Researchers at AlienVault shed some light on the evolution of the Sykipot malware attacks.
The Sykipot attacks have exploited a number of zero-days during the past few years, including vulnerabilities affecting Adobe Reader, Adobe Flash Player and Microsoft Internet Explorer.
“In the past most of the campaigns which we found related to the Sykipot actors were based on [spear-phishing] mails with attachments that exploited vulnerabilities in software like Microsoft Office, Adobe Flash, Adobe PDF and sometimes Internet Explorer,” blogged Jaime Blasco, director of AlienVault Labs. “During the last 8-10 months we have seen a change, and the number of [spear-phishing] campaigns which have included a link instead of an attachment has increased. Once the victim clicks on the link the attackers will use vulnerabilities in Internet Explorer, Java, etc. to access the system.”
The campaigns include one where a malicious site was set up in an attempt to phish government employees by masquerading as a webpage about GSA SmartPay charge cards. The page also exploited CVE-2012-1889, a vulnerability affecting Microsoft XML Core Services.
In another wave of attacks, the Sykipot actors registered several domains in September 2012 with the ultimate goal of exploiting a vulnerability in Internet Explorer (CVE-2012-4969). Another campaign in August exploited a Java vulnerability (CVE-2012-1723) to infect vulnerable systems, while a more recent spate of attacks targeted Japanese victims using an Adobe Acrobat exploit (CVE-2013-0640).
“The JavaScript code inside the PDF file is very similar to the one found in the Itaduke samples but part of the initial variables and the obfuscation has been removed from the original one,” Blasco explained.
Once the PDF is opened, a document that appears to be a lure related to the Japanese Ministry of Health, Labour and Welfare is displayed. AlienVault first observed the attacks a few weeks ago.
The company also published information on malicious domains associated with the attacks, as well as a list of unique email addresses registered with those domains.