
AlienVault Exposes New Details of Sykipot Attacks

Researchers at AlienVault shed some light on the evolution of the Sykipot malware attacks.

The Sykipot attacks have exploited a number of zero-days during the past few years, including vulnerabilities affecting Adobe Reader, Adobe Flash Player and Microsoft Internet Explorer. 

“In the past most of the campaigns which we found related to the Sykipot actors were based on [spear-phishing] mails with attachments that exploited vulnerabilities in software like Microsoft Office, Adobe Flash, Adobe PDF and sometimes Internet Explorer,” blogged Jaime Blasco, director of AlienVault Labs. “During the last 8-10 months we have seen a change and the number of [spear-phishing] campaigns which have included a link instead of an attachment and this has increased. Once the victim clicks in the link the attackers will use vulnerabilities in Internet Explorer, Java, etc to access the system.”

The campaigns include one in which a malicious site was set up in an attempt to phish government employees by masquerading as a webpage about GSA SmartPay charge cards. The page also exploited CVE-2012-1889, a vulnerability affecting Microsoft XML Core Services.

In another wave of attacks, the Sykipot actors registered several domains in September 2012 with the ultimate goal of exploiting a vulnerability in Internet Explorer (CVE-2012-4969). Another campaign in August exploited a Java vulnerability (CVE-2012-1723) to infect vulnerable systems, while a more recent spate of attacks targeted Japanese victims using an Adobe Acrobat exploit (CVE-2013-0640).

“The JavaScript code inside the PDF file is very similar to the one found in the Itaduke samples but part of the initial variables and the obfuscation has been removed from the original one,” Blasco explained.

Once the PDF is opened, a document that appears to be a lure related to the Japanese Ministry of Health, Labour and Welfare is displayed. AlienVault first observed the attacks a few weeks ago.

The company also published information on malicious domains associated with the attacks, as well as a list of unique email addresses registered with those domains.

Written By

Marketing professional with a background in journalism and a focus on IT security.
