In a blog post yesterday, AlienVault’s Jaime Blasco disclosed the latest zero-day vulnerabilities used by the gang over the last eight months. These included a pair of Internet Explorer exploits, a Java exploit and a PDF exploit. “Several times,” he says, “the date of the exploit was a few days after the vulnerability had been disclosed and there wasn’t a patch released by the vendor.”
There has, however, been a shift in the attack methodology. Spear-phishing remains the usual approach, but in the past it has most commonly relied on a malicious attachment to a socially-engineered email. “During the last 8-10 months we have seen a change: the number of spear-phishing campaigns which include a link instead of an attachment has increased. Once the victim clicks on the link the attackers will use vulnerabilities in Internet Explorer, Java, etc. to access the system.”
He describes four Sykipot campaigns since last summer. The first used an IE vulnerability in a phishing campaign aimed at holders of US government charge cards: victims were lured to a malicious site disguised to look like the official GSA SmartPay site.
In September 2012 the gang launched a campaign using a different IE vulnerability, and in August another campaign exploited a Java vulnerability. In this instance the gang used a ‘typo-squat’ URL, slashdoc.org, and, “It seems they were using the Metasploit version of the exploit,” comments Blasco. Visitors to slashdoc.org were served the zero-day Java exploit and, if their system was vulnerable, the payload was delivered.
The fourth campaign is the one reported just a few weeks ago targeting Japan, which incidentally used the same exploit version as that reported last week in separate attacks on Uyghur and Tibetan activists. The Japan campaign used spear-phishing with a malicious PDF attachment and appears to have been directed against the Japanese Ministry of Health, Labour and Welfare.
Blasco finally adds a list of new malicious Sykipot domains and provides Snort rules to help administrators detect and block any queries to those domains.
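Domain-based Snort rules of this kind work on the DNS question as it appears on the wire, not on the dotted name a human reads, so a naive match on the string “slashdoc.org” never fires. The example below is added here to illustrate that point; it is not code from Blasco’s post or from AlienVault, and the only domain it blocklists is the slashdoc.org typo-squat named above. It encodes a name into DNS label format, renders the equivalent Snort content pattern, builds a constructed query packet, and parses the question section of a packet to flag queries for a blocklisted domain or any of its subdomains.

```python
import struct

# Blocklist for the example. slashdoc.org is the typo-squat domain named in the
# post; in practice this set would hold the full list of domains from the report.
BLOCKED_DOMAINS = {"slashdoc.org"}


def encode_qname(name: str) -> bytes:
    """Encode a hostname as a DNS wire-format QNAME: length-prefixed labels, NUL-terminated."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1-63 bytes long")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def snort_content(name: str) -> str:
    """Render the same QNAME as a Snort 'content' pattern, length bytes in |hex| form."""
    parts = [f"|{len(label):02X}|{label}" for label in name.rstrip(".").split(".")]
    return "".join(parts) + "|00|"


def build_query(name: str, txid: int = 0x1234, flags: int = 0x0100) -> bytes:
    """Construct a minimal DNS packet with one A/IN question (sample input for the example)."""
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1, no other sections
    return header + encode_qname(name) + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN


def decode_qname(payload: bytes, offset: int):
    """Parse one uncompressed QNAME starting at offset; return (dotted name, next offset)."""
    labels = []
    while True:
        if offset >= len(payload):
            raise ValueError("truncated QNAME")
        length = payload[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not expected in the question section")
        labels.append(payload[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def queried_names(payload: bytes):
    """Return the names asked for in a DNS query packet (empty list for responses)."""
    if len(payload) < 12:
        raise ValueError("DNS header is 12 bytes")
    _txid, flags, qdcount = struct.unpack(">HHH", payload[:6])
    if flags & 0x8000:  # QR bit set: this is a response, not a query
        return []
    names, offset = [], 12
    for _ in range(qdcount):
        name, offset = decode_qname(payload, offset)
        offset += 4  # skip QTYPE and QCLASS
        names.append(name)
    return names


def is_blocked(name: str) -> bool:
    """Match the domain itself and any subdomain, case-insensitively."""
    n = name.lower().rstrip(".")
    return any(n == d or n.endswith("." + d) for d in BLOCKED_DOMAINS)


def check_query(payload: bytes):
    """Names in this packet's question section that hit the blocklist."""
    return [n for n in queried_names(payload) if is_blocked(n)]


if __name__ == "__main__":
    print(snort_content("slashdoc.org"))          # |08|slashdoc|03|org|00|
    print(check_query(build_query("www.slashdoc.org")))
```

The pattern `snort_content` produces is what a rule along the lines of `alert udp $HOME_NET any -> any 53 (msg:"..."; content:"|08|slashdoc|03|org|00|"; nocase; sid:...; rev:1;)` would carry (an illustrative shape, not one of the rules from the post); `nocase` matters because the resolver preserves whatever case the client sent. Because the pattern ends with the terminating `|00|` it still fires on subdomains such as www.slashdoc.org, which is the behaviour `is_blocked` reproduces, but it will not match names carried over DNS-over-TLS or in an HTTP Host header, which need separate rules.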