News

Sykipot Trojan Variant May Be Used in DOD Access Card PIN Theft

Research by Alienvault Labs has found a variant of the Sykipot Trojan that can be used to compromise the Defense Department's Common Access Cards.

The variant, which Alienvault says appears to have been around since March 2011, arrives via phishing attacks and uses a keylogger to “effectively hijack DOD and Windows smart cards," Alienvault's Jaime Blasco wrote in a blog post.

The variant has turned up in dozens of attack samples over the past year, Blasco writes.

The spear-phishing attacks are designed to get their targets to open an Adobe PDF attachment, which, taking advantage of an Adobe zero-day vulnerability, then can load Sykipot onto their computers, according to Alienvault's research.

Using a keylogger, the Sykipot variant can then steal PINs from cardholders signing in, and subsequently act as the authenticated user to steal information for as long as the card remains in the smart-card reader, Alienvault said. The malware also lists the public-key encryption certificates stored on the system.

“So the modus operandi of the attackers is listing the certificates present on the victim's computer … stealing the PIN using the keylogger module and then [using] this information to log onto remote resources protected with certificates/smart cards," Alienvault said.

“We have tested the malware and, in fact, it is working," Blasco told Dark Reading. “It's likely they got inside protected systems and gained access using this malware."

Sykipot, a back-door access Trojan, has been used in phishing attacks since 2007, often against defense contractors. What's new in this variant is the keylogger, Alienvault said. What's not new is that Sykipot takes advantage of Adobe vulnerabilities, ThreatPost has noted.

In December 2011, Alienvault reported on a Sykipot attack that appeared to target the military's fleets of unmanned aerial vehicles.

The attack, which was discovered after defense contractor Lockheed Martin called attention to it, also exploited a zero-day vulnerability in Adobe Reader. As with other Sykipot attacks, it was traced to a command-and-control server in China, although it masked its tracks through hacked servers in the United States.

Alienvault researchers say they believe one group of attackers is behind both attacks, Dark Reading reported. “We believe it's the same group of attackers," Blasco said. “They have been using the same techniques, even sharing some parts of the code in other attacks."

Common Access Cards have been used in DOD as a two-factor authentication measure for years. As of 2008, the department had issued more than 17 million of them, to military and civilian personnel, as well as to contractors.

About the Author

Kevin McCaney is the managing editor of Government Computer News.

Featured

  • Industrial Control System Honeypot Illustrates Bad Security Practices

    Security solutions provider Trend Micro has published results (PDF) from running an industrial control system (ICS) "honeypot."

  • Ransomware: What It Means for Your Database Servers

    Ransomware affects databases in very specific ways. Joey describes the mechanics of a SQL Server ransomware attack, what DBAs can do to protect their systems, and what security measures they should be advocating for.

  • Windows Admin Center vs. Hyper-V Manager: What's Better for Managing VMs?

    Microsoft's preferred interface for Windows Server is Windows Admin Center, but can it really replace Hyper-V Manager for managing virtual machines? Brien compares the two management tools.

  • Microsoft Offers More Help on Windows Server 2008 Upgrades

    Microsoft this week published additional help resources for organizations stuck on Windows Server 2008, which fell out of support on Jan. 14.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.