Saturday, February 4, 2012

Analysis Of Sykipot Smartcard Proxy Variant

Via EipLoader Blog -

Executive Summary

This analysis report confirms AlienVault's claim that users of ActivIdentity ActivClient software are affected. See link: http://labs.alienvault.com/labs/index.php/2012/when-the-apt-owns-your-smart-cards-and-certs

This malware not only attempts to capture keystrokes and clipboard data; it also serves as a backdoor that gives full remote control of the victim's system and access to protected resources that require smartcard authentication.

Having said that, it is also important to note that the malware requires the smartcard to be in the reader when access is required. In other words, the victim is used as a smartcard proxy, where the stolen login PIN is used to access the smartcard.

Its behavior indicates that this is highly likely espionage malware, particularly interested, through key logging, in email messages and reports crafted while Outlook, Firefox and/or Internet Explorer is running. Additionally, this malware takes extra precautionary measures to maintain stealth on the victim's system, with the aim of remaining undetected for a long period.
