Malware & Threats

AlienVault Exposes New Details of Sykipot Attacks

Researchers at AlienVault shed some light on the evolution of the Sykipot malware attacks.

The Sykipot attacks have exploited a number of zero-days during the past few years, including vulnerabilities affecting Adobe Reader, Adobe Flash Player and Microsoft Internet Explorer. 



“In the past most of the campaigns which we found related to the Sykipot actors were based on [spear-phishing] mails with attachments that exploited vulnerabilities in software like Microsoft Office, Adobe Flash, Adobe PDF and sometimes Internet Explorer,” blogged Jaime Blasco, director of AlienVault Labs. “During the last 8-10 months we have seen a change and the number of [spear-phishing] campaigns which have included a link instead of an attachment and this has increased. Once the victim clicks on the link the attackers will use vulnerabilities in Internet Explorer, Java, etc. to access the system.”

The campaigns include one in which a malicious site was set up in an attempt to phish government employees by masquerading as a webpage about GSA SmartPay charge cards. The page also exploited CVE-2012-1889, a vulnerability affecting Microsoft XML Core Services.

In another wave of attacks, the Sykipot actors registered several domains in September 2012 with the ultimate goal of exploiting a vulnerability in Internet Explorer (CVE-2012-4969). Another campaign in August exploited a Java vulnerability (CVE-2012-1723) to infect vulnerable systems, while a more recent spate of attacks targeted Japanese victims using an Adobe Acrobat exploit (CVE-2013-0640).

“The JavaScript code inside the PDF file is very similar to the one found in the Itaduke samples but part of the initial variables and the obfuscation has been removed from the original one,” Blasco explained.

Once the PDF is opened, a document that appears to be a lure related to the Japanese Ministry of Health, Labour and Welfare is displayed. AlienVault first observed the attacks a few weeks ago.

The company also published information on malicious domains associated with the attacks, as well as a list of unique email addresses registered with those domains.


Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
