win.syscon

Syscon


SYSCON is a Remote Access Trojan used in a targeted campaign against US government agencies. It has recently been observed in conjunction with the CARROTBAT and CARROTBALL downloaders, and it uses the File Transfer Protocol (FTP) as its command-and-control channel. Use of the family is attributed by Unit 42 to the Konni Group.

References
2020-01-23 | Palo Alto Networks Unit 42 | Adrian McCabe, Unit42
The Fractured Statue Campaign: U.S. Government Targeted in Spear-Phishing Attacks
CARROTBALL CarrotBat Syscon
2018-03-02 | McAfee | Asheer Malhotra, Jessica Saavedra-Morales, Ryan Sherstobitoff, Thomas Roccia
McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups
Syscon
2017-10-05 | Trend Micro | Jaromír Hořejší
SYSCON Backdoor Uses FTP as a C&C Channel
Syscon
Yara Rules
[TLP:WHITE] win_syscon_auto (20260504 | Detects win.syscon.)
rule win_syscon_auto {

    /* Autogenerated code-sequence rule for SYSCON (see DISCLAIMER below).
     * $sequence_0..7 (score 200) are plain 32-bit opcode patterns. $sequence_8..15
     * (score 100) begin with REX prefixes (0x48 / 0x4c / 0x41) and therefore appear
     * to come from a 64-bit build; their disassembly comments ("dec eax", "dec esp",
     * "inc esp", and several lines that do not line up with the bytes at all) look
     * like 32-bit-mode decoding and should not be read as the real instructions.
     * Only the byte patterns are matched. "??" bytes are YARA wildcards, here
     * apparently covering relocated addresses / call targets (e.g. 68???????? is a
     * push imm32, ff15???????? a call through memory).
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.syscon."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.syscon"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 6a01 68???????? 8d4c2440 51 }
            // n = 4, score = 200
            //   6a01                 | push                1
            //   68????????           |                     
            //   8d4c2440             | lea                 ecx, [esp + 0x40]
            //   51                   | push                ecx

        $sequence_1 = { ff15???????? 6804010000 68???????? 53 ff15???????? }
            // n = 5, score = 200
            //   ff15????????         |                     
            //   6804010000           | push                0x104
            //   68????????           |                     
            //   53                   | push                ebx
            //   ff15????????         |                     

        $sequence_2 = { 8935???????? c705????????10000000 8935???????? ffd7 8b0d???????? }
            // n = 5, score = 200
            //   8935????????         |                     
            //   c705????????10000000     |     
            //   8935????????         |                     
            //   ffd7                 | call                edi
            //   8b0d????????         |                     

        $sequence_3 = { 68???????? 68???????? 6a15 68???????? 52 ff15???????? a3???????? }
            // n = 7, score = 200
            //   68????????           |                     
            //   68????????           |                     
            //   6a15                 | push                0x15
            //   68????????           |                     
            //   52                   | push                edx
            //   ff15????????         |                     
            //   a3????????           |                     

        $sequence_4 = { 51 8d942414040000 68???????? 52 ff15???????? 83c40c 6a00 }
            // n = 7, score = 200
            //   51                   | push                ecx
            //   8d942414040000       | lea                 edx, [esp + 0x414]
            //   68????????           |                     
            //   52                   | push                edx
            //   ff15????????         |                     
            //   83c40c               | add                 esp, 0xc
            //   6a00                 | push                0

        $sequence_5 = { ff15???????? 8bf8 83ffff 0f84f9000000 6a00 57 }
            // n = 6, score = 200
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax
            //   83ffff               | cmp                 edi, -1
            //   0f84f9000000         | je                  0xff
            //   6a00                 | push                0
            //   57                   | push                edi

        $sequence_6 = { 6a00 8d842414040000 50 ff15???????? 68e8030000 ffd6 }
            // n = 6, score = 200
            //   6a00                 | push                0
            //   8d842414040000       | lea                 eax, [esp + 0x414]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   68e8030000           | push                0x3e8
            //   ffd6                 | call                esi

