A new variant of the long-running Sykipot malware family appears to have a new trick up its sleeve. According to AlienVault, rather than stopping at spear-phishing email, the new Sykipot variant targets the credentials held on the PC/SC-compatible X.509 smart cards used by the U.S. Department of Defense and by a wide range of corporations and enterprises, including defense contractors.
The Sykipot malware family has been around since at least 2007 and has been used in spear-phishing campaigns aimed primarily at targets in the United States, particularly in the defense sector. AlienVault says the attacks are directed from command-and-control servers located in China.
The new Sykipot variant arrives as a spear-phishing email that tries to persuade the target to open a PDF attachment. The PDF exploits a zero-day vulnerability in Adobe Reader to install the Sykipot malware on the victim's machine. Once installed, Sykipot runs a keylogger to capture the PINs users type for their DOD and Windows smart cards. Whenever a smart card is inserted into the reader, the malware supplies the captured PIN itself and uses the card's credentials as if it were the authorized user, in an effort to reach protected information.
According to AlienVault researcher Jaime Blasco, the new Sykipot variant appears to have been created in March 2011 and has turned up in several attack samples since. AlienVault cannot say whether the malware has actually obtained DOD or Windows smart card credentials in the wild, but says the technique does work.
Sykipot isn't the first malware to target smart cards and other two-factor authentication schemes, but it is notable that the new variant explicitly targets the smart card systems widely used by the U.S. Department of Defense and the defense industry. Because a smart card's private key never leaves the card, a stolen PIN is only useful while the card is physically inserted in the compromised machine, so the malware's accesses happen during the card owner's own sessions. That may make it quite difficult for administrators and network security controls to tell Sykipot's access apart from legitimate use by the card owner.
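One signal a defender can still use is that the malware authenticates on its own schedule, not the user's: a certificate authentication that happens while the card is present but the user has been idle for a long stretch is worth a second look. The following is an added example, not code from the article or from AlienVault, showing that triage over a constructed event log (card insert/remove, user input, certificate authentication). The log format, the event names, and the two-minute idle threshold are assumptions made for the example; real sources (PC/SC reader events, session idle timers, certificate logon records) differ by platform.

```python
"""Heuristic triage of smart-card authentications on a possibly compromised host.

Added example, not code from the article or from AlienVault. The log format,
event names and idle threshold below are assumptions made for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed sample timeline (not real telemetry). One event per line:
#   <ISO-8601 timestamp> <event kind> <free-text detail>
SAMPLE_LOG = """\
2011-03-14T09:00:00 card_inserted reader=ACR38
2011-03-14T09:00:04 user_input keyboard
2011-03-14T09:00:09 cert_auth target=portal.example.mil
2011-03-14T09:01:30 user_input mouse
2011-03-14T09:31:00 cert_auth target=files.example.mil
2011-03-14T09:31:02 cert_auth target=mail.example.mil
2011-03-14T09:45:00 card_removed reader=ACR38
2011-03-14T10:02:00 cert_auth target=portal.example.mil
"""

@dataclass
class Event:
    ts: datetime
    kind: str      # card_inserted | card_removed | user_input | cert_auth
    detail: str


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format into Event records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(" ", 2)
        detail = parts[2] if len(parts) > 2 else ""
        events.append(Event(datetime.fromisoformat(parts[0]), parts[1], detail))
    return events


def find_suspicious_auths(events: List[Event],
                          idle_threshold: timedelta = timedelta(minutes=2)
                          ) -> List[Tuple[Event, str]]:
    """Return (event, reason) pairs for certificate authentications that either
    occurred with no card present (impossible for card-backed auth, so a data
    or reader problem worth investigating) or occurred while the card was present
    but the last keyboard/mouse input was older than idle_threshold, i.e. the
    authentication was not plausibly driven by the person at the keyboard."""
    card_present = False
    last_input = None
    flagged = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "card_inserted":
            card_present = True
        elif ev.kind == "card_removed":
            card_present = False
        elif ev.kind == "user_input":
            last_input = ev.ts
        elif ev.kind == "cert_auth":
            if not card_present:
                flagged.append((ev, "auth without card present"))
            elif last_input is None or ev.ts - last_input > idle_threshold:
                flagged.append((ev, "auth during user idle"))
    return flagged


if __name__ == "__main__":
    for ev, reason in find_suspicious_auths(parse_log(SAMPLE_LOG)):
        print(f"{ev.ts.isoformat()}  {reason:26s}  {ev.detail}")
```

On the constructed timeline the two authentications at 09:31 are flagged because the user's last input was half an hour earlier, while the 09:00:09 authentication, five seconds after a keystroke, passes. The heuristic is deliberately weak: an operator who waits for the user to be active, or who authenticates immediately after the user's own logon, will blend in, which is exactly the difficulty the article describes. It is a triage filter to narrow what an analyst reviews, not a detection on its own.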