Executive Summary

This analysis report attests AlienVault's claim that users of the ActivIdentity ActivClient software are affected. See link: http://labs.alienvault.com/labs/index.php/2012/when-the-apt-owns-your-smart-cards-and-certs

This malware does not only attempt to capture keystrokes and clipboard data; it also serves as a backdoor that gives full remote control of the victim's system and access to protected resources that require smartcard authentication.

Having said that, it is also important to note that the malware requires the smartcard to be in the reader when access is required. In other words, the victim's machine is used as a smartcard proxy, where the stolen login PIN is used to access the smartcard.

Judging by its behaviour, this is highly likely an espionage malware with a particular interest in email messages and reports composed while Outlook, Firefox and/or Internet Explorer are running, which it captures through key logging. Additionally, this malware takes extra precautions to maintain stealth on the victim's system, in the hope of remaining undetected for a long period.

Analysis Abstract

Upon execution of Sykipot for the first time, it copies itself to its working directory as "dmm.exe" and restarts itself from there. The injected DLL performs key logging and clipboard capture in one thread, and opens a backdoor to the Command and Control (CnC) server in another. Its functionality ranges from remote execution of command-prompt and custom backdoor commands to smartcard access for reaching secured resources. As a means to persist and survive reboot in a stealthy manner, it relocates itself to the start-up folder as "taskmost.exe" only upon closure of the Windows session, and relocates itself to the working directory again when started. This inevitably impedes live system forensics when start-up entry points are inspected.

In the subsequent sections, the analysis of each Sykipot component (EXE and DLL) is detailed.

Sykipot EXE

MD5: B0F9DC538F08E49C4B0DA93972BC48A3

Path: C:\DOCUME~1\%user%\LOCALS~1\dmm.exe

Size: 69632

As described in the flow above, the Sykipot EXE component is responsible for both malicious code injection and persistence. Upon execution for the first time (either at login or when infected), it copies itself to the working directory (the parent directory of the temp folder, Local Settings) as "dmm.exe", and the timestamp of this executable is stomped to match that of a Windows system file, "c:\windows\system32\svchost.exe", possibly to impede disk forensic investigation.
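The timestamp stomping described above leaves a tell of its own: a user-writable file whose modification time is identical, to the second, to svchost.exe. The following script is an added example written for this report, not code from the original analysis; it compares every file in a directory against the reference file's modification time and flags exact matches. The sample listing and timestamps in the main block are constructed, and the function names are this example's own.

```python
import os
import sys

# Added example, not code from the report. The report states that dmm.exe's
# timestamp is stomped to match c:\windows\system32\svchost.exe; files in a
# user's Local Settings folder that carry exactly that timestamp are suspect.
REFERENCE_FILE = r"C:\Windows\System32\svchost.exe"


def timestamp_matches(candidates, reference_ts, tolerance=0.0):
    """Return the paths whose modification time equals reference_ts.

    candidates: mapping of path -> mtime in epoch seconds.
    A tolerance of 0.0 demands an exact match, which is what copying the
    reference file's timestamp onto another file produces.
    """
    return sorted(path for path, ts in candidates.items()
                  if abs(ts - reference_ts) <= tolerance)


def collect_mtimes(directory):
    """Collect the modification times of the regular files directly in directory."""
    result = {}
    for name in os.listdir(directory):
        full = os.path.join(directory, name)
        if os.path.isfile(full):
            result[full] = os.stat(full).st_mtime
    return result


def scan(directory, reference_file=REFERENCE_FILE):
    """Live check: compare every file in directory against the reference file's mtime."""
    reference_ts = os.stat(reference_file).st_mtime
    return timestamp_matches(collect_mtimes(directory), reference_ts)


if __name__ == "__main__":
    # Constructed sample (not real system data): a Local Settings listing in
    # which dmm.exe carries exactly the reference timestamp.
    sample = {
        r"C:\Documents and Settings\user\Local Settings\dmm.exe": 1204841600.0,
        r"C:\Documents and Settings\user\Local Settings\MSF5F9.dat": 1326900000.0,
        r"C:\Documents and Settings\user\Local Settings\desktop.ini": 1190000000.0,
    }
    reference = 1204841600.0  # constructed svchost.exe mtime
    for hit in timestamp_matches(sample, reference):
        print("timestamp matches reference:", hit)
    # On a live Windows host: python this_script.py "<path to Local Settings>"
    if len(sys.argv) > 1:
        for hit in scan(sys.argv[1]):
            print("timestamp matches reference:", hit)
```

Stomping done through the normal file-time API rewrites the timestamps in the NTFS $STANDARD_INFORMATION attribute only, so during disk forensics the $FILE_NAME timestamps in the MFT record remain a useful second opinion on when dmm.exe really appeared.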

All processes are enumerated and it attempts to inject the malicious DLL (dropped from the resource section) into outlook.exe, iexplore.exe and firefox.exe. This DLL is disguised as a Microsoft-related executable, which again makes it harder to identify in memory or disk forensics.

Persistency Mechanism

When run, Sykipot deletes "taskmost.exe" from the start-up folder to remove any trace of persistence. However, a new thread is started to listen for the following Windows messages:

WM_QUIT (0X12)

WM_DESTROY (0X02)

WM_QUERYENDSESSION (0X11)

WM_ENDSESSION (0X16)

Only when Windows exits does Sykipot relocate itself to the start-up folder again as "taskmost.exe" to ensure persistence. Since the executable only exists in the start-up folder when required, live analysis would probably miss it when start-up entries are inspected. In other words, this persistence entry is removed while the malware is alive, and is only restored upon exit.
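A live look at the start-up folder misses this entry, but a file-event timeline (Sysmon, EDR telemetry or the NTFS change journal) still records the churn. The script below is an added example for this report, not code from the original analysis: it flags any process that deletes a file in a Startup folder and later re-creates the same file, which is the delete-at-start, restore-at-exit pattern described above. The timeline lines and the field layout (timestamp|action|process|path) are constructed for the example, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Added example, not code from the report. Detects a process that removes a
# Startup-folder file while running and re-creates it later, which is how the
# report describes taskmost.exe being handled.
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)

# Constructed sample timeline (not real telemetry): timestamp|action|process|path
SAMPLE_TIMELINE = r"""
2012-01-16T08:01:02|create|explorer.exe|C:\Documents and Settings\user\Local Settings\dmm.exe
2012-01-16T08:01:05|delete|dmm.exe|C:\Documents and Settings\user\Start Menu\Programs\Startup\taskmost.exe
2012-01-16T09:15:00|create|winword.exe|C:\Documents and Settings\user\My Documents\report.doc
2012-01-16T17:42:10|create|dmm.exe|C:\Documents and Settings\user\Start Menu\Programs\Startup\taskmost.exe
2012-01-16T17:42:11|delete|dmm.exe|C:\Documents and Settings\user\Local Settings\dmm.exe
2012-01-16T17:50:00|create|msiexec.exe|C:\Documents and Settings\user\Start Menu\Programs\Startup\Updater.lnk
"""


def parse_timeline(text):
    """Parse pipe-separated event lines into (timestamp, action, process, path) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, action, proc, path = line.split("|", 3)
        events.append((ts, action.lower(), proc, path))
    return events


def find_startup_churn(events):
    """Return (process, path) pairs where the process deleted a Startup-folder
    file and at some later time created the same file again."""
    history = defaultdict(list)  # (process, path) -> [(timestamp, action), ...]
    for ts, action, proc, path in events:
        if STARTUP_DIR.search(path):
            history[(proc.lower(), path.lower())].append((ts, action))
    hits = []
    for key, seq in history.items():
        seq.sort()  # ISO-8601 timestamps sort chronologically as strings
        actions = [action for _, action in seq]
        if "delete" in actions and "create" in actions[actions.index("delete") + 1:]:
            hits.append(key)
    return sorted(hits)


if __name__ == "__main__":
    for proc, path in find_startup_churn(parse_timeline(SAMPLE_TIMELINE)):
        print("startup entry churned by %s: %s" % (proc, path))
```

The ordinary installer in the sample only creates its shortcut once and is not reported; the same check applies unchanged to Run-key values if the registry events are fed in as paths.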

Sykipot DLL

MD5: C2821DDE5D309962337434AA6062EAA9

Path: C:\DOCUME~1\user\LOCALS~1\MSF5F9.dat

Size: 58368

Malicious File Artefacts

The working directory of Sykipot is "Local Settings", which contains all related executable and configuration files.

Command Types

The encrypted commands are downloaded into MSF5F1.dat and are classified into five different groups – cmd, door, getfile, putfile and time.

cmd contains a list of command-prompt commands.

door contains a list of backdoor commands.

getfile refers to a list of files to be downloaded.

putfile refers to a list of files to be uploaded.

time refers to the next connection time.

Sykipot Door-type Commands (Generic)



runtime – get the victim's runtime.

system – execute a file.

ipconfig – show network configuration.

move – move a file.

del – securely delete a file.

rundll – load a DLL.

enddll – unload a DLL.

dir – list a directory.

run – execute a windowed program.

process – list processes.

port – list TCP and UDP connections.

uninstall – uninstall Sykipot.

reboot – reboot the system.

kill – kill a process.

key – get key logger results.

Sykipot Door-type Commands (Smartcard related)

cl – list the certificates available.

cm – load the ActivClient DLL and get a list of the card readers and cards available.

krundll – load and run the card-related DLL, which has the following functions:

LoginFunc (argument, sReferer, sHeader, sUploadFileName, sCertificate, sPIN, dataout)

PutFunc (hInternet, argument, sReferer, sHeader, argument, b_putfile_or_putdata, sUploadFileName, sCertificate, sPIN, dataout)

GetFunc (hInternet, argument, sReferer, sHeader, sUploadFileName, sCertificate, sPIN, dataout)

*It is suspected that the unknown argument is the URL of the secured resource. As this DLL is not available, it is an analysis blind spot. However, its intention can be inferred from its function names and parameters.

kenddll – unload the card-related DLL.

kshow – reveal the card login status.

klogin – invoke LoginFunc.

kput – invoke PutFunc.

kget – invoke GetFunc.

kfile – set the upload file name.

kpin – set the PIN value.

kcert – set the cert value.

kheader – set the header value.

kreferer – set the referrer value.

Below is the code used inside cl (Certificate Listing). It lists the issuer and subject of every card certificate that is associated with a private key. Note: this does not imply extraction of the private key; a properly configured/protected smart card should not allow private key extraction.

Below is the code used inside cm (Card Monitor). It attempts to load "acpkcs201.dll" (an ActivClient DLL) from three possible paths:

System directory, e.g. C:\windows\system32

C:\Program Files\ActivIdentity\ActivClient

C:\Program Files(x86)\ActivIdentity\ActivClient

Using this DLL, it accesses the following procedures:

AC_XSI_UtilGetReaderList

AC_XSI_UtilGetCardStatus

Interesting Observations

Information Grouping

As noted above, the encrypted commands downloaded into MSF5F1.dat are classified into five different groups – cmd, door, getfile, putfile and time – and the contents of each group are placed in a 2D array [128][1024], where the first index selects the entry and the second index selects the character within the chosen entry. In this way, it is able to process a batch of commands in a structured manner.

Proxy Selection

It selects the proxy value to use depending on the application it is injected into. If it is loaded as a DLL inside Firefox, it uses the proxy setting found in "%APPDATA%\Mozilla\Firefox\Profiles\<profile folder>\prefs.js". The proxy server address/domain and port are extracted by locating the following preference names respectively – "network.proxy.http" and "network.proxy.http_port".

In other cases, proxy information is extracted from the following registry entry: “HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Proxyserver”.
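Knowing which proxy the implant would have borrowed tells the responder whose proxy logs to search for the beacon traffic. The script below is an added example for this report, not code from the original analysis or from Firefox: it parses the two prefs.js preferences named above and the Internet Settings ProxyServer value, which is stored either as a single "host:port" or as a semicolon-separated list of "scheme=host:port" entries. The prefs.js excerpt is constructed, and the function names are this example's own.

```python
import glob
import os
import re

# Added example, not code from the report. Recovers the HTTP proxy that an
# implant injected into Firefox (prefs.js) or into another process (registry
# ProxyServer value) would pick up, per the report's Proxy Selection section.

# prefs.js lines look like: user_pref("network.proxy.http", "proxy.corp.example");
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Constructed sample prefs.js excerpt (not taken from a real profile).
SAMPLE_PREFS = '''
// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:home");
user_pref("network.proxy.http", "proxy.corp.example");
user_pref("network.proxy.http_port", 8080);
user_pref("network.proxy.type", 1);
'''


def parse_prefs(prefs_text):
    """Parse user_pref() lines into a dict of name -> str/int/bool value."""
    prefs = {}
    for line in prefs_text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw.isdigit():
            prefs[name] = int(raw)
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            prefs[name] = raw
    return prefs


def firefox_http_proxy(prefs_text):
    """Return (host, port) from network.proxy.http / network.proxy.http_port, or None.

    Firefox itself honours these only when network.proxy.type is 1 (manual);
    the report does not say whether the implant checks that, so the values
    are returned whenever both are present.
    """
    prefs = parse_prefs(prefs_text)
    host = prefs.get("network.proxy.http")
    port = prefs.get("network.proxy.http_port")
    if not host or port is None:
        return None
    return (host, int(port))


def _split_host_port(target):
    host, sep, port = target.strip().rpartition(":")
    if sep and port.isdigit():
        return (host, int(port))
    return (target.strip(), None)


def registry_http_proxy(proxy_server_value):
    """Parse the Internet Settings ProxyServer value for the HTTP proxy.

    Accepts 'host:port' (one proxy for all schemes) or
    'http=host:port;https=host:port;...' (per-scheme list).
    """
    value = proxy_server_value.strip()
    if not value:
        return None
    if "=" not in value:
        return _split_host_port(value)
    for part in value.split(";"):
        scheme, _, target = part.partition("=")
        if scheme.strip().lower() == "http" and target.strip():
            return _split_host_port(target)
    return None


def find_prefs_files():
    """Locate prefs.js for every Firefox profile under %APPDATA% (Windows only)."""
    appdata = os.environ.get("APPDATA")
    if not appdata:
        return []
    return glob.glob(os.path.join(appdata, "Mozilla", "Firefox", "Profiles", "*", "prefs.js"))


if __name__ == "__main__":
    print("firefox proxy from sample prefs:", firefox_http_proxy(SAMPLE_PREFS))
    print("registry proxy:", registry_http_proxy("http=10.0.0.5:8080;https=10.0.0.5:8443"))
    for path in find_prefs_files():
        with open(path, encoding="utf-8", errors="replace") as fh:
            print(path, "->", firefox_http_proxy(fh.read()))
```

When the infected process was Outlook or Internet Explorer, the registry value under the victim's SID is the one to read; note that the value is per-user, so an offline NTUSER.DAT of the logged-on user, not the machine hive, is the source during disk forensics.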

Secure File Deletion

It is also interesting that, when the "del" command is triggered, it clears the contents of the file before deleting the file from the system.

Conclusion

The way this malware hides its data through encryption and deletes temp files when they are not in use reveals that its intention is to remain undetected for as long as possible. This intention also seems to outweigh the need for the malware to be reliable: in the event of an improper shutdown, it may lose its persistence.

The intention to maintain network stealth is also noted. As Outlook, Internet Explorer and Firefox are targeted as host processes, it would appear benign if any of these three processes attempts to connect to a web server. One additional benefit of injecting into these processes is that all newly composed emails and reports/work are key-logged while any of these programs is in use.

Acknowledgement

I would like to thank Jaime Blasco (AlienVault Lab Manager) for sharing this sample. His article, referenced above, also helped a lot in analysing this sample.

Update

For more details about its encryption algorithm, please refer to the paper published at the following link.

http://www.sans.org/reading_room/whitepapers/malicious/detailed-analysis-sykipot-smartcard-proxy-variant_33919