        $sequence_7 = { 897df8 8b45f4 03c6 3b450c 0f8c56ffffff }
            // n = 5, score = 200
            //   897df8               | mov                 dword ptr [ebp - 8], edi
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   03c6                 | add                 eax, esi
            //   3b450c               | cmp                 eax, dword ptr [ebp + 0xc]
            //   0f8c56ffffff         | jl                  0xffffff5c

        // NOTE(review): from here on the sequences carry REX prefixes (64-bit code);
        // the "| ..." disassembly comments below are not trustworthy for them.
        $sequence_8 = { 488d0d03490000 ff15???????? 488d542420 488d0df1480000 }
            // n = 4, score = 100
            //   488d0d03490000       | dec                 eax
            //   ff15????????         |                     
            //   488d542420           | lea                 ecx, [0x51b4]
            //   488d0df1480000       | dec                 eax

        $sequence_9 = { ff15???????? 488bcf ff15???????? bf04010000 488d4c2440 448bc7 }
            // n = 6, score = 100
            //   ff15????????         |                     
            //   488bcf               | mov                 eax, esi
            //   ff15????????         |                     
            //   bf04010000           | xor                 edx, edx
            //   488d4c2440           | dec                 esp
            //   448bc7               | mov                 eax, esi

        $sequence_10 = { 488d1566ffffff ff15???????? 8d4f02 bab80b0000 488905???????? e8???????? 8d5f01 }
            // n = 7, score = 100
            //   488d1566ffffff       | lea                 ecx, [esp + 0x40]
            //   ff15????????         |                     
            //   8d4f02               | inc                 esp
            //   bab80b0000           | mov                 eax, edi
            //   488905????????       |                     
            //   e8????????           |                     
            //   8d5f01               | pop                 ebp

        $sequence_11 = { 5d c3 41bd04010000 488d8d80040000 33d2 }
            // n = 5, score = 100
            //   5d                   | xor                 edx, edx
            //   c3                   | dec                 eax
            //   41bd04010000         | lea                 ecx, [0x51c6]
            //   488d8d80040000       | dec                 eax
            //   33d2                 | lea                 edx, [esp + 0x20]

        $sequence_12 = { 488905???????? 4885c0 0f8475f7ffff 488d4c2420 4c8bc6 33d2 e8???????? }
            // n = 7, score = 100
            //   488905????????       |                     
            //   4885c0               | dec                 esp
            //   0f8475f7ffff         | mov                 ecx, ebp
            //   488d4c2420           | dec                 esp
            //   4c8bc6               | mov                 eax, esi
            //   33d2                 | dec                 eax
            //   e8????????           |                     

        $sequence_13 = { 33d2 e8???????? 488d542440 488d8c2450010000 4c8bcd 4c8bc6 ff15???????? }
            // n = 7, score = 100
            //   33d2                 | xor                 edx, edx
            //   e8????????           |                     
            //   488d542440           | dec                 eax
            //   488d8c2450010000     | lea                 edx, [esp + 0x40]
            //   4c8bcd               | dec                 eax
            //   4c8bc6               | lea                 ecx, [esp + 0x150]
            //   ff15????????         |                     

        $sequence_14 = { e8???????? 488d8d60010000 ff15???????? 418bdc 418bcf ff15???????? }
            // n = 6, score = 100
            //   e8????????           |                     
            //   488d8d60010000       | mov                 ecx, edi
            //   ff15????????         |                     
            //   418bdc               | mov                 edi, 0x104
            //   418bcf               | dec                 eax
            //   ff15????????         |                     

        $sequence_15 = { 4c8bc6 33d2 e8???????? 488d0dc6510000 ff15???????? 488d542420 488d0db4510000 }
            // n = 7, score = 100
            //   4c8bc6               | test                eax, eax
            //   33d2                 | je                  0xfffff77e
            //   e8????????           |                     
            //   488d0dc6510000       | dec                 eax
            //   ff15????????         |                     
            //   488d542420           | lea                 ecx, [esp + 0x20]
            //   488d0db4510000       | dec                 esp

