Sykipot

Sykipot is malware that has been used in spearphishing campaigns since approximately 2007 against victims primarily in the US. One variant of Sykipot hijacks smart cards on victims.[1] The group using this malware has also been referred to as Sykipot.[2]

ID: S0018
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 31 May 2017
Last Modified: 13 May 2020

Techniques Used

Domain ID Name Use
Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

Sykipot uses SSL for encrypting C2 communications.[2]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Sykipot has been known to establish persistence by adding programs to the Run Registry key.[2]

Enterprise T1111 Multi-Factor Authentication Interception

Sykipot is known to contain functionality that enables targeting of smart card technologies to proxy authentication for connections to restricted network resources using detected hardware tokens.[1]

Enterprise T1007 System Service Discovery

Sykipot may use net start to display running services.[3]

Enterprise T1049 System Network Connections Discovery

Sykipot may use netstat -ano to display active network connections.[3]

Enterprise T1016 System Network Configuration Discovery

Sykipot may use ipconfig /all to gather system network configuration details.[3]

Enterprise T1087 .002 Account Discovery: Domain Account

Sykipot may use net group "domain admins" /domain to display accounts in the "domain admins" permissions group and net localgroup "administrators" to list local system administrator group membership.[3]

Enterprise T1056 .001 Input Capture: Keylogging

Sykipot contains keylogging functionality to steal passwords.[1]

Enterprise T1057 Process Discovery

Sykipot may gather a list of running processes by running tasklist /v.[3]

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Sykipot injects itself into running instances of outlook.exe, iexplore.exe, or firefox.exe.[3]

Enterprise T1018 Remote System Discovery

Sykipot may use net view /domain to display hostnames of available systems on a network.[3]
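The discovery commands listed above (net start, netstat -ano, ipconfig /all, net group / net localgroup, tasklist /v, net view /domain) are individually common in normal administration, so a detection that fires on any one of them is noisy. What stands out in the Sykipot behaviour is the combination: several distinct discovery techniques on one host in a short span, launched from a process the malware is reported to inject into (outlook.exe, iexplore.exe or firefox.exe). The following is an added example, not part of the ATT&CK page or of any vendor tooling, of a small analytic that scores constructed process-creation log lines on exactly those two signals. The log format (timestamp, host, parent image, then the command line after a `|` separator), the host names, and the threshold of three techniques are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed process-creation events in a hypothetical format:
#   <timestamp> <host> <parent image>|<command line>
# These are invented sample lines, not real telemetry.
SAMPLE_LOG = """\
2020-05-13T10:01:02 ws01 C:\\Program Files\\Internet Explorer\\iexplore.exe|cmd.exe /c ipconfig /all
2020-05-13T10:01:05 ws01 C:\\Program Files\\Internet Explorer\\iexplore.exe|cmd.exe /c netstat -ano
2020-05-13T10:01:09 ws01 C:\\Program Files\\Internet Explorer\\iexplore.exe|cmd.exe /c net group "domain admins" /domain
2020-05-13T10:01:12 ws01 C:\\Program Files\\Internet Explorer\\iexplore.exe|cmd.exe /c tasklist /v
2020-05-13T10:01:15 ws01 C:\\Program Files\\Internet Explorer\\iexplore.exe|cmd.exe /c net view /domain
2020-05-13T10:30:00 ws02 C:\\Windows\\explorer.exe|cmd.exe /c ipconfig /all
"""

# Command-line patterns mapped to the ATT&CK technique IDs this page lists for Sykipot.
DISCOVERY_PATTERNS = {
    "T1007": re.compile(r"\bnet\s+start\b", re.I),               # System Service Discovery
    "T1049": re.compile(r"\bnetstat\b.*\s-ano\b", re.I),         # System Network Connections Discovery
    "T1016": re.compile(r"\bipconfig\b.*\s/all\b", re.I),        # System Network Configuration Discovery
    "T1087.002": re.compile(                                     # Account Discovery: Domain Account
        r"\bnet\s+(group\b.*domain admins|localgroup\b.*administrators)", re.I),
    "T1057": re.compile(r"\btasklist\b.*\s/v\b", re.I),          # Process Discovery
    "T1018": re.compile(r"\bnet\s+view\b.*\s/domain\b", re.I),   # Remote System Discovery
}

# Processes the page reports Sykipot injecting into; a shell spawned from one of
# these that runs discovery commands is a stronger signal than the command alone.
INJECTION_HOSTS = {"outlook.exe", "iexplore.exe", "firefox.exe"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<parent>[^|]+)\|(?P<cmd>.+)$")


def parse_line(raw):
    """Split one log line into its fields; returns None for lines that do not match."""
    m = LINE_RE.match(raw.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["parent_name"] = ev["parent"].rsplit("\\", 1)[-1].lower()
    return ev


def classify(cmdline):
    """Return the set of technique IDs whose pattern matches this command line."""
    return {tid for tid, pat in DISCOVERY_PATTERNS.items() if pat.search(cmdline)}


def analyze(log_text, threshold=3):
    """Per-host findings: distinct discovery techniques seen, whether any of them
    was launched from a known injection target, and a flag once the number of
    distinct techniques reaches `threshold` (an assumed tuning value)."""
    findings = defaultdict(lambda: {"techniques": set(), "injected_parent": False, "flagged": False})
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        hits = classify(ev["cmd"])
        if not hits:
            continue
        f = findings[ev["host"]]
        f["techniques"] |= hits
        if ev["parent_name"] in INJECTION_HOSTS:
            f["injected_parent"] = True
    for f in findings.values():
        f["flagged"] = len(f["techniques"]) >= threshold
    return dict(findings)


if __name__ == "__main__":
    for host, f in analyze(SAMPLE_LOG).items():
        status = "ALERT" if f["flagged"] else "info"
        print(f"{status} {host}: {sorted(f['techniques'])} injected_parent={f['injected_parent']}")
```

On the constructed input, ws01 is flagged (five distinct discovery techniques, all spawned under iexplore.exe) while ws02, which only ran ipconfig /all from explorer.exe, stays at informational level. In a real deployment the same logic would read Sysmon or EDR process-creation events and apply a time window per host rather than treating the whole file as one window.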

References