Previously discovered malware known as Sykipot has turned a shade deadlier as researchers have discovered that it can be used to hijack smartcards.
The malware was previously considered controversial because it was possibly linked to an attack on US unmanned aerial vehicles and because it appeared to target US federal agencies. Researchers at Alienvault Labs have now discovered a new variant that can hijack smartcards and then act as an authenticated user.
In particular, the malware targets ActivClient smartcards developed by ActivIdentity and used by the US Department of Defence (DoD). It is not clear whether the vulnerability is restricted to ActivClient or could apply to ActivIdentity's other smartcard products. If the latter is true, several Australian government agencies could be at risk: the Australian Department of Education, Employment and Workplace Relations uses one of ActivIdentity's card-management systems, and Queensland's driver-licence smartcards are also provided through the company.
The malware first compromises systems through a spear-phishing attack that uses a zero-day exploit in Adobe's software. It then installs a keylogger to steal the PINs for smartcards.
The keylogger records information such as the title of the window currently in use and the keystrokes entered into it, along with the contents of the user's clipboard. Once a card's PIN has been captured and that card is inserted into a reader, the malware can authenticate as a valid user and steal sensitive information.
The malware is also able to determine what security certificates are present on the user's computer, and then use that information to log in to other secured resources.
"The attackers are implementing different techniques to bypass two-factor authentication with smartcard/PIN to access protected resources on the victim's network. By capturing the PIN for the smartcard and binding the certificate, malware can silently use the card to authenticate to secure resources, so long as the card remains physically present in the card reader," Alienvault wrote in its analysis.
"While trojans that have targeted smartcards are not new, there is obvious significance to the targeting of a particular smartcard system in wide deployment by the US DoD and other government agencies, particularly given the nature of the information the attackers seem to be targeting for exfiltration."
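The attack described above leaves the authentication itself looking legitimate: the PIN is correct and the certificate is the user's own, so the only signal a defender has is context, namely card-based authentications that happen while nobody is at the keyboard. The following detection sketch is an added example and is not code from the article or from Alienvault's analysis. It assumes a constructed event stream of session lock/unlock events, keyboard or mouse activity, and smartcard authentications, all of which are invented here for illustration; real telemetry field names will differ.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed sample telemetry (not from the article or AlienVault's report).
# Each tuple: (ISO timestamp, user, event kind, resource).
# Event kinds: "lock"/"unlock" of the interactive session, "input" for
# keyboard or mouse activity, and "card_auth" for a certificate-based
# authentication performed with the smartcard sitting in the reader.
SAMPLE_EVENTS: List[Tuple[str, str, str, str]] = [
    ("2012-01-12T09:00:00", "alice", "unlock", ""),
    ("2012-01-12T09:00:05", "alice", "input", ""),
    ("2012-01-12T09:00:07", "alice", "card_auth", "https://portal.example/login"),  # user-driven
    ("2012-01-12T09:30:00", "alice", "lock", ""),
    ("2012-01-12T09:45:00", "alice", "card_auth", "https://files.example/share"),   # session locked
    ("2012-01-12T10:00:00", "alice", "unlock", ""),
    ("2012-01-12T10:00:02", "alice", "input", ""),
    ("2012-01-12T10:20:00", "alice", "card_auth", "https://mail.example/owa"),      # long idle
    ("2012-01-12T10:20:30", "alice", "card_auth", "https://vpn.example/"),          # still idle
]


@dataclass
class Alert:
    when: datetime
    user: str
    resource: str
    reason: str


def detect_silent_card_use(events, idle_minutes: int = 10) -> List[Alert]:
    """Flag smartcard authentications with no sign of a person at the keyboard.

    Because the malware replays the captured PIN against a card that is
    physically present, the credential check succeeds. We therefore look at
    the surrounding context: an authentication while the session is locked,
    or after a long stretch with no keyboard/mouse input, is suspicious.
    """
    idle_threshold = timedelta(minutes=idle_minutes)
    locked = {}      # user -> True while the interactive session is locked
    last_input = {}  # user -> timestamp of the most recent human activity
    alerts: List[Alert] = []

    for ts_str, user, kind, resource in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_str)
        if kind == "lock":
            locked[user] = True
        elif kind == "unlock":
            locked[user] = False
            last_input[user] = ts  # unlocking required a person present
        elif kind == "input":
            last_input[user] = ts
        elif kind == "card_auth":
            if locked.get(user, False):
                alerts.append(Alert(ts, user, resource, "session locked"))
                continue
            seen = last_input.get(user)
            if seen is None or ts - seen > idle_threshold:
                idle = "never" if seen is None else f"{int((ts - seen).total_seconds())}s"
                alerts.append(Alert(ts, user, resource, f"no user input for {idle}"))
    return alerts


if __name__ == "__main__":
    for a in detect_silent_card_use(SAMPLE_EVENTS):
        print(f"{a.when.isoformat()} {a.user} -> {a.resource}: {a.reason}")
```

The idle threshold is the tuning knob: a short threshold catches more silent authentications but will also flag users who read for a while before clicking a link, so it is best paired with the number of distinct resources reached in the same idle window. The complementary mitigation the quoted analysis points to is procedural: remove the card from the reader when it is not in use, so there is nothing for the stolen PIN to be replayed against.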
Researchers at Alienvault believe that the attacks originate from China.