Software: Sykipot

ID: S0018
Aliases: Sykipot
Type: Malware
Platform: Windows

Sykipot is malware that has been used in spearphishing campaigns since approximately 2007 against victims primarily in the US. One variant of Sykipot hijacks smart cards on victim systems.[1] The group using this malware has also been referred to as Sykipot.[2]

Techniques Used

  • Multilayer Encryption - Sykipot communicates using HTTPS and uses a custom encryption cipher to encrypt the HTTPS message body.[2]
  • Two-Factor Authentication Interception - Sykipot is known to contain functionality that enables targeting of smart card technologies to proxy authentication for connections to restricted network resources using detected hardware tokens.[1]
  • Input Capture - Sykipot contains keylogging functionality to steal passwords.[1]
  • Process Injection - Sykipot injects itself into running instances of outlook.exe, iexplore.exe, or firefox.exe.[3]
  • Process Discovery - Sykipot may gather a list of running processes by running tasklist /v.[3]
  • Account Discovery - Sykipot may use net group "domain admins" /domain to display accounts in the "domain admins" permissions group and net localgroup "administrators" to list local system administrator group membership.[3]
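As an added example (not part of the ATT&CK entry or any Sykipot analysis), the following Python flags the discovery commands listed above and the pattern of a discovery tool being spawned by one of the processes Sykipot injects into, run over constructed process-creation events; the event field names and the child-of-injected-host heuristic are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Host processes Sykipot injects into, per the entry above. A shell or
# discovery tool spawned directly by one of these is unexpected (heuristic).
INJECTION_HOSTS = {"outlook.exe", "iexplore.exe", "firefox.exe"}

# Discovery commands named in the entry. On Windows, net.exe forwards these
# subcommands to net1.exe, so both binaries are accepted.
DISCOVERY_RULES: List[Tuple[re.Pattern, str]] = [
    (re.compile(r'\btasklist(\.exe)?\s+/v\b'),
     "Process Discovery: tasklist /v"),
    (re.compile(r'\bnet1?(\.exe)?\s+group\s+"?domain admins"?\s+/domain\b'),
     "Account Discovery: domain admins group enumeration"),
    (re.compile(r'\bnet1?(\.exe)?\s+localgroup\s+"?administrators"?(\s|$)'),
     "Account Discovery: local administrators group enumeration"),
]

def normalize(cmdline: str) -> str:
    """Lower-case and collapse whitespace so spacing variations do not evade the rules."""
    return " ".join(cmdline.lower().split())

def classify(event: Dict[str, str]) -> List[str]:
    """Return the findings for one process-creation event (empty list if nothing matched)."""
    findings = []
    cmd = normalize(event["cmdline"])
    for pattern, label in DISCOVERY_RULES:
        if pattern.search(cmd):
            findings.append(label)
    if event["parent"].lower() in INJECTION_HOSTS:
        findings.append(f"Process Injection indicator: {event['image']} spawned by {event['parent']}")
    return findings

def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Return (event index, findings) for every event that produced at least one finding."""
    return [(i, f) for i, e in enumerate(events) if (f := classify(e))]

# Constructed sample events (parent image, image, command line); not real telemetry.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "outlook.exe", "cmdline": '"C:\\Program Files\\Microsoft Office\\OUTLOOK.EXE"'},
    {"parent": "outlook.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c tasklist /v"},
    {"parent": "cmd.exe", "image": "tasklist.exe", "cmdline": "tasklist  /v"},
    {"parent": "iexplore.exe", "image": "net.exe", "cmdline": 'net group "domain admins" /domain'},
    {"parent": "cmd.exe", "image": "net.exe", "cmdline": "net localgroup administrators"},
    {"parent": "explorer.exe", "image": "notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["cmdline"], "->", "; ".join(findings))
```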