Malware Family/Aliases: Sykipot
Malware Type: Trojan/Backdoor:Win32
Discovery Date: 2007
Sykipot is an APT malware family that is around since 2007 and is used as a backdoor to fully control the victim’s machine. Once the machine is infected, the backdoor communicates with the C&C server to execute several kinds of commands on the affected system. Sykipot APT malware family has been used by cybercriminals on targeted attacks in order to steal sensitive information from key industries.
Notable features of this malware family are the ability to execute both command prompt and backdoor commands sent by the C&C server on the affected system, so that it can be able to retrieve system and network information, reboot the system, manage processes (list, execute, kill and etc.), manage files (list, read, delete, copy and etc.), uninstall itself from the system and so on. This malware family is also able to send and receive files to and from the C&C server and to configure a delay timer for the next communication time with the C&C server.
This malware sample is an executable file that pretends to be a Merry Christmas image file. When the executable file is executed, the image is extracted and displayed to the user:
Right after that, the malware creates an msrt.exe file in temp folder:
The malware then installs a fake Help and Support Center service that pretends to be original’s Windows Help and Support service:
This is done by calling Windows APIs to install the new service and by adding and setting the following Registry entries:
HKLM\SYSTEM\ControlSet001\Services\helpsvcc\DisplayName: "Help and Support Center"
HKLM\SYSTEM\ControlSet001\Services\helpsvcc\Description: "Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start."
HKLM\SYSTEM\CurrentControlSet\Services\helpsvcc\DisplayName: "Help and Support Center"
HKLM\SYSTEM\CurrentControlSet\Services\helpsvcc\Description: "Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start."
Next, the malware persists itself at
Deletes itself from
And start the newly created Help and Support Center service, which points to %WINDIR%\system32\msrt.exe.
This instance of the malware will extract malicious code and write file %WINDIR%\system32\wship4.dll, which pretends to be an IPv4 Helper DLL from Microsoft Corporation:
The malware creates a hidden instance of Internet Explorer browser and makes it use %WINDIR%\system32\wship4.dll to serve as backdoor to communicate with the C&C server and execute commands on the affected machine:
Finally, after the backdoor is running, the malware stops newly created Help and Support Center service.
This malware sample is an executable file that pretends to be a girl image file. When the executable file is executed, the image is extracted and displayed to the user:
Right after that, the malware creates a siop.exe file in temp folder:
Exactly as the previous sample, the malware extracts malicious code and write file %Temp%\rsm.dll, which also pretends to be an IPv4 Helper DLL from Microsoft Corporation. The malware then creates a hidden instance of Internet Explorer browser and makes it use %Temp%\rsm.dll to serve as backdoor to communicate with the C&C server and execute commands on the affected machine.
Malware Protective Mechanisms
To protect the dropped files, the malware clones all date timestamp file properties from original’s system file svchost.exe to dropped files msrt.exe and wship4.dll, making them look authentic.
The malware also creates and runs a hidden instance of Internet Explorer browser with current user’s credentials by using current user’s token, which is retrieved by looping through the list of processes and retrieving Windows Explorer current user’s token.
Exactly as the previous sample, the malware also creates and runs a hidden instance of Internet Explorer browser with current user’s credentials by using current user’s token, which is retrieved by looping through the list of processes and retrieving Windows Explorer current user’s token.
Malware Persistency Techniques
As mentioned before, the malware installs it as a Windows service and is configured to automatically start during Windows startup (start type equals to “2”):
To make itself persistent, the malware configures itself to be run during Windows startup. It does this by adding the following registry key.
Some of the malware samples try to connect to the following domains:
Once the backdoor is active, the malware communicates with the C&C server from time to time and can execute commands on the affected machine.
The malware pings the C&C by using a GET request that follows the pattern:
Some versions of the malware have the ability to read a delay timer information from the configuration file retrieved from the C&C server. This will be used to configure the time interval of the communication between the malware and the C&C server. The purpose of this feature is to make it hard to be detected by analysis tools.
Security Analytics Solution
The following query can be used to detect Sykipot network activity using RSA Security Analytics:
action = 'get' && filename = 'kys_allow_get.asp' && query begins 'name='
More details can be found here.