Sykipot

Sykipot is malware that has been used in spearphishing campaigns since approximately 2007 against victims primarily in the US. One variant of Sykipot hijacks smart cards on victims. [1] The group using this malware has also been referred to as Sykipot. [2]

ID: S0018
Aliases: Sykipot
Type: MALWARE
Platforms: Windows

Version: 1.0

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| Enterprise | T1087 | Account Discovery | Sykipot may use net group "domain admins" /domain to display accounts in the "domain admins" permissions group and net localgroup "administrators" to list local system administrator group membership. [3] |
| Enterprise | T1056 | Input Capture | Sykipot contains keylogging functionality to steal passwords. [1] |
| Enterprise | T1079 | Multilayer Encryption | Sykipot communicates using HTTPS and uses a custom encryption cipher to encrypt the HTTPS message body. [2] |
| Enterprise | T1057 | Process Discovery | Sykipot may gather a list of running processes by running tasklist /v. [3] |
| Enterprise | T1055 | Process Injection | Sykipot injects itself into running instances of outlook.exe, iexplore.exe, or firefox.exe. [3] |
| Enterprise | T1060 | Registry Run Keys / Startup Folder | Sykipot has been known to establish persistence by adding programs to the Run Registry key. [2] |
| Enterprise | T1018 | Remote System Discovery | Sykipot may use net view /domain to display hostnames of available systems on a network. [3] |
| Enterprise | T1016 | System Network Configuration Discovery | Sykipot may use ipconfig /all to gather system network configuration details. [3] |
| Enterprise | T1049 | System Network Connections Discovery | Sykipot may use netstat -ano to display active network connections. [3] |
| Enterprise | T1007 | System Service Discovery | Sykipot may use net start to display running services. [3] |
| Enterprise | T1111 | Two-Factor Authentication Interception | Sykipot is known to contain functionality that enables targeting of smart card technologies to proxy authentication for connections to restricted network resources using detected hardware tokens. [1] |
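
As an added detection example (not code from the ATT&CK page or from Sykipot itself), the Python below matches the discovery commands attributed to Sykipot in the table against constructed process-creation records and flags a host where several distinct discovery techniques fire within a short window. The record layout, host names, window size and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands this page attributes to Sykipot, keyed by ATT&CK technique ID.
SYKIPOT_DISCOVERY = {
    "T1087": re.compile(r'^net (group "domain admins" /domain|localgroup "?administrators"?)$'),
    "T1057": re.compile(r"^tasklist /v$"),
    "T1018": re.compile(r"^net view /domain$"),
    "T1016": re.compile(r"^ipconfig /all$"),
    "T1049": re.compile(r"^netstat -ano$"),
    "T1007": re.compile(r"^net start$"),
}

# Constructed sample records (not real telemetry): <ISO timestamp> <host> <parent image> <command line>
SAMPLE_LOG = """\
2019-03-01T10:00:01 ws01 outlook.exe net group "domain admins" /domain
2019-03-01T10:00:04 ws01 outlook.exe tasklist /v
2019-03-01T10:00:09 ws01 outlook.exe net view /domain
2019-03-01T10:00:12 ws01 outlook.exe ipconfig /all
2019-03-01T10:00:15 ws01 outlook.exe netstat -ano
2019-03-01T10:00:20 ws01 outlook.exe net start
2019-03-01T11:30:00 ws02 cmd.exe ipconfig /all
2019-03-01T11:45:00 ws02 cmd.exe netstat -ano
"""

def classify(cmdline):
    """Return the technique ID whose pattern matches the command line, else None."""
    norm = " ".join(cmdline.lower().split())  # case- and whitespace-insensitive
    for tid, pat in SYKIPOT_DISCOVERY.items():
        if pat.match(norm):
            return tid
    return None

def find_discovery_bursts(log_text, window=timedelta(minutes=5), min_techniques=3):
    """Hosts with >= min_techniques distinct discovery techniques inside one window (one ipconfig is noise)."""
    events = defaultdict(list)  # host -> [(timestamp, technique ID)]
    for line in log_text.splitlines():
        ts, host, _parent, cmd = line.split(" ", 3)  # assumes well-formed records
        if tid := classify(cmd):
            events[host].append((datetime.fromisoformat(ts), tid))
    hits = {}
    for host, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):  # slide the window from each event
            seen = {t for ts, t in evs[i:] if ts - start <= window}
            if len(seen) >= min_techniques:
                hits[host] = sorted(seen)
                break
    return hits
```

The parent image is carried through so an analyst can also weight hits spawned from outlook.exe, iexplore.exe or firefox.exe, the processes the table says Sykipot injects into.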

References