Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

AlienVault Exposes New Details of Sykipot Attacks

Researchers at AlienVault shed some light on the evolution of the Sykipot malware attacks.

The Sykipot attacks have exploited a number of zero-days during the past few years, including vulnerabilities affecting Adobe Reader, Adobe Flash Player and Microsoft Internet Explorer. 

Researchers at AlienVault shed some light on the evolution of the Sykipot malware attacks.

The Sykipot attacks have exploited a number of zero-days during the past few years, including vulnerabilities affecting Adobe Reader, Adobe Flash Player and Microsoft Internet Explorer. 

“In the past most of the campaigns which we found related to the Sykipot actors were based on [spear-phishing] mails with attachments that exploited vulnerabilities in software like Microsoft Office, Adobe Flash, Adobe PDF and sometimes Internet Explorer,” blogged Jaime Blasco, director of AlienVault Labs. “During the last 8-10 months we have seen a change and the number of [spear-phishing] campaigns which have included a link instead of an attachment and this has increased. Once the victim clicks in the link the attackers will use vulnerabilities in Internet Explorer, Java, etc to access the system.”

The campaigns include one where a malicious site was set up in attempt to phish government employees by masquerading as a webpage about GSA SmartPay charge cards. The page also exploited CVE-2012-1889, a vulnerability affecting Microsoft XML Core Services.

In another wave of attacks, the Sykipot actors registered several domains in September 2012 with the ultimate goal of exploiting a vulnerability in Internet Explorer (CVE-2012-4969). Another campaign in August exploited a Java vulnerability (CVE-2012-1723) to infect vulnerable systems, while a more recent spate of attacks targeted Japanese victims using an Adobe Acrobat exploit (CVE-2013-0640).

“The Javascript code inside the PDF file is very similar to the one found in the Itaduke samples but part of the initial variables and the obfuscation has been removed from the original one,” Blasco explained.

Once the PDF is opened, a document that appears to be a lure related to the Japanese Ministry of Health, Labour and Welfare is displayed. AlienVault first observed the attacks a few weeks ago.

The company also published information on malicious domains associated with the attacks, as well as a list of unique email addresses registered with those domains.

Written By

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.

Malware & Threats

A GitHub Codespaces feature meant to help with code development and collaboration can be abused for malware delivery.