News

Sykipot Trojan Variant May Be Used in DOD Access Card PIN Theft

Research by Alienvault Labs has found a variant of the Sykipot Trojan that can be used to compromise the Defense Department's Common Access Cards.

The variant, which Alienvault says appears to have been around since March 2011, arrives via phishing attacks and uses a keylogger to “effectively hijack DOD and Windows smart cards," Alienvault's Jaime Blasco wrote in a blog post.

The variant has turned up in dozens of attack samples over the past year, Blasco writes.

The spear-phishing attacks are designed to get their targets to open an Adobe PDF attachment, which, taking advantage of an Adobe zero-day vulnerability, then can load Sykipot onto their computers, according to Alienvault's research.

Using a keylogger, the Sykipot variant can then steal PINs from cardholders signing in, and subsequently act as the authenticated user to steal information for as long as the card remains in the smart-card reader, Alienvault said. The malware also lists the public-key encryption certificates stored on the system.

“So the modus operandi of the attackers is listing the certificates present on the victim's computer … stealing the PIN using the keylogger module and then [using] this information to log onto remote resources protected with certificates/smart cards," Alienvault said.

“We have tested the malware and, in fact, it is working," Blasco told Dark Reading. “It's likely they got inside protected systems and gained access using this malware."

Sykipot, a back-door access Trojan, has been used in phishing attacks since 2007, often against defense contractors. What's new in this variant is the keylogger, Alienvault said. What's not new is that Sykipot takes advantage of Adobe vulnerabilities, ThreatPost has noted.

In December 2011, Alienvault reported on a Sykipot attack that appeared to target the military's fleets of unmanned aerial vehicles.

The attack, which was discovered after defense contractor Lockheed Martin called attention to it, also exploited a zero-day vulnerability in Adobe Reader. As with other Sykipot attacks, it was traced to a command-and-control server in China, although it masked its tracks through hacked servers in the United States.

Alienvault researchers say they believe one group of attackers is behind both attacks, Dark Reading reported. “We believe it's the same group of attackers," Blasco said. “They have been using the same techniques, even sharing some parts of the code in other attacks."

Common Access Cards have been used in DOD as a two-factor authentication measure for years. As of 2008, the department had issued more than 17 million of them, to military and civilian personnel, as well as to contractors.

About the Author

Kevin McCaney is the managing editor of Government Computer News.

Featured

  • Microsoft Adding Google G Suite Migration in Exchange Admin Center

    Microsoft's Exchange Admin Center will be getting the ability to move Google G Suite calendar, contacts and e-mail data over to the Office 365 service "in the coming weeks."

  • Qualcomm Back in Datacenter Fray with AI Chip

    The chip maker joins a crowded field of vendors that are designing silicon for processing AI inference workloads in the datacenter.

  • Microsoft To Ship Surface Hub 2S Conference Device in June

    Microsoft on Wednesday announced a June U.S. ship date for one of its Surface Hub 2S conferencing room products, plus a couple of other product milestones.

  • Kaspersky Lab Nabs Another Windows Zero-Day

    Kaspersky Lab this week described more about a zero-day Windows vulnerability (CVE-2019-0859) that its researchers recently discovered, and how PowerShell was used by the exploit.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.