Authors of Sykipot Malware Seem Curious About U.S. Drones

Pulkit Chandna

We here at Maximum PC usually don’t cover drones, except for the ones that can be controlled using generic Android- or iOS-based smartphones and tablets. But we are left with little choice but to venture into Aviation Week territory when a story about military drones also features hackers, zero-day vulnerabilities and malware. You get the drift, don’t you? Hit the jump for more.

According to researchers at Alienvault Labs, an ongoing hacking campaign could be targeting “organizations related to technology used in this kind of vehicles like aerospace and military industries.” Apparently, hackers are using zero-day vulnerabilities in popular software like Adobe Reader to deliver the not-so-sophisticated Sykipot malware to systems belonging to defense contractors. While still not a household name like Stuxnet, the Sykipot malware has been around for ages.

A key defense player, Lockheed Martin, recently reported a Reader zero-day to Adobe. Even in that instance, the payload happened to be Sykipot. Alienvault says that such campaigns have been going on for months and it has analyzed most of them. However, one in particular caught the firm’s attention because the media displayed after infection was about U.S. UCAVs (unmanned combat air vehicles).

“There have been a lot of different campaigns with different Command-And-Control servers,” reads a recent Alienvault Labs blog post. “The modus operandi is simple, they send emails with a malicious attachment or link, sometimes using a zero-day exploit to key employees of different organizations.”

“In most of the campaigns the malware dropped displays some document or media attractive to the victim. After analyzing most of the campaigns, we discovered a group of samples connecting to the same C&C server that attracted our attention because of the media displayed after the infection.”

While cautioning everyone against jumping to conclusions, the researchers said that they had identified no fewer than six Chinese IP addresses used to proxy or host the command-and-control servers, as well as a tool used to create these Sykipot campaigns. If that was not enough, said tool was found to give Chinese-language errors on occasion.

Those behind these attacks are said to be using well-known techniques to hack mainly US-based servers, which then mask the real C&C servers; most of the actual C&C servers run a webserver called “Netbox” that “allows developers to compile and deploy ASP web applications into a stand-alone executable file.” Netbox too has a strong Chinese connection, as almost 80 percent of the servers running it are located in that country.
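The two infrastructure details above give a defender something concrete to look for: the compromised US-based hosts in front of the real servers mean destination geography is a poor filter, but the Netbox webserver on the back end is a fingerprint that shows up in the HTTP `Server` header a proxy records. The script below is an added example written for this article, not code from Alienvault Labs or Maximum PC; the one-line-per-response log format, the hostnames, the IP addresses and the version string are all constructed, and only the product name “Netbox” comes from the article. It groups responses carrying a Netbox `Server` header by destination and counts how many internal clients reached each one, which is the shape of a triage lead rather than a verdict, since Netbox is an ordinary commercial product and a single hit is a reason to look closer, not proof of infection.

```python
import re
from collections import defaultdict

# Constructed proxy log lines in a hypothetical one-line-per-response format:
#   <timestamp> <client_ip> <dest_host> <dest_ip> <status> server="<Server header>"
# Only the product name "Netbox" comes from the article; hosts, IPs and the
# version string are made up for this example.
SAMPLE_LOG = """\
2012-01-10T09:14:02Z 10.0.5.21 updates.example.com 203.0.113.10 200 server="Apache/2.2.3"
2012-01-10T09:15:17Z 10.0.5.21 cdn.example-host.net 198.51.100.7 200 server="NetBox Version 2.8 Build 4128"
2012-01-10T09:15:18Z 10.0.5.44 cdn.example-host.net 198.51.100.7 200 server="NetBox Version 2.8 Build 4128"
2012-01-10T09:16:40Z 10.0.5.13 www.example.org 203.0.113.55 200 server="nginx/1.0.11"
2012-01-10T09:17:03Z 10.0.5.21 cdn.example-host.net 198.51.100.7 404 server="netbox"
2012-01-10T09:18:11Z 10.0.5.13 this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<host>\S+) (?P<dest_ip>\S+) '
    r'(?P<status>\d{3}) server="(?P<server>[^"]*)"$'
)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped rather than fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def is_netbox(server_header):
    """Case-insensitive match on the product name the article ties to the C&C servers."""
    return "netbox" in server_header.lower()


def find_netbox_destinations(records):
    """Map each (host, dest_ip) that answered with a Netbox Server header
    to the set of internal clients that reached it."""
    hits = defaultdict(set)
    for r in records:
        if is_netbox(r["server"]):
            hits[(r["host"], r["dest_ip"])].add(r["client"])
    return dict(hits)


def triage_report(records):
    """Return (host, dest_ip, distinct_clients, responses) rows, most-contacted first.
    Several internal clients reaching the same Netbox host is the pattern worth
    pulling the decoy documents and e-mail attachments for."""
    counts = defaultdict(int)
    for r in records:
        if is_netbox(r["server"]):
            counts[(r["host"], r["dest_ip"])] += 1
    clients = find_netbox_destinations(records)
    rows = [(host, ip, len(clients[(host, ip)]), n) for (host, ip), n in counts.items()]
    return sorted(rows, key=lambda row: (-row[2], -row[3], row[0]))


if __name__ == "__main__":
    for host, ip, n_clients, n_resp in triage_report(parse_log(SAMPLE_LOG)):
        print(f"{host} ({ip}): {n_clients} internal client(s), {n_resp} Netbox response(s)")
```

On real data the input would be the proxy's own export rather than the constructed block, and the destinations it surfaces should be cross-checked against the clients' recent attachment and download history before anyone is paged.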
