ATT&CK v15.1 (live between April 23, 2024 and October 30, 2024).

Sykipot

Sykipot is malware that has been used in spearphishing campaigns since approximately 2007 against victims primarily in the US. One variant of Sykipot hijacks smart cards on victims.[1] The group using this malware has also been referred to as Sykipot.[2]

ID: S0018
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 31 May 2017
Last Modified: 13 May 2020

Techniques Used

Domain ID Name Use
Enterprise T1087.002 Account Discovery: Domain Account

Sykipot may use net group "domain admins" /domain to display accounts in the "domain admins" permissions group and net localgroup "administrators" to list local system administrator group membership.[3]

Enterprise T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Sykipot has been known to establish persistence by adding programs to the Run Registry key.[2]

Enterprise T1573.002 Encrypted Channel: Asymmetric Cryptography

Sykipot uses SSL for encrypting C2 communications.[2]

Enterprise T1056.001 Input Capture: Keylogging

Sykipot contains keylogging functionality to steal passwords.[1]

Enterprise T1111 Multi-Factor Authentication Interception

Sykipot is known to contain functionality that targets smart card technologies, proxying authentication for connections to restricted network resources through detected hardware tokens.[1]

Enterprise T1057 Process Discovery

Sykipot may gather a list of running processes by running tasklist /v.[3]

Enterprise T1055.001 Process Injection: Dynamic-link Library Injection

Sykipot injects itself into running instances of outlook.exe, iexplore.exe, or firefox.exe.[3]

Enterprise T1018 Remote System Discovery

Sykipot may use net view /domain to display hostnames of available systems on a network.[3]

Enterprise T1016 System Network Configuration Discovery

Sykipot may use ipconfig /all to gather system network configuration details.[3]

Enterprise T1049 System Network Connections Discovery

Sykipot may use netstat -ano to display active network connections.[3]

Enterprise T1007 System Service Discovery

Sykipot may use net start to display running services.[3]
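The discovery commands listed above (net group, net localgroup, tasklist /v, net view /domain, ipconfig /all, netstat -ano, net start) are ordinary administrative tools, so a single execution is weak evidence; what distinguishes Sykipot-style activity is several distinct discovery commands from one host in a short window, especially when the parent is one of the processes the page says Sykipot injects into (outlook.exe, iexplore.exe, firefox.exe). The following detection logic is an added example written for this page, not ATT&CK's or Sykipot's own code. It assumes a constructed pipe-delimited process-creation log (timestamp, host, parent image, image, command line) and constructed sample lines; the technique-to-regex mapping, the 15-minute window and the threshold of three distinct techniques are this example's own choices.

```python
"""Flag the host-discovery command chain this page attributes to Sykipot in
process-creation telemetry (added example with constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One regex per technique on this page, matched against a normalized command line.
DISCOVERY_PATTERNS = {
    "T1087.002": re.compile(r'\bnet1?(?:\.exe)?\s+(?:group\s+"?domain admins"?\s+/domain'
                            r'|localgroup\s+"?administrators"?)'),
    "T1057":     re.compile(r"\btasklist(?:\.exe)?\s+/v\b"),
    "T1018":     re.compile(r"\bnet1?(?:\.exe)?\s+view\s+/domain\b"),
    "T1016":     re.compile(r"\bipconfig(?:\.exe)?\s+/all\b"),
    "T1049":     re.compile(r"\bnetstat(?:\.exe)?\s+-ano\b"),
    "T1007":     re.compile(r"\bnet1?(?:\.exe)?\s+start\s*$"),  # bare 'net start' lists services
}
# Processes the page says Sykipot injects into; discovery spawned from them is a strong signal.
INJECTION_HOSTS = {"outlook.exe", "iexplore.exe", "firefox.exe"}
# Leading image path, quoted or not, reduced to its basename:
#   "c:\windows\system32\net.exe" group ...  ->  net.exe group ...
# (unquoted paths containing spaces are not handled; assumption of this example)
_LEADING_PATH = re.compile(r'^"?(?:[a-z]:\\[^"\s]*\\)?([^"\s]+)"?')


def normalize(cmdline):
    """Collapse whitespace, lowercase, and strip the directory from the image."""
    cmd = " ".join(cmdline.split()).lower()
    return _LEADING_PATH.sub(r"\1", cmd, count=1)


def classify(cmdline):
    """Return the ATT&CK technique ID the command line matches, or None."""
    cmd = normalize(cmdline)
    for tech, pat in DISCOVERY_PATTERNS.items():
        if pat.search(cmd):
            return tech
    return None


def parse_line(line):
    """Parse one constructed log line: ts|host|parent_image|image|command_line."""
    ts, host, parent, image, cmdline = (f.strip() for f in line.split("|", 4))
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "host": host,
            "parent": parent.lower(), "image": image.lower(), "cmdline": cmdline}


def analyze(log_text, window=timedelta(minutes=15), min_distinct=3):
    """Emit alerts for discovery run from an injection-target parent and for
    >= min_distinct distinct discovery techniques on one host within window."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    alerts = []
    history = defaultdict(list)   # host -> [(ts, technique)] inside the window
    last_chain = {}               # host -> ts of last chain alert (one per window)
    for ev in events:
        tech = classify(ev["cmdline"])
        if tech is None:
            continue
        if ev["parent"] in INJECTION_HOSTS:
            alerts.append({"kind": "discovery_from_injection_target", "host": ev["host"],
                           "parent": ev["parent"], "technique": tech, "ts": ev["ts"]})
        hist = history[ev["host"]]
        hist.append((ev["ts"], tech))
        hist[:] = [(t, x) for t, x in hist if ev["ts"] - t <= window]
        distinct = sorted({x for _, x in hist})
        if len(distinct) >= min_distinct and (
                ev["host"] not in last_chain or ev["ts"] - last_chain[ev["host"]] > window):
            last_chain[ev["host"]] = ev["ts"]
            alerts.append({"kind": "discovery_chain", "host": ev["host"],
                           "techniques": distinct, "ts": ev["ts"]})
    return alerts


# Constructed sample telemetry: ws01 shows the chain from an injected outlook.exe,
# ws02 shows benign single commands (note 'net start spooler' starts a service,
# it does not enumerate them, so it is not matched).
SAMPLE_LOG = r"""
2024-05-01T10:00:01Z|ws01|outlook.exe|net.exe|net group "domain admins" /domain
2024-05-01T10:00:03Z|ws01|outlook.exe|net.exe|net localgroup "administrators"
2024-05-01T10:00:07Z|ws01|outlook.exe|tasklist.exe|tasklist /v
2024-05-01T10:00:09Z|ws01|outlook.exe|ipconfig.exe|ipconfig /all
2024-05-01T10:00:12Z|ws01|outlook.exe|netstat.exe|"C:\Windows\System32\NETSTAT.EXE" -ano
2024-05-01T11:30:00Z|ws02|cmd.exe|ipconfig.exe|ipconfig /all
2024-05-01T11:45:00Z|ws02|cmd.exe|net.exe|net start spooler
"""

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the sample data the run yields five alerts for discovery commands spawned by outlook.exe on ws01 and one discovery-chain alert for ws01 once three distinct techniques have been seen; ws02 produces nothing. The per-host window and the one-alert-per-window rate limit are what keep this usable against real telemetry, where ipconfig /all or tasklist on its own is routine.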

References