A peek into the Sykipot campaigns
The group(s) behind the massive and consistent campaigns targeting US defense contractors with the Sykipot Trojan continue their attacks unabated, reports Symantec.
Its researchers have recently discovered and managed to take a peek into a staging server for the campaigns, which was also occasionally used as a C&C server for delivering instructions to the malware installed on the compromised computers.
In it they discovered many things that gave them insight into how the campaigns are differentiated and waged.
“Each campaign is marked with a unique identifier comprised of a few letters followed by a date hard-coded within the Sykipot Trojan itself. In some cases the keyword preceding the numbers is the sub-domain’s folder name on the Web server being used,” they shared. “These campaign markers allow the attackers to correlate different attacks on different organizations and industries.”
The location of the server (Beijing), those of attackers contacting it (Zhejiang province) and Chinese words contained in path and some file names seem to validate the theory that Chinese hackers are behind the attacks.
The researchers found over a hundred of of malicious files sent as attachments to the targets. They were mostly specially crafted PDF files that would drop the Trojan onto the targeted system once they were run.
The researchers point out that these files were created elsewhere and copied onto the system – from removable drives, via FTP or via instant messaging clients – but were unable to trace any of the individuals behind it or computers they used.
Through this server, they managed also to take a peek into another computer that belongs to the attackers, on which they discovered a tool that that modified the sent files so that they would evade detection.
“The Sykipot attackers have a long running history of attacks against multiple industries,” say the researchers. “Based on these insights, the attackers are familiar with the Chinese language and are using computer resources in China. They are clearly a group of attackers who are constantly modifying their creation to utilize new vulnerabilities and to evade security products and we expect that they will continue their attacks in the future.”
For a list of domains associated with the attacks, go here.