    // At least 7 of the 16 sequences must be present. If the two score groups
    // really are separate 32-bit and 64-bit builds, a sample of one architecture
    // has to hit 7 of its own 8 sequences, so the rule is fairly strict.
    // The filesize cap (< 120832 bytes, roughly 118 KiB) further limits matching
    // to small unpacked binaries / memory dumps; larger carriers (e.g. a dropper
    // with the payload embedded) will not match even if the code is inside.
    condition:
        7 of them and filesize < 120832
}
[TLP:WHITE] win_syscon_w0   (20170809 | No description)
import "pe"

rule win_syscon_w0 {
    /* Hand-written string / import-hash rule for SYSCON (FTP-based RAT).
     * $x* are high-confidence indicators: any single one fires the rule.
     * $s* are weaker, more generic strings that only count toward the
     * "3 of them" clause together with the $x* strings.
     * The meta "hash" entries are 64 hex characters, i.e. presumably SHA-256
     * of the reference samples this rule was written against.
     */
    meta:
        author = "Florian Roth"
        reference = "https://goo.gl/JAHZVL"
        date = "2018-03-03"
        hash = "d31fe5cfa884e04ee26f323b8d104dcaa91146f5c7c216212fd3053afaade80f"
        hash = "fc2bcd38659ae83fd25b4f7091412ae9ba011612fa4dcc3ef665b2cae2a1d74f"
        hash = "2c5e5c86ca4fa172341c6bcbaa50984fb168d650ae9a33f2c6e6dccc1d57b369"
        hash = "439c305cd408dbb508e153caab29d17021a7430f1dbaec0c90ac750ba2136f5f"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.syscon"
        malpedia_version = "20170809"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // Cleanup command embedded in the samples: terminates cliconfg.exe and
        // deletes a file (the del target is presumably appended at runtime).
        $x1 = "cmd /c taskkill /im cliconfg.exe /f /t && del /f /q" fullword ascii
        // PDB path left in by the build (project "FTPCom_vs10", module Engine).
        $x2 = "\\FTPCom_vs10\\Release\\Engine.pdb" ascii
        // 65-character string: looks like a custom Base64-style alphabet plus a
        // padding character ('='), i.e. a non-standard encoding table — TODO confirm.
        $x3 = "KXU/yP=B29tLzidqNRuf-SbVInw0oCrmWZk6OpFc7A5GTD1QxaJ3H8h4jMeEsYglv" fullword ascii
        // Developer build/source path.
        $x4 = "D:\\Task\\MiMul\\" ascii

        // Generic strings; individually common enough to be found in benign code.
        $s1 = "[DLL_PROCESS_ATTACH]" fullword ascii
        // Host-reconnaissance output redirected to a file (%s filled at runtime).
        $s2 = "cmd /c systeminfo >%s" fullword ascii
        $s3 = "post.txt" fullword ascii
        $s4 = "\\temp.ini" fullword ascii
        // Log/debug marker naming an FTP-account retrieval routine.
        $s5 = "[GetFTPAccountInfo_10001712]" fullword ascii
        // Mutex name used by the sample.
        $s6 = "ComSysAppMutex" fullword ascii
        // Timestamped file-name format string.
        $s7 = "From %s (%02d-%02d %02d-%02d-%02d).txt" fullword ascii
        $s8 = "%s %s %c%s%c" fullword ascii
        $s9 = "TO EVERYONE" fullword ascii
    condition:
        // Matches on either of two known import hashes, any one $x indicator,
        // or three strings of any kind. pe.imphash() is undefined for non-PE
        // input, so those clauses simply evaluate false there. An import hash is
        // a weak indicator on its own (unrelated binaries built from the same
        // template can share one), so imphash-only hits deserve manual triage.
        pe.imphash() == "e14b59a79999cc0bc589a4cb5994692a" or pe.imphash() == "64400f452e2f60305c341e08f217b02c" or 1 of ($x*) or 3 of them
}