Sykipot

Sykipot is malware that has been used in spearphishing campaigns since approximately 2007 against victims primarily in the US. One variant of Sykipot hijacks smart cards on victims. [1] The group using this malware has also been referred to as Sykipot. [2]

ID: S0018
Type: MALWARE
Platforms: Windows

Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1087 | Account Discovery | Sykipot may use net group "domain admins" /domain to display accounts in the "domain admins" permissions group and net localgroup "administrators" to list local system administrator group membership. [3]
Enterprise | T1056 | Input Capture | Sykipot contains keylogging functionality to steal passwords. [1]
Enterprise | T1079 | Multilayer Encryption | Sykipot communicates using HTTPS and uses a custom encryption cipher to encrypt the HTTPS message body. [2]
Enterprise | T1057 | Process Discovery | Sykipot may gather a list of running processes by running tasklist /v. [3]
Enterprise | T1055 | Process Injection | Sykipot injects itself into running instances of outlook.exe, iexplore.exe, or firefox.exe. [3]
Enterprise | T1060 | Registry Run Keys / Startup Folder | Sykipot has been known to establish persistence by adding programs to the Run Registry key. [2]
Enterprise | T1018 | Remote System Discovery | Sykipot may use net view /domain to display hostnames of available systems on a network. [3]
Enterprise | T1016 | System Network Configuration Discovery | Sykipot may use ipconfig /all to gather system network configuration details. [3]
Enterprise | T1049 | System Network Connections Discovery | Sykipot may use netstat -ano to display active network connections. [3]
Enterprise | T1007 | System Service Discovery | Sykipot may use net start to display running services. [3]
Enterprise | T1111 | Two-Factor Authentication Interception | Sykipot is known to contain functionality that enables targeting of smart card technologies to proxy authentication for connections to restricted network resources using detected hardware tokens. [1]
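The discovery commands and injection targets in the table above are the observable side of this malware and lend themselves to endpoint detection. The following added example (not from the ATT&CK page or from any Sykipot analysis) scores constructed process-creation records for a burst of the listed commands on one host; the event fields, the window and threshold values, and the inference that discovery spawned from outlook.exe, iexplore.exe or firefox.exe is anomalous are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands attributed to Sykipot on this page, keyed by ATT&CK technique ID.
DISCOVERY_PATTERNS = {
    "T1087": re.compile(r'net1?\s+(group\s+"?domain admins"?\s+/domain|localgroup\s+"?administrators"?)'),
    "T1057": re.compile(r"tasklist\s+/v\b"),
    "T1018": re.compile(r"net1?\s+view\s+/domain"),
    "T1016": re.compile(r"ipconfig\s+/all"),
    "T1049": re.compile(r"netstat\s+-ano"),
    "T1007": re.compile(r"net1?\s+start\b"),
}
# Injection targets named on the page; discovery spawned from a browser or mail client is anomalous (assumption).
INJECTION_TARGETS = {"outlook.exe", "iexplore.exe", "firefox.exe"}
def classify(cmdline):
    """Return the ATT&CK ID of the matching discovery command, or None."""
    norm = " ".join(cmdline.lower().replace("'", '"').split())  # normalise case, spacing, quotes
    for tid, pattern in DISCOVERY_PATTERNS.items():
        if pattern.search(norm):
            return tid
    return None
def detect(events, window_minutes=10, min_techniques=3):
    """events: process-creation records (dicts with ts as ISO 8601, host, parent, cmdline). One alert per
    host running >= min_techniques distinct techniques inside the window, plus one per (host, parent) injection target."""
    by_host, from_injected, alerts = defaultdict(list), set(), []
    for ev in events:
        tid = classify(ev["cmdline"])
        if tid is None:
            continue
        by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), tid))
        if ev["parent"].lower() in INJECTION_TARGETS:
            from_injected.add((ev["host"], ev["parent"].lower()))
    for host, parent in sorted(from_injected):
        alerts.append({"host": host, "reason": "discovery from injected process", "parent": parent})
    for host, seen in by_host.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):  # sliding window anchored at each discovery event
            in_window = {t for ts, t in seen[i:] if ts - start <= timedelta(minutes=window_minutes)}
            if len(in_window) >= min_techniques:
                alerts.append({"host": host, "reason": "discovery burst", "techniques": sorted(in_window)})
                break
    return alerts
SAMPLE_EVENTS = [  # constructed records for illustration, not real telemetry
    {"ts": "2024-03-01T09:00:00", "host": "WS01", "parent": "iexplore.exe", "cmdline": 'net group "domain admins" /domain'},
    {"ts": "2024-03-01T09:00:05", "host": "WS01", "parent": "iexplore.exe", "cmdline": "tasklist /v"},
    {"ts": "2024-03-01T09:00:09", "host": "WS01", "parent": "iexplore.exe", "cmdline": "ipconfig /all"},
    {"ts": "2024-03-01T09:00:12", "host": "WS01", "parent": "iexplore.exe", "cmdline": "netstat -ano"},
    {"ts": "2024-03-01T11:30:00", "host": "WS02", "parent": "explorer.exe", "cmdline": "ipconfig /all"},
]
```

Running detect(SAMPLE_EVENTS) yields two alerts for WS01 (discovery from iexplore.exe, and a burst of four techniques) and none for WS02, whose single ipconfig /all from explorer.exe stays below the threshold.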

References