Norton Santos

Detecting Sykipot using Security Analytics

Discussion created by Norton Santos on Jan 22, 2016

Sykipot is an APT malware family that has been around since 2007 and is used as a backdoor giving the operator full control of the victim's machine. Once a machine is infected, the backdoor communicates with its C2 server to execute several kinds of commands on the affected system. The Sykipot family has been used in targeted attacks to steal sensitive information from key industries. In this blog post, we will discuss how to detect its C2 beaconing activity. More details about Sykipot APT malware can be found here.


Once it infects a machine, Sykipot starts collecting system information like:

  • Hostname
  • IP Address


The collected information is then sent to the C2 server as an HTTP GET request:


The screenshot below shows the network activity in RSA Security Analytics Investigator:


Assuming the action, filename and query meta keys are enabled, the following query can be used to find the beacon:

action = 'get' && filename = 'kys_allow_get.asp' && query begins 'name='


Scan results for Sykipot variants can be viewed here and here.


All of the IOCs from those HTTP sessions were added to the following RSA FirstWatch Live feeds:

  • RSA FirstWatch APT Threat Domains
  • RSA FirstWatch APT Threat IPs


If the threat.desc meta key is enabled, you can also use the following app rule, which fires on any session whose destination matches those feeds:

threat.desc = 'apt-sykipot-c2'
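As an added example (not part of the original post and not RSA's own code), the Python below re-implements the content rule from the query section, action = 'get' && filename = 'kys_allow_get.asp' && query begins 'name=', over a handful of HTTP session records, and emulates how a FirstWatch feed match would populate threat.desc. The session records, the feed entries, the hostnames and the IP addresses are all constructed placeholders for illustration, not real Sykipot indicators.

```python
"""Sykipot C2 beacon detection, re-implemented from the Security Analytics
content rule and the FirstWatch feed tagging described in the post.

All sessions, hostnames, IPs and feed entries below are constructed for
illustration; they are not real Sykipot indicators.
"""
from urllib.parse import urlsplit

SYKIPOT_THREAT_DESC = "apt-sykipot-c2"

# Constructed stand-ins for the RSA FirstWatch APT Threat Domains / IPs feeds.
APT_THREAT_DOMAINS = {"updates.example-cdn.net"}
APT_THREAT_IPS = {"203.0.113.45"}

# Constructed session records: the fields Security Analytics exposes as
# ip.src, ip.dst and alias.host, plus the raw HTTP request line.
SAMPLE_SESSIONS = [
    # 1. beacon to a destination already in the feed: both detections fire
    {"ip.src": "10.1.2.10", "ip.dst": "203.0.113.45",
     "alias.host": "updates.example-cdn.net",
     "request": "GET /kys_allow_get.asp?name=getkys.kys&hostname=WS-042&ip=10.1.2.10 HTTP/1.1"},
    # 2. same beacon shape to infrastructure not yet in any feed: only the content rule fires
    {"ip.src": "10.1.2.11", "ip.dst": "198.51.100.7",
     "alias.host": "new-host.example.org",
     "request": "GET /kys_allow_get.asp?name=getkys.kys&hostname=WS-077&ip=10.1.2.11 HTTP/1.1"},
    # 3. right filename, but the query does not begin with name=
    {"ip.src": "10.1.2.12", "ip.dst": "198.51.100.7",
     "alias.host": "new-host.example.org",
     "request": "GET /kys_allow_get.asp?id=7 HTTP/1.1"},
    # 4. right filename and query, wrong method
    {"ip.src": "10.1.2.13", "ip.dst": "198.51.100.7",
     "alias.host": "new-host.example.org",
     "request": "POST /kys_allow_get.asp?name=getkys.kys HTTP/1.1"},
    # 5. unrelated request, but to an IP present in the feed: only threat.desc fires
    {"ip.src": "10.1.2.14", "ip.dst": "203.0.113.45",
     "request": "GET /login.asp?name=alice HTTP/1.1"},
    # 6. truncated request line: parser must not crash, rule must not fire
    {"ip.src": "10.1.2.15", "ip.dst": "198.51.100.7",
     "alias.host": "new-host.example.org",
     "request": "GET"},
]


def extract_http_meta(request_line):
    """Derive the action / directory / filename / query meta keys from a raw
    HTTP request line, the way the Security Analytics HTTP parser would.
    Returns None for a line that does not carry a method and a target."""
    parts = request_line.split()
    if len(parts) < 2:
        return None
    method, target = parts[0], parts[1]
    url = urlsplit(target)
    directory, _, filename = url.path.rpartition("/")
    return {
        "action": method.lower(),      # the rule compares against lowercase 'get'
        "directory": directory + "/",
        "filename": filename,
        "query": url.query,            # everything after '?', without the '?'
    }


def matches_sykipot_rule(meta):
    """Python equivalent of the content rule
       action = 'get' && filename = 'kys_allow_get.asp' && query begins 'name='
    The filename is case-folded here so a mixed-case variant is not missed;
    the rule as written in the post is an exact string match."""
    if meta is None:
        return False
    return (meta["action"] == "get"
            and meta["filename"].lower() == "kys_allow_get.asp"
            and meta["query"].startswith("name="))


def feed_threat_desc(session, domains=APT_THREAT_DOMAINS, ips=APT_THREAT_IPS):
    """Emulate the FirstWatch feed match that populates threat.desc: any
    session whose destination host or IP is in the feeds gets the tag."""
    host = session.get("alias.host", "").lower()
    if host in domains or session.get("ip.dst") in ips:
        return SYKIPOT_THREAT_DESC
    return None


def scan_sessions(sessions):
    """Run both detections over the sessions and return one result per session."""
    results = []
    for session in sessions:
        meta = extract_http_meta(session["request"])
        results.append({
            "ip.src": session["ip.src"],
            "ip.dst": session["ip.dst"],
            "content_rule": matches_sykipot_rule(meta),
            "threat.desc": feed_threat_desc(session),
        })
    return results


if __name__ == "__main__":
    for r in scan_sessions(SAMPLE_SESSIONS):
        print(f"{r['ip.src']} -> {r['ip.dst']}  rule={r['content_rule']}  threat.desc={r['threat.desc']}")
```

The two detections are complementary: the content rule catches the beacon shape even when the C2 host or IP is not yet in a feed (session 2), while the feed match catches any other traffic to infrastructure that is already known (session 5). Running both, rather than relying on the feed alone, is what keeps a new Sykipot C2 server from slipping past.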
