New Sykipot Variant Targets Defense Sector Smart Card Credentials

Researchers uncovered a new variant of the Sykipot Trojan that targeted smart cards used by a number of high-security companies and public agencies, including the United States Department of Defense.

The new variant of the Sykipot malware family is capable of stealing PIN codes used with smart cards to gain access to restricted systems, Jamie Blasco, a security researcher at Alienvault, wrote on the Alienvault Labs blog Jan. 12.

The variant was first compiled in March 2011 and has since been spotted in dozens of samples, according to Blasco. The researchers were able to test that the malware had the capability to steal credentials, but had no proof attackers had actually succeeded in doing so, nor any way of estimating how many credentials might have been lifted, Blasco said.

Sykipot has been implicated in previous spear phishing attacks against defense industries. The latest Sykipot variant was compiled with “the purpose of obtaining information from the defense sector” and targeted Windows systems using ActivIdentity’s ActivClient smart card authentication software, according to Blasco. ActivIdentity did not respond to eWEEK’s request for comment.

The Department of Defense included ActivClient as part of its Common Access Card smart card deployment. Users swipe smart cards through a special reader attached to computers to access sensitive applications or restricted resources. Smart cards usually use digital certificates and PIN codes to authenticate the user before granting access.

“While Trojans that have targeted smart cards are not new, there is obvious significance to the targeting of a particular smart card system in wide deployment by the U.S. DoD and other government agencies, particularly given the nature of the information the attackers seem to be targeting for exfiltration,” Blasco said.

The attack begins with a spear-phishing email message with a corrupted PDF document attached. When opened, the file exploits a recently patched Adobe vulnerability to install the Sykipot Trojan code onto the victim’s computer. When installed, the malware uses a keylogger to steal the card’s PIN, according to Blasco. Along with smart card log-in credentials, the malware variant can also list the public key infrastructure certificates on the computer’s local certificate store.

The variant is capable of using the PIN and digital certificates to “silently use the card to authenticate to secure resources, so long as the card remains physically present in the card reader,” Blasco wrote.

The Sykipot attack should “not be surprising,” Mark Diodati, a research vice president at Gartner, wrote on the Gartner blog. “Our clients have seen similar attacks in the wild for at least three years,” Diodati said, noting that he has been discussing this attack vector since 2006.

Even though smart card authentication is “widely held” as the gold standard for commercial user authentication, organizations should remember that no authentication method is bulletproof, according to Diodati. Organizations need to implement additional layers, including anti-malware software, user activity analysis and network forensics, he said.

Adobe patched the remote code execution flaw in Adobe Reader X and lower that was being exploited by this version of Sykipot as part of its quarterly update on Jan. 10. An earlier emergency patch fixed the same flaw in Adobe Reader 9 for Windows.

Alienvault researchers believe the team behind this variant is the same group that was behind the Sykipot attack uncovered by Symantec researchers in December that targeted defense contractors, telecommunications firms, computer hardware companies, chemical companies and energy companies.

“We believe it’s the same group of attackers. They have been using the same techniques, even sharing some parts of the code in other attacks,” Blasco said.