Malware Target: Defense Contractors

Friday, December 23, 2011 @ 11:12 AM gHale

The goal of the Sykipot malware used in targeted attacks against defense contractors was to steal information relating to U.S. military drones and unmanned aerial vehicles.

To date, “there have been a lot of different campaigns with different command-and-control servers,” said researchers at Alienvault Labs. “The modus operandi is simple, they send emails with a malicious attachment or link, sometimes using a zero-day exploit [on] key employees of different organizations.”

Botnet can Direct Traffic
Spam Still High, but Down, Symantec Says
Flex SDK Framework Flaw Fixed
Email Hole Enables Spam Messages

The Sykipot malware used in targeted attacks involved JavaScript-embedded malicious PDF files that were emailed to targets, and which exploited a just patched zero-day Adobe Reader vulnerability.

But in targeted attacks, attackers often include information — in the form of attachments — they think recipients will find interesting. Conversely, this highlights the type of information that attackers are seeking. Notably, all of the infections associated with a particular command-and-control (C&C) server for a Sykipot variant tie into a phishing email that includes information about the Boeing joint unmanned combat air system X-45, as well as the Boeing X-37 orbital vehicle.

The related attack campaigns appear to have been running since at least August 2011, although the command-and-control server used first registered in March 2011, said Alienvault researchers.

Alienvault researchers found while many of the command-and-control servers involved in Sykipot appear to be in the United States, it appears that attackers “used well-known public exploits to hack into U.S.-based servers and then [installed] … software to proxy the connections between the infected systems and the real C&C server.”

Most of those C&C servers use a Web server known as Netbox, which is a Windows-based server that allows developers to deploy ASP applications as standalone executables. All told, about 80% of the world’s Netbox servers are located in China. Furthermore, the tool’s documentation is available solely in Mandarin.

Alienvault researchers also cross-referenced which of those Netbox servers were using a digital certificate known to be a part of the Sykipot attacks. Ultimately, they matched seven IP addresses, all owned by “China Unicom Beijing province network.” Of those, six appeared to point directly to a known Sykipot C&C server.

“Most of the domains used on these campaigns are registered on Xinnet, a Chinese domain registrant,” said the researchers. “Also the information [for] the domain owners (names, addresses, etc.) are from China.” But they said the ownership information wasn’t reliable, since it could easily be fake.

Leave a Reply

You must be logged in to post a comment.