S0018 Sykipot
Sykipot is malware that has been used in spearphishing campaigns since approximately 2007 against victims primarily in the US. One variant of Sykipot hijacks smart cards on victims.[1] The group using this malware has also been referred to as Sykipot.[2]
| Item | Value |
|---|---|
| ID | S0018 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 31 May 2017 |
| Last Modified | 13 May 2020 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1087 | Account Discovery | - |
| enterprise | T1087.002 | Domain Account | Sykipot may use `net group "domain admins" /domain` to display accounts in the "domain admins" permissions group and `net localgroup "administrators"` to list local system administrator group membership.[3] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Sykipot has been known to establish persistence by adding programs to the Run Registry key.[2] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.002 | Asymmetric Cryptography | Sykipot uses SSL for encrypting C2 communications.[2] |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | Sykipot contains keylogging functionality to steal passwords.[1] |
| enterprise | T1111 | Multi-Factor Authentication Interception | Sykipot is known to contain functionality that enables targeting of smart card technologies to proxy authentication for connections to restricted network resources using detected hardware tokens.[1] |
| enterprise | T1057 | Process Discovery | Sykipot may gather a list of running processes by running `tasklist /v`.[3] |
| enterprise | T1055 | Process Injection | - |
| enterprise | T1055.001 | Dynamic-link Library Injection | Sykipot injects itself into running instances of outlook.exe, iexplore.exe, or firefox.exe.[3] |
| enterprise | T1018 | Remote System Discovery | Sykipot may use `net view /domain` to display hostnames of available systems on a network.[3] |
| enterprise | T1016 | System Network Configuration Discovery | Sykipot may use `ipconfig /all` to gather system network configuration details.[3] |
| enterprise | T1049 | System Network Connections Discovery | Sykipot may use `netstat -ano` to display active network connections.[3] |
| enterprise | T1007 | System Service Discovery | Sykipot may use `net start` to display running services.[3] |
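The discovery commands and the injection hosts listed in the table above give a defender something concrete to look for in process-creation telemetry: a mail client or browser spawning a burst of `net`, `tasklist`, `ipconfig` and `netstat` commands is unusual. The following is an added example, not part of the ATT&CK entry or of any Sykipot analysis; it runs over constructed Sysmon-style events (hypothetical hosts ws01 to ws03) and flags a parent process that either issues several distinct discovery techniques or is one of the injection hosts named on this page.

```python
import re
from collections import defaultdict

# Discovery command lines attributed to Sykipot on this page, keyed by ATT&CK ID.
# Patterns run against a lower-cased, whitespace-normalised command line.
DISCOVERY_PATTERNS = {
    "T1087.002": re.compile(r'^net (group "domain admins" /domain|localgroup "?administrators"?)'),
    "T1057":     re.compile(r"^tasklist /v"),
    "T1018":     re.compile(r"^net view /domain"),
    "T1016":     re.compile(r"^ipconfig /all"),
    "T1049":     re.compile(r"^netstat -ano"),
    "T1007":     re.compile(r"^net start"),
}

# Processes the page lists as Sykipot DLL-injection hosts (T1055.001).
INJECTION_HOSTS = {"outlook.exe", "iexplore.exe", "firefox.exe"}

def normalise(cmdline):
    """Lower-case, collapse whitespace, map curly quotes to straight, drop a leading cmd /c."""
    s = re.sub(r"\s+", " ", cmdline.strip().lower())
    s = s.replace("\u201c", '"').replace("\u201d", '"')
    return re.sub(r"^cmd(\.exe)? /c ", "", s)

def classify(cmdline):
    """Return the ATT&CK technique ID the command line matches, or None."""
    s = normalise(cmdline)
    for tid, pat in DISCOVERY_PATTERNS.items():
        if pat.search(s):
            return tid
    return None

def find_suspicious_parents(events, min_techniques=3):
    """Group discovery commands by (host, parent image) and flag parents that issue
    several distinct discovery techniques, or that are one of the injection hosts."""
    seen = defaultdict(set)
    for ev in events:
        tid = classify(ev["cmdline"])
        if tid:
            seen[(ev["host"], ev["parent"].lower())].add(tid)
    hits = []
    for (host, parent), tids in seen.items():
        if len(tids) >= min_techniques or parent in INJECTION_HOSTS:
            hits.append((host, parent, sorted(tids)))
    return sorted(hits)

# Constructed sample events for illustration; not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": "outlook.exe",  "cmdline": 'cmd.exe /c net group "domain admins" /domain'},
    {"host": "ws01", "parent": "outlook.exe",  "cmdline": "cmd.exe /c tasklist /v"},
    {"host": "ws01", "parent": "outlook.exe",  "cmdline": "cmd.exe /c netstat -ano"},
    {"host": "ws02", "parent": "explorer.exe", "cmdline": "ipconfig /all"},  # lone admin command
    {"host": "ws03", "parent": "svchost.exe",  "cmdline": "net start"},
]

if __name__ == "__main__":
    for host, parent, tids in find_suspicious_parents(SAMPLE_EVENTS):
        print(host, parent, ", ".join(tids))
```

Only the outlook.exe parent on ws01 is reported; the single `ipconfig /all` and `net start` on the other hosts are normal administrative noise and stay below the threshold.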
References
1. Blasco, J. (2012, January 12). Sykipot variant hijacks DOD and Windows smart cards. Retrieved January 10, 2016.
2. Blasco, J. (2013, March 21). New Sykipot developments [Blog]. Retrieved November 12, 2014.
3. Blasco, J. (2011, December 12). Another Sykipot sample likely targeting US federal agencies. Retrieved March 28, 2016.