Sykipot is an APT malware family that is around since 2007 and is used as a backdoor to fully control the victim’s machine. Once the machine is infected, the backdoor communicates with the C2 server to execute several kinds of commands on the affected system. Sykipot APT malware family has been used by cybercriminals on targeted attacks in order to steal sensitive information from key industries. In this blog post, we will discuss how to detect its C2 beaconing activity. More details about Sykipot APT malware can be found here.
Once it infects a machine, Sykipot starts collecting system information like:
The collected information is then sent to the C2 server as an HTTP GET request:
The screenshot below shows the network activity in RSA Security Analytics investigator:
Assuming the appropriate meta keys are enabled, the following query can be used: