win.syscon

Syscon


SYSCON is a Remote Access Trojan used in a targeted campaign against US government agencies. It has recently been observed in conjunction with the CARROTBAT and CARROTBALL downloaders, and it uses the File Transfer Protocol (FTP) as its command-and-control (C2) channel. Use of the family is attributed by Unit 42 to the Konni Group.

References
2020-01-23 | Palo Alto Networks Unit 42 | Adrian McCabe, Unit42
@online{mccabe:20200123:fractured:399ff15, author = {Adrian McCabe and Unit42}, title = {{The Fractured Statue Campaign: U.S. Government Targeted in Spear-Phishing Attacks}}, date = {2020-01-23}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/}, language = {English}, urldate = {2020-01-26} } The Fractured Statue Campaign: U.S. Government Targeted in Spear-Phishing Attacks
CARROTBALL CarrotBat Syscon
2018-03-02 | McAfee | Ryan Sherstobitoff, Jessica Saavedra-Morales, Thomas Roccia, Asheer Malhotra
@online{sherstobitoff:20180302:mcafee:979740e, author = {Ryan Sherstobitoff and Jessica Saavedra-Morales and Thomas Roccia and Asheer Malhotra}, title = {{McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups}}, date = {2018-03-02}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/}, language = {English}, urldate = {2019-07-09} } McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups
Syscon
2017-10-05 | Trend Micro | Jaromír Hořejší
@online{hoej:20171005:syscon:48eb01a, author = {Jaromír Hořejší}, title = {{SYSCON Backdoor Uses FTP as a C&C Channel}}, date = {2017-10-05}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/syscon-backdoor-uses-ftp-as-a-cc-channel/}, language = {English}, urldate = {2019-10-14} } SYSCON Backdoor Uses FTP as a C&C Channel
Syscon
Yara Rules
[TLP:WHITE] win_syscon_auto (20210616 | Detects win.syscon.)
rule win_syscon_auto {

    // Auto-generated code-pattern rule (YARA-Signator) for the SYSCON RAT.
    // Each $sequence_N is a short run of instruction bytes taken from the
    // disassembly of one documented sample; the "??" wildcards sit where the
    // encoding carries a 4-byte operand (absolute address, call target,
    // immediate) that differs from build to build. The hex patterns are what
    // YARA matches on; the "| mnemonic" annotations are informational only.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.syscon."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.syscon"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // "n" is the number of instructions in the sequence; "score" is the
        // generator's ranking metric for the pattern (200 for the sequences
        // without REX prefixes, 100 for the REX-prefixed x86-64 ones below).
        $sequence_0 = { 0f848b000000 a1???????? 57 8b3d???????? 68???????? 50 c705????????02000000 }
            // n = 7, score = 200
            //   0f848b000000         | je                  0x91
            //   a1????????           |                     
            //   57                   | push                edi
            //   8b3d????????         |                     
            //   68????????           |                     
            //   50                   | push                eax
            //   c705????????02000000     |     

        $sequence_1 = { ffd6 33db 53 68???????? ff15???????? 53 53 }
            // n = 7, score = 200
            //   ffd6                 | call                esi
            //   33db                 | xor                 ebx, ebx
            //   53                   | push                ebx
            //   68????????           |                     
            //   ff15????????         |                     
            //   53                   | push                ebx
            //   53                   | push                ebx

        // $sequence_2 / $sequence_5: shift-by-4 then OR into a byte store and
        // advance the output index — looks like a nibble-combining decode
        // loop (NOTE(review): inferred from the mnemonics; confirm in the sample).
        $sequence_2 = { c0e204 0ada 881c0f 47 897df8 }
            // n = 5, score = 200
            //   c0e204               | shl                 dl, 4
            //   0ada                 | or                  bl, dl
            //   881c0f               | mov                 byte ptr [edi + ecx], bl
            //   47                   | inc                 edi
            //   897df8               | mov                 dword ptr [ebp - 8], edi

        $sequence_3 = { ff15???????? 8bf8 85ff 0f84af000000 53 57 8bc6 }
            // n = 7, score = 200
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax
            //   85ff                 | test                edi, edi
            //   0f84af000000         | je                  0xb5
            //   53                   | push                ebx
            //   57                   | push                edi
            //   8bc6                 | mov                 eax, esi

        // Generic API-call prologue (push imm32; call edi; three zero args);
        // weak on its own, which is why the condition needs 7 sequences.
        $sequence_4 = { 68???????? ffd7 6a00 6a00 6a00 }
            // n = 5, score = 200
            //   68????????           |                     
            //   ffd7                 | call                edi
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_5 = { 0ad1 8b4d08 88140f 47 83c604 897df8 }
            // n = 6, score = 200
            //   0ad1                 | or                  dl, cl
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   88140f               | mov                 byte ptr [edi + ecx], dl
            //   47                   | inc                 edi
            //   83c604               | add                 esi, 4
            //   897df8               | mov                 dword ptr [ebp - 8], edi

        $sequence_6 = { ff15???????? a3???????? 85c0 748a 68???????? ffd7 }
            // n = 6, score = 200
            //   ff15????????         |                     
            //   a3????????           |                     
            //   85c0                 | test                eax, eax
            //   748a                 | je                  0xffffff8c
            //   68????????           |                     
            //   ffd7                 | call                edi

        // NOTE(review): the annotations on $sequence_7 .. $sequence_14 do not
        // line up with the bytes beside them (e.g. 488d15d41c0000 is labelled
        // "je", and the recurring "dec eax" / "inc esp" / "dec ebp" is what a
        // 32-bit decoder makes of the 0x48 / 0x44 / 0x4d REX prefix bytes).
        // They appear to be a 32-bit decoding of x86-64 code, shifted by one
        // line. Trust the hex, not the mnemonics, for these sequences.
        $sequence_7 = { 488d15d41c0000 ff15???????? eb0d 488d15a91c0000 ff15???????? 80bd3006000020 }
            // n = 6, score = 100
            //   488d15d41c0000       | je                  0xfffff3e1
            //   ff15????????         |                     
            //   eb0d                 | dec                 eax
            //   488d15a91c0000       | lea                 ecx, dword ptr [esp + 0x20]
            //   ff15????????         |                     
            //   80bd3006000020       | dec                 esp

