The variant, which Alienvault says appears to have been around since March 2011, arrives via phishing attacks and uses a keylogger to “effectively hijack DOD and Windows smart cards,” Alienvault’s Jaime Blasco wrote in a blog post.
The variant has turned up in dozens of attack samples over the past year, Blasco writes.
‘Shady RAT’ report unveils massive cyber espionage campaign
Report: China the source of RSA hack, hundreds of others also hit
The spear-phishing attacks are designed to get their targets to open an Adobe PDF attachment, which, taking advantage of an Adobe zero-day vulnerability, then can load Sykipot onto their computers, according to Alienvault’s research.
Using a keylogger, the Sykipot variant can then steal PINs from cardholders signing in, and subsequently act as the authenticated user to steal information for as long as the card remains in the smart-card reader, Alienvault said. The malware also lists the public-key encryption certificates stored on the system.
“So the modus operandi of the attackers is listing the certificates present on the victimʼs computer … stealing the PIN using the keylogger module and then [using] this information to log onto remote resources protected with certificates/smart cards,” Alienvault said.
“We have tested the malware and, in fact, it is working,” Blasco told Dark Reading. “It’s likely they got inside protected systems and gained access using this malware.”
Sykipot, a back-door access Trojan, has been used in phishing attacks since 2007, often against defense contractors. What’s new in this variant is the keylogger, Alienvault said. What’s not new is that Sykipot takes advantage of Adobe vulnerabilities, ThreatPost has noted.
In December 2011, Alienvault reported on a Sykipot attack that appeared to target the military’s fleets of unmanned aerial vehicles.
The attack, which was discovered after defense contractor Lockheed Martin called attention to it, also exploited a zero-day vulnerability in Adobe Reader. As with other Sykipot attacks, it was traced to a command-and-control server in China, although it masked its tracks through hacked servers in the United States.
Alienvault researchers say they believe one group of attackers is behind both attacks, Dark Reading reported. “We believe it’s the same group of attackers,” Blasco said. “They have been using the same techniques, even sharing some parts of the code in other attacks.”
Common Access Cards have been used in DOD as a two-factor authentication measure for years. As of 2008, the department had issued more than 17 million of them, to military and civilian personnel, as well as to contractors.
Kevin McCaney is a former editor of Defense Systems and GCN.