Malware Technology Research
This analysis report confirms AlienVault’s claim that users of the ActivIdentity ActivClient software are affected. See link: http://labs.alienvault.com/labs/index.php/2012/when-the-apt-owns-your-smart-cards-and-certs
This malware not only attempts to capture keystrokes and clipboard data; it also serves as a backdoor that gives the attacker full remote control of the victim’s system and access to protected resources that require smartcard authentication.
Having said that, it is important to note that the malware requires the smartcard to be present in the reader at the time access is required. In other words, the victim’s machine is used as a smartcard proxy, where the stolen login PIN is used to unlock the smartcard.
Judging by its behavior, this is very likely espionage malware: through key logging it is particularly interested in the email messages and reports drafted while Outlook, Firefox and/or Internet Explorer is running. Additionally, the malware takes extra precautions to maintain stealth on the victim’s system, aiming to remain undetected for a long period.
Upon its first execution, Sykipot copies itself to its working directory as “dmm.exe” and restarts itself from there. The injected DLL performs key logging and clipboard capture in one thread and opens a backdoor to the Command and Control (CnC) server in another. Its functionality ranges from remote execution of command-prompt and custom backdoor commands to smartcard access for reaching secured resources. To persist across reboots in a stealthy manner, it relocates itself to the Startup folder as “taskmost.exe” only upon closure of the Windows session, and relocates itself back to the working directory when started. This inevitably impedes live-system forensics when start-up entry points are inspected.
In subsequent sections, the analysis of each Sykipot component (EXE and DLL) is detailed.
As described in the flow above, the Sykipot EXE component is responsible for both malicious code injection and persistence. Upon execution for the first time (either at login or at infection), it copies itself to the working directory (the parent directory of the temp folder, Local Settings) as “dmm.exe”; the timestamp of this executable is stomped to match a Windows system file, “c:\windows\system32\svchost.exe”, possibly to impede disk forensic investigation.
All processes are enumerated and it attempts to inject a malicious DLL (dropped from the resource section) into outlook.exe, iexplore.exe and firefox.exe. This DLL is disguised as a Microsoft-related executable, which again makes it harder to identify in memory or disk forensics.
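A defender-side check that follows from this behaviour is to look, in a memory image or a live module listing, for DLLs loaded into exactly these three host processes from a location where they have no business loading code. The script below is an added example written for this report, not code from the report or from the sample; it assumes the module inventory has already been exported as (pid, process name, module path) tuples, and the constructed inventory, the constructed DLL names and the list of "expected" load roots are assumptions, since the report names the three host processes and the Local Settings working directory but not the injected DLL's file name.

```python
"""Flag DLLs loaded into Outlook/IE/Firefox from unexpected directories.

Added example for the Sykipot report (not the report's or the sample's code).
Assumption: a module inventory is available as (pid, process, module path)
tuples, e.g. exported from a memory image. The check keys on load path, not
on a file name, because the report does not give the injected DLL's name.
"""
from pathlib import PureWindowsPath

# The three processes the report says Sykipot injects into.
TARGET_PROCESSES = {"outlook.exe", "iexplore.exe", "firefox.exe"}

# Directories from which these programs legitimately load code (assumption;
# tune to the environment, e.g. per-user Firefox installs).
EXPECTED_ROOTS = (
    r"c:\windows\system32",
    r"c:\windows\winsxs",
    r"c:\program files",
)

# Constructed module inventory standing in for a memory-image export.
# The two *.dll files under "Local Settings" are constructed names, not IoCs.
SAMPLE_MODULES = [
    (1204, "outlook.exe",  r"C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE"),
    (1204, "outlook.exe",  r"C:\WINDOWS\system32\kernel32.dll"),
    (1204, "outlook.exe",  r"C:\Documents and Settings\alice\Local Settings\msxmlxx.dll"),
    (1388, "firefox.exe",  r"C:\Program Files\Mozilla Firefox\xul.dll"),
    (1388, "firefox.exe",  r"C:\Documents and Settings\alice\Local Settings\Temp\wininet32.dll"),
    (1500, "notepad.exe",  r"C:\Documents and Settings\alice\Local Settings\msxmlxx.dll"),
    (1620, "iexplore.exe", r"C:\WINDOWS\system32\urlmon.dll"),
]


def _under(path, root):
    """True if `path` is `root` or lies anywhere beneath it (case-insensitive)."""
    p = PureWindowsPath(path.lower())
    r = PureWindowsPath(root.lower())
    return p == r or r in p.parents


def suspicious_modules(modules, expected_roots=EXPECTED_ROOTS):
    """Return (pid, process, path) for modules hosted by a target process
    that were loaded from outside every expected root."""
    hits = []
    for pid, proc, path in modules:
        proc = proc.lower()
        if proc not in TARGET_PROCESSES:
            continue  # Sykipot only injects into the three named processes
        if any(_under(path, root) for root in expected_roots):
            continue  # loaded from a normal code directory
        hits.append((pid, proc, path))
    return hits


if __name__ == "__main__":
    for pid, proc, path in suspicious_modules(SAMPLE_MODULES):
        print(f"pid {pid} {proc}: unexpected module {path}")
```

On the constructed inventory this flags the two DLLs loaded from beneath Local Settings and ignores the same file in notepad.exe, which Sykipot does not target. The check only sees file-backed modules; it says nothing about code that was never written to disk.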
When run, Sykipot deletes “taskmost.exe” from the Startup folder to remove any trace of persistence. However, a new thread is started to listen for the following Windows messages:
Only when Windows exits does Sykipot relocate itself to the Startup folder again as “taskmost.exe” to ensure persistence. Since the executable exists in the Startup folder only when required, live analysis would probably miss it when start-up entries are inspected. In other words, this persistence entry is removed while the malware is alive and is only re-created upon exit.
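The two on-disk traces this section describes (the stomped “dmm.exe” in Local Settings and the “taskmost.exe” copy that exists in the Startup folder only between logoff and the next logon) can be hunted for on a disk image even when a live start-up inspection comes up empty. The script below is an added example written for this report, not code from the report or the sample. It assumes file metadata has already been collected as (path, mtime, ctime) records; the sample records, the user name and all timestamp values are constructed, and treating "stomped" as both mtime and ctime equal to svchost.exe's is an assumption, since the report says only that the timestamp was made the same.

```python
"""Hunt for Sykipot's on-disk traces in a file-metadata inventory.

Added example for the Sykipot report (not the report's or the sample's code).
Assumption: metadata has been gathered from a disk image as (path, mtime, ctime)
records; the records below are constructed.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class FileRecord:
    path: str
    mtime: int  # last-modified time, epoch seconds
    ctime: int  # creation time, epoch seconds


# The system file whose timestamp the report says dmm.exe is stomped to match.
SYSTEM_REF = r"c:\windows\system32\svchost.exe"
WORKING_DIR_NAME = "local settings"
# Tail of the per-user Startup folder path on the Windows XP-era layout the
# report's paths imply (assumption).
STARTUP_DIR_TAIL = ("start menu", "programs", "startup")
DROPPED_NAMES = {"dmm.exe", "taskmost.exe"}

# Constructed inventory: one stomped copy, one Startup copy, some benign files.
SAMPLE_RECORDS = [
    FileRecord(r"C:\WINDOWS\system32\svchost.exe", 1092779296, 1092779296),
    FileRecord(r"C:\WINDOWS\system32\notepad.exe", 1092779296, 1092779000),
    FileRecord(r"C:\Documents and Settings\alice\Local Settings\dmm.exe", 1092779296, 1092779296),
    FileRecord(r"C:\Documents and Settings\alice\Local Settings\MSF5F1.dat", 1325400000, 1325400000),
    FileRecord(r"C:\Documents and Settings\alice\Start Menu\Programs\Startup\taskmost.exe",
               1325403600, 1325403600),
]


def _parts(path):
    return [p.lower() for p in PureWindowsPath(path).parts]


def timestomp_matches(records):
    """Return records whose mtime AND ctime equal svchost.exe's exactly.

    An unrelated binary sharing both timestamps with a system file is the
    stomping pattern the report describes; a single matching field (as for
    notepad.exe in the sample) is too weak to flag.
    """
    ref = next((r for r in records if r.path.lower() == SYSTEM_REF), None)
    if ref is None:
        return []
    return [r for r in records
            if r.path.lower() != SYSTEM_REF
            and (r.mtime, r.ctime) == (ref.mtime, ref.ctime)]


def dropped_copies(records):
    """Return records named like Sykipot's copies and located where the report
    says they live: dmm.exe under a 'Local Settings' directory, taskmost.exe in
    a Startup folder (only present between logoff and the next start)."""
    hits = []
    for r in records:
        parts = _parts(r.path)
        if parts[-1] not in DROPPED_NAMES:
            continue
        in_local_settings = WORKING_DIR_NAME in parts[:-1]
        in_startup = tuple(parts[-4:-1]) == STARTUP_DIR_TAIL
        if in_local_settings or in_startup:
            hits.append(r)
    return hits


if __name__ == "__main__":
    for r in timestomp_matches(SAMPLE_RECORDS):
        print("timestamps identical to svchost.exe:", r.path)
    for r in dropped_copies(SAMPLE_RECORDS):
        print("Sykipot file name in expected location:", r.path)
```

Because the Startup copy is written only at session close, a live triage of a running host finds only the Local Settings copy; the Startup check is worth running against a disk image taken with the machine powered off, or against a file-system snapshot made at logoff.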
The working directory of Sykipot is “Local Settings”, which contains all related executable and configuration files.
The encrypted commands are downloaded into MSF5F1.dat and they are classified into five different groups – cmd, door, getfile, putfile and time.
Sykipot Door-type Commands (Generic)
Sykipot Door-type Commands (Smartcard related)
Below are the codes used inside cl (Certificate Listing). It lists all the card issuers and subjects that are associated with private keys. Note: this does not imply extraction of the private key; a properly configured/protected smart card should not allow private key extraction.
Below are the codes used inside cm (Card Monitor). It attempts to load “acpkcs201.dll” (an ActivClient DLL) from 3 possible paths:
Using this DLL, it accesses the following procedures:
The encrypted commands are downloaded into MSF5F1.dat and they are classified into five different groups – cmd, door, getfile, putfile and time. The contents of each group are placed in a 2D array, where the first index selects the entry and the second index selects a specific character within the chosen entry. In this way, it is able to handle a batch of commands in a structured manner.
It selects the proxy value to set depending on the application it is injected into. If it is loaded as a DLL inside Firefox, it uses the proxy setting found in “%APPDATA%\Mozilla\Firefox\Profiles\<profile folder>\prefs.js”. The proxy server address/domain and port are extracted by locating the following keys respectively: “network.proxy.http” and “network.proxy.http_port”.
In other cases, proxy information is extracted from the following registry entry: “HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Proxyserver”.
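For an incident responder, the useful consequence of this behaviour is that Sykipot's CnC traffic rides the victim's own configured proxy, so the same two settings tell you which proxy's logs to pull and which client to look for. The parser below is an added example written for this report, not code from the report or the sample; it reads the two Firefox keys named above from prefs.js text and the ProxyServer registry string, and goes slightly beyond the text by also accepting the per-protocol form of ProxyServer (“http=host:port;https=host:port”), which is a documented Windows format but is not mentioned in the report. The prefs.js contents and all host names and ports are constructed samples.

```python
"""Recover the HTTP proxy Sykipot would reuse, from the two sources the report names.

Added example for the Sykipot report (not the report's or the sample's code).
The prefs.js text and the registry values below are constructed samples.
"""
import re

# Constructed prefs.js excerpt in Firefox's user_pref("key", value); format.
FIREFOX_PREFS_SAMPLE = r'''// Mozilla User Preferences
user_pref("network.proxy.http", "proxy.corp.example");
user_pref("network.proxy.http_port", 8080);
user_pref("network.proxy.type", 1);
user_pref("browser.startup.homepage_override.mstone", "ignore");
'''

# One user_pref(...) line: string, integer or boolean value.
_PREF_RE = re.compile(
    r'user_pref\("([^"]+)",\s*(?:"([^"]*)"|(-?\d+)|(true|false))\);'
)


def parse_prefs(text):
    """Parse prefs.js text into a dict of key -> str | int | bool."""
    prefs = {}
    for m in _PREF_RE.finditer(text):
        key, s, n, b = m.groups()
        if s is not None:
            prefs[key] = s
        elif n is not None:
            prefs[key] = int(n)
        else:
            prefs[key] = (b == "true")
    return prefs


def firefox_proxy(prefs_text):
    """Return (host, port) from the two keys the report says Sykipot reads,
    or None if either is absent."""
    prefs = parse_prefs(prefs_text)
    host = prefs.get("network.proxy.http")
    port = prefs.get("network.proxy.http_port")
    if not host or port is None:
        return None
    return host, int(port)


def registry_proxy(proxy_server_value):
    """Return (host, port) from the ProxyServer REG_SZ value.

    Accepts both 'host:port' and the per-protocol 'http=host:port;https=...'
    form (the latter is an extension beyond what the report describes).
    Returns None when the value is empty or carries no HTTP proxy.
    """
    value = proxy_server_value.strip()
    if not value:
        return None
    if "=" in value:
        entries = dict(part.split("=", 1) for part in value.split(";") if "=" in part)
        value = entries.get("http")
        if value is None:
            return None
    host, _, port = value.rpartition(":")
    if not host or not port.isdigit():
        return None
    return host, int(port)


if __name__ == "__main__":
    print("Firefox profile proxy:", firefox_proxy(FIREFOX_PREFS_SAMPLE))
    print("WinINet proxy:", registry_proxy("proxy.corp.example:3128"))
```

Run against the real prefs.js of an affected user and the exported Internet Settings key, the two results identify the proxy whose access logs should show outlook.exe, iexplore.exe or firefox.exe reaching the CnC server.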
It is also interesting to see that, when the “del” command is triggered, it first clears the contents of the target file before deleting the file from the system.
From the way this malware hides its data through encryption and deletes temp files when not in use, its intention is clearly to remain undetected for as long as possible. This intention also seems to outweigh the need for reliability: in the event of an improper shutdown, the malware may lose its persistence.
The intention to maintain network stealth is also noted. As Outlook, Internet Explorer and Firefox are targeted as host processes, it would appear benign if any of these three processes connected to a web server. An additional benefit of injecting into these processes is that all newly composed emails and reports/work are key-logged while any of these programs is in use.
I would like to thank Jaime Blasco (AlienVault Lab Manager) for sharing this sample. His article has also helped a lot in analysing this sample.
For more details about its encryption algorithm, please refer to the following link to the published paper.