A new version of the Sykipot Trojan is being pushed to unsuspecting users in a wave of online attacks, including targeted attacks on attendees of an international aerospace conference, according to researchers at the security firm AlienVault.
The latest edition of the common Trojan horse program appeared within the last month and is spreading through e-mail messages containing links to malicious Web sites that carry out drive-by download attacks against e-mail recipients who click on the link. The attacks use exploits for recently disclosed security holes, such as Microsoft’s Windows XML Core Services vulnerability that was first disclosed in June. Exploits of that hole were linked to state-sponsored attacks, which both Google and Microsoft warned about in June.
The shift to drive-by downloads is a change. Previous versions of Sykipot have spread mostly by exploiting file-format vulnerabilities in applications like Microsoft Excel and Adobe Reader, according to a post on Monday by Jaime Blasco, AlienVault’s Labs Manager. The new Sykipot variant also uses a collection of recently registered Web domains to serve up malicious attacks. Most have been registered during the last month and are linked to the same yahoo.com e-mail address, AlienVault disclosed.
In other respects, however, the malware is the same: exploit kits that serve up the Sykipot Trojan are installed on compromised Web servers, often based in the U.S. Once installed, the Sykipot malware uses SSL (Secure Sockets Layer) to protect its communications with a central command and control (C&C) server from which it downloads a configuration file and uploads data stolen from infected systems.
At least one of the new domains used by Sykipot has been linked to targeted phishing-email attacks on attendees of the IEEE Aerospace Conference (the International Conference for Aerospace Experts, Academics, Military Personnel, and Industry Leaders), AlienVault said.
It wouldn’t be the first time Sykipot had been linked to attacks against government and defense industry interests. In January, AlienVault researchers found a Sykipot variant that was programmed to steal credentials from systems using ActivIdentity’s ActivClient, smart card software used by the U.S. Department of Defense’s Common Access Card (CAC) smart card deployment.