Latest news
The group(s) behind the massive and consistent campaigns targeting US defense contractors with the Sykipot Trojan continue their attacks unabated, reports Symantec.Its researchers have recently discovered and managed to take a peek into a staging server for the campaigns, which was also occasionally used as a C&C server for delivering instructions to the malware installed on the compromised computers.
In it they discovered many things that gave them insight into how the campaigns are differentiated and waged.
"Each campaign is marked with a unique identifier comprised of a few letters followed by a date hard-coded within the Sykipot Trojan itself. In some cases the keyword preceding the numbers is the sub-domain's folder name on the Web server being used," they shared. "These campaign markers allow the attackers to correlate different attacks on different organizations and industries."
The location of the server (Beijing), those of attackers contacting it (Zhejiang province) and Chinese words contained in path and some file names seem to validate the theory that Chinese hackers are behind the attacks.
The researchers found over a hundred of of malicious files sent as attachments to the targets. They were mostly specially crafted PDF files that would drop the Trojan onto the targeted system once they were run.
The researchers point out that these files were created elsewhere and copied onto the system - from removable drives, via FTP or via instant messaging clients - but were unable to trace any of the individuals behind it or computers they used.
Through this server, they managed also to take a peek into another computer that belongs to the attackers, on which they discovered a tool that that modified the sent files so that they would evade detection.
"The Sykipot attackers have a long running history of attacks against multiple industries," say the researchers. "Based on these insights, the attackers are familiar with the Chinese language and are using computer resources in China. They are clearly a group of attackers who are constantly modifying their creation to utilize new vulnerabilities and to evade security products and we expect that they will continue their attacks in the future."
For a list of domains associated with the attacks, go here.
Spotlight
17% of the world's PCs are unprotected
Posted on 30 May 2012. | In a study that analyzed data from voluntary scans from an average of 27-28 million computers per month, McAfee researchers found 17% of the world is browsing the internet completely unprotected.
What's new in ISO 22301
Posted on 29 May 2012. | Currently there are many business continuity frameworks and standards around the world, but none of them have really taken the dominant position.
Trojan spyware promoted as Steam keygen
Posted on 29 May 2012. | To users looking for keygens for their Steam games, read on: we found something that will make you think twice and probably leave you steering clear of key generators forever.
New cyber weapon targets systems in the Middle East
Posted on 28 May 2012. | A new sophisticated piece of malware dubbed "Flame" has been discovered in systems belonging to users in many Middle Eastern countries and is though to have been developed by a nation state.
RuFraud scammers caught and fined
Posted on 28 May 2012. | PhonepayPlus managed to cut off a malware attack that took the form of premium SMS fraudulent apps masquerading as popular apps offered on Google Play and other online stores.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.
 |
 |
