More evidence of malware from China attacking the US Department of Defense has been discovered by AlienVault.According to AlienVault’s Lab manager Jaime Blasco a new version of the Sykipot trojan attempts to compromise DoD smart cards used with ActivIdentity’s ActivClient. These smart cards are standard authentication devices for “identifying active duty military staff, selected reserve personnel, civilian employees, and eligible contractor staff,” comments Blaise.
Earlier versions of the trojan, traces of which were found as long ago as 2006, had been used to open a backdoor into infected PCs. This new version, which may have been in use since March 2011 (a date embedded in the malware’s code), uses a keylogger to steal the smart card PIN number in a smart card proxy attack. “When a card is inserted into the reader”, says Blasco, the malware acts as the authenticated user and can access sensitive information. The malware is then controlled by the attackers and then told what – and when – to steal the appropriate data”, he said.
Earlier versions of Sykipot were found to use command and control servers based in China. AlienVault has discovered Chinese characters in a small snippet of code in the new version, further suggesting a Chinese origin. Like the earlier version, the new Sykipot uses a spear phishing email campaign to target specific users. It attempts to persuade the user to click a link from where the infection is effected. More