Their latest investigations reveal that each campaign is identified by a unique code made up of letters and a date that’s hard-coded into the Sykipot Trojan. These markers allow the cybercriminals to correlate attacks on different industries and organizations.
The clues that were discovered, led experts to determine that the command and control (C&C) server is located in Beijing, China, and it’s run by the country’s largest ISP. On one occasion, the attackers used a server that contained hundreds of malicious files, located in the Zhejiang province.
Most of the files used in attacks are PDF’s that later drop the Trojan, but other tools such as gsecdump were also utilized after a successful compromise.
Some clever detection evasion techniques were also identified. On a computer they investigated, Symantec found some tools that were used to create malicious PDF files, but also ones whose Chinese names indicated that they were specially designed to evade detection.
Furthermore, the researchers found some new domains associated with Sykipot attackers, most of them being purposed to be part of the Trojan's infrastructure.
“The Sykipot attackers have a long running history of attacks against multiple industries. Based on these insights, the attackers are familiar with the Chinese language and are using computer resources in China,” Symantec’s report reveals.
“They are clearly a group of attackers who are constantly modifying their creation to utilize new vulnerabilities and to evade security products and we expect that they will continue their attacks in the future.”
All this information should be useful for network administrators as they can use it to monitor for attacks.