News

Sykipot Trojan Variant May Be Used in DOD Access Card PIN Theft

Research by Alienvault Labs has found a variant of the Sykipot Trojan that can be used to compromise the Defense Department's Common Access Cards.

The variant, which Alienvault says appears to have been around since March 2011, arrives via phishing attacks and uses a keylogger to “effectively hijack DOD and Windows smart cards," Alienvault's Jaime Blasco wrote in a blog post.

The variant has turned up in dozens of attack samples over the past year, Blasco writes.

The spear-phishing attacks are designed to get their targets to open an Adobe PDF attachment, which, taking advantage of an Adobe zero-day vulnerability, then can load Sykipot onto their computers, according to Alienvault's research.

Using a keylogger, the Sykipot variant can then steal PINs from cardholders signing in, and subsequently act as the authenticated user to steal information for as long as the card remains in the smart-card reader, Alienvault said. The malware also lists the public-key encryption certificates stored on the system.

“So the modus operandi of the attackers is listing the certificates present on the victim's computer … stealing the PIN using the keylogger module and then [using] this information to log onto remote resources protected with certificates/smart cards," Alienvault said.

“We have tested the malware and, in fact, it is working," Blasco told Dark Reading. “It's likely they got inside protected systems and gained access using this malware."

Sykipot, a back-door access Trojan, has been used in phishing attacks since 2007, often against defense contractors. What's new in this variant is the keylogger, Alienvault said. What's not new is that Sykipot takes advantage of Adobe vulnerabilities, ThreatPost has noted.

In December 2011, Alienvault reported on a Sykipot attack that appeared to target the military's fleets of unmanned aerial vehicles.

The attack, which was discovered after defense contractor Lockheed Martin called attention to it, also exploited a zero-day vulnerability in Adobe Reader. As with other Sykipot attacks, it was traced to a command-and-control server in China, although it masked its tracks through hacked servers in the United States.

Alienvault researchers say they believe one group of attackers is behind both attacks, Dark Reading reported. “We believe it's the same group of attackers," Blasco said. “They have been using the same techniques, even sharing some parts of the code in other attacks."

Common Access Cards have been used in DOD as a two-factor authentication measure for years. As of 2008, the department had issued more than 17 million of them, to military and civilian personnel, as well as to contractors.

About the Author

Kevin McCaney is the managing editor of Government Computer News.

Featured

  • Black Box

    Microsoft Releases Windows Server 2022 Preview

    Microsoft announced during its Ignite event that Window Server 2022 is currently availability at the preview stage.

  • Azure Networking Enhancements Announced at Ignite

    Azure networking improvements were announced by Microsoft as part of its Ignite Conference.

  • How To Reclaim Your Privacy from Windows 10, Part 2

    These are the top four privacy settings to check in your Windows device to make sure Microsoft doesn't collect any data you don't want it to.

  • Microsoft Releases Out-of-Band Security Patches for Exchange Server

    Microsoft on Tuesday released out-of-band security patches for Exchange Server to address multiple zero-day flaws that are currently being exploited in active attacks.

comments powered by Disqus