A report from Alien Vault says that variants of the Sykipot Trojan have been found that can steal DoD smart card credentials.
The research, published in a blog post Thursday, is the latest by Alien Vault to look at Sykipot, a Trojan horse program known to be used in targeted attacks against the defense industrial base (DIB). The new variants, which Alien Vault believes have been circulating since March 2011, have been used in “dozens of attacks” and contain features that would allow remote attackers to steal smart card credentials and use them to access sensitive information.
According to the analysis, by Jaime Blasco, the new variants are designed for Windows systems running ActivIdentity’s ActivClient, a smart card authentication software product used to support the Department of Defense’s Common Access Card (DoD CAC) deployment. The Trojan is delivered to target systems in a malicious PDF attached to spear-phishing e-mail messages. The PDFs exploited a previously unknown vulnerability in Adobe Reader, Alien Vault said.
After stealing the smart card login credentials, the malware also lists the PKI certificates in the local certificate store on the system. A separate module then lets the attackers issue a command to the infected system that makes it pull down a DLL that mimics the ActivClient software and implements the code to log in to a protected application using the certificate and the stolen PIN.
“By capturing the PIN for the smartcard and binding the certificate, malware can silently use the card to authenticate to secure resources, so long as the card remains physically present in the card reader,” Alien Vault found.
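The DLL described above impersonates legitimate middleware inside the victim's own session, so one check a defender can run on a suspect host is to enumerate the DLLs loaded into the smart card middleware process and verify each one's Authenticode signature and location. The following PowerShell is an added example, not code from the article or from Alien Vault's report; the process name is supplied by the operator, and no particular ActivClient process or file name is assumed here.

```powershell
# Added example (not from the article or AlienVault's report): enumerate the DLLs loaded
# into a running process and check each one's Authenticode signature and location.
# A planted DLL that impersonates the smart card middleware would typically show up as
# unsigned, signed by an unexpected publisher, or loaded from an unusual directory.
# The process name is supplied by the operator; no particular ActivClient process or
# file name is assumed here.
param(
    [Parameter(Mandatory = $true)]
    [string]$ProcessName
)

# Directories where system and vendor DLLs are normally found (a heuristic, not a rule).
$expectedRoots = @(
    $env:SystemRoot,
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)}
) | Where-Object { $_ }

function Test-ExpectedLocation {
    param([string]$Path)
    foreach ($root in $expectedRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

foreach ($proc in (Get-Process -Name $ProcessName -ErrorAction Stop)) {
    try {
        # Module enumeration needs a PowerShell process of the same bitness as the target.
        $modules = $proc.Modules
    } catch {
        Write-Warning "Cannot enumerate modules of $($proc.ProcessName) (PID $($proc.Id)): $_"
        continue
    }

    foreach ($module in $modules) {
        $sig = Get-AuthenticodeSignature -FilePath $module.FileName
        $notes = @()
        if ($sig.Status -ne 'Valid') { $notes += "signature $($sig.Status)" }
        if (-not (Test-ExpectedLocation $module.FileName)) { $notes += 'unusual location' }

        # One row per loaded module; anything with a non-empty Note deserves a closer look.
        [pscustomobject]@{
            Process   = $proc.ProcessName
            Pid       = $proc.Id
            Module    = $module.ModuleName
            Path      = $module.FileName
            Signature = $sig.Status
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Note      = ($notes -join '; ')
        }
    }
}
```

Save the script and run it with `-ProcessName` set to the middleware process you want to inspect, from a 64-bit PowerShell for a 64-bit target. A valid signature on its own is not proof of legitimacy, since an attacker may hold a stolen or otherwise trusted signing certificate; compare the Signer column against the vendor's expected publisher and, where a known-good host is available, diff the module paths against it.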
Trojan horses targeting smart card-protected systems are not new, but the latest attacks show that sophisticated attackers, whether financially or politically motivated, are targeting specific smart card deployments used by the DoD and other government agencies, as well as by defense contractors.
The existence of Trojans like Sykipot, which require the smart card to be inserted and, in theory, the user to be active on the system during the attack, means that it may become even more difficult to separate legitimate from illegitimate activity after IT assets have been compromised: because the real card and the real PIN are used, the resulting authentication events look like the legitimate user's.
In an address at the FBI’s International Conference on Cyber Security (ICCS), Brad Arkin, Director of Product Security and Privacy at Adobe, said that the targeted attacks that exploited a previously unknown vulnerability in Adobe Reader last month were extremely focused on defense industrial base firms and affected just a handful of systems.