Researchers Find Sykipot Trojan Variant For Hijacking DoD Smart Cards

A report from Alien Vault says that variants of the Sykipot Trojan have been found that can steal DOD smartcard credentials.

The research, published in a blog post Thursday, is the latest by Alien Vault to look at Sykipot, a Trojan horse program known to be used in targeted attacks against the defense industrial base (DIB). The new variants, which Alien Vault believes have been circulating since March 2011, have been used in “dozens of attacks” and contain features that would allow remote attackers to steal smart card credentials and access sensitive information.

According to the analysis, by Jaime Blasco, the new variants are designed for Windows systems using ActivIdentity’s ActivClient, a smart card software authentication product that’s used to support the Department of Defense’s Common Access Card (DoD CAC) smart card deployment. The Trojan is delivered to target systems in a corrupted PDF attached to spear-phishing e-mail messages. The PDFs exploited a previously unknown software vulnerability in the Adobe Reader program, the company said.

After stealing the smart card login credentials, the malware also lists the PKI certificates in the local certificate store on the system. A separate module then allows the attackers to issue a command to the infected system that will cause it to pull down a DLL file that mimics the ActivClient software and implements the code to log in to a protected application using the certificate and stolen PIN.

“By capturing the PIN for the smartcard and binding the certificate, malware can silently use the card to authenticate to secure resources, so long as the card remains physically present in the card reader,” Alien Vault found.

Trojan horses targeting smart card-protected systems aren’t new, but the latest attacks show that sophisticated hackers, whether financially or politically motivated, are targeting specific smart card deployments used by the DoD and other government agencies, as well as defense contractors.

The existence of trojans like Sykipot, which require the smart card to be inserted and, in theory, the user to be active on the system during the attack, means that it may become even more difficult to separate legitimate from illegitimate activity after IT assets have been compromised.

In an address at the FBI’s International Conference on Cyber Security (ICCS), Brad Arkin, the Director of Product Security and Privacy at Adobe, said that the targeted attacks that exploited a previously unknown vulnerability in Adobe’s Reader application last month were extremely focused on defense industrial base firms and affected just a handful of systems.


  • Anonymous on


    I believe that I sat next to you at the SCADA mini-session at ICCS.  I never had really browsed ThreatPost prior to that but I really like the site.  You guys are doing a good job staying current.



  • MAJ Weiss on

    Great. So they're turning off my ability to check my official Army email using IMAP due to the "increased security provided by PKI authentication inherent in CAC", and yet it seems that CAC are not so secure after all...

  • Brian Kowal on

    Clever exploit.  First, don't allow PIN caching.  Second, do Biometric Match-on-Card (MOC).  Or best yet - there exists a Smart Card platform called Java Card Connected that allows for the reduction/elimination of PC client software and can run all the secure code within the chip itself.  Security is never ultimate, but is an effort to create a higher cost to those hacking VS the benefit the hackers gain by breaking in.

  • bubble shooter on

    Great post, I'll bookmark this.
