Breaking Down a Malware Operation

Tuesday, January 31, 2012 @ 05:01 PM gHale

The Sykipot malware campaign continues to target various industries, the majority of which belong to the defense industry, Symantec officials said.

Each campaign uses a unique identifier made up of a few letters followed by a date, hard-coded within the Sykipot Trojan itself. In some cases the keyword preceding the digits is also the name of the sub-domain's folder on the Web server.


Here are some examples of the campaigns the security provider has seen so far:
• alt20111215
• auto20110413
• auto20110420
• be20111010
• chk20111219
• chksrv20111122
• easy20110720w
• easy20110926n
• good20110627
• help20110908
• help20110926
• info20111025
• info20111028
• info20111031G
• insight20111122
• pretty20111101
• pretty20111122
• pub2011124x
• server20111212
• webmail20111122
• world20111205
These campaign markers let the attackers correlate different attacks across organizations and industries.

The attackers also left additional clues that gave researchers insight into what appears to be a staging server used before new binaries were delivered to targeted users. Symantec researchers were also able to confirm that, for a period of time, the same server acted as a command and control (C&C) server. The server is in the Beijing region of China and was running on one of the largest ISPs in China; on one occasion one of the attackers connected to it from Zhejiang province. Over the past couple of months the server has hosted more than a hundred malicious files, many of which were used in Sykipot campaigns.

Some example file names found on the server include:
• 12-holiday-tips-usagov.pdf
• 12-holiday-tips-usagov.pdf
• be20111010.exe
• fedgovtbenefits.pdf
• fy12 military pay chart scanned copy.scr
• fy12-military-pay-chart.pdf
• happy20111025.exe
• info20111025.exe
• inmarsat-financial-info.pdf
• inmarsatpricing.doc
• inmarsatpricing.pdf
• insight20111122.exe
• nui-comisaf coin guidance.pdf
• nwc spouse newsletter.pdf
• oem7f7.exe
• president’s message inside.pdf
• scanned copy.scr
• webmail20111122.exe
• webmail20111205.exe
• world20111205.exe
• world20111205z.exe
The files mostly consisted of customized Sykipot binaries and exploit-bearing PDF files. However, other tools useful after a successful compromise were also present, such as ‘gsecdump’, a tool that can dump password hashes from computers. Researchers also found template files for the Microsoft Office RTF File Stack Buffer Overflow Vulnerability (BID 44652). Many of these files do not appear to have been created directly on the system; they were created elsewhere and then copied onto it. Researchers found files that had been downloaded to the computer through FTP and others that arrived via a removable drive.
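The marker format described above (keyword, eight-digit date, optional trailing letter) and the staged file names on the server lend themselves to simple defender-side correlation. The following is an added example, not Symantec's tooling or code from the article: it parses the markers listed on this page, groups them by hard-coded date, ties the staged `.exe` names back to known campaigns, and flags malformed markers such as `pub2011124x` (seven digits) instead of silently mis-dating them.

```python
import re
from datetime import datetime

# Campaign markers and staged file names as listed in the article.
CAMPAIGN_MARKERS = [
    "alt20111215", "auto20110413", "auto20110420", "be20111010", "chk20111219",
    "chksrv20111122", "easy20110720w", "easy20110926n", "good20110627",
    "help20110908", "help20110926", "info20111025", "info20111028",
    "info20111031G", "insight20111122", "pretty20111101", "pretty20111122",
    "pub2011124x", "server20111212", "webmail20111122", "world20111205",
]
STAGED_FILES = [
    "be20111010.exe", "happy20111025.exe", "info20111025.exe",
    "insight20111122.exe", "webmail20111122.exe", "webmail20111205.exe",
    "world20111205.exe", "world20111205z.exe", "fedgovtbenefits.pdf",
]
MARKER_RE = re.compile(r"^([a-z]+)(\d{8})([A-Za-z]?)$")  # keyword+YYYYMMDD+letter?

def parse_marker(text):
    """Return (keyword, date, suffix), or None when the marker is malformed:
    'pub2011124x' has seven digits, so it is flagged rather than mis-dated."""
    m = MARKER_RE.match(text)
    if m is None:
        return None
    try:
        when = datetime.strptime(m.group(2), "%Y%m%d").date()
    except ValueError:  # digits present but not a calendar date (month 13 ...)
        return None
    return m.group(1), when, m.group(3)

def by_date(markers):
    """Group keywords by hard-coded date; markers sharing a date likely form one wave."""
    groups = {}
    for mk in markers:
        parsed = parse_marker(mk)
        if parsed:
            groups.setdefault(parsed[1], []).append(parsed[0])
    return {d: sorted(ks) for d, ks in groups.items()}

def correlate(markers, filenames):
    """Tie staged binaries to campaigns by (keyword, date), ignoring the trailing
    letter. Returns (known, new); 'new' = marker-named files not in the list."""
    known = {parsed[:2]: [] for parsed in map(parse_marker, markers) if parsed}
    new = {}
    for fn in filenames:
        parsed = parse_marker(fn.rsplit(".", 1)[0])
        if parsed is None:
            continue  # not marker-named (decoy PDFs, gsecdump, ...)
        key = parsed[:2]
        (known if key in known else new).setdefault(key, []).append(fn)
    return known, new
```

Running `correlate(CAMPAIGN_MARKERS, STAGED_FILES)` surfaces `happy20111025.exe` and `webmail20111205.exe` as marker-named binaries with no entry in the published campaign list, which is exactly the kind of lead a hunter would want to pull.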

Other files received and saved on the computer came from a specific contact using a popular instant messaging client in Asia. Researchers were unable to trace the contact number to a particular individual.

Researchers gained insight into another computer that appears to belong to the same group. On this particular computer, the group was utilizing a tool that would automatically modify files in order to evade detection. Example file names include:
• \pdf-miansha\2011-12-13-cve-2011-2462-pdfbundletool\2011-12-13-cve-2011-2462-pdfbundletool\fenxi\int3-1.pdf
• \pdf-miansha\2011-12-13-cve-2011-2462-pdfbundletool\2011-12-13-cve-2011-2462-pdfbundletoolms-77393-req.pdf
• miansha\00000eb0_0000005e.bin
• miansha\00000f6c_0000005e.bin
• miansha\00000fca_0000005e.bin
• miansha\000012ba_0000005e.bin
• miansha\00001f36_0000005e.bin
• miansha\000020ae_0000005e.bin
• miansha\000022e2_0000005e.bin
Two things stand out. First, a tool for creating malicious PDF files already appears to be in circulation. Second, the path name includes ‘miansha’, which loosely translates to ‘veil’, a term hackers use when they talk about modifying files to evade detection. The other Chinese word, ‘fenxi’, means ‘analysis’.

With such tools available, researchers are confident they will see continued exploit attempts using CVE-2011-2462.

Finally, the researchers also discovered the following domains associated with the Sykipot attackers:
Some of these domains are legitimate sites that were compromised and used in the campaign, but most exist for the sole purpose of being part of the Sykipot infrastructure. On more than one occasion researchers have seen the attackers send malicious emails from the same server that hosts the C&C domains. Network administrators should use this information to monitor for attacks and for exfiltration of data.

The Sykipot attackers have a long-running history of attacks against multiple industries. Based on these insights, the attackers are familiar with the Chinese language and are using computer resources in China. They are clearly a group that constantly modifies its malware to exploit new vulnerabilities and to evade security products, and we expect them to continue their attacks in the future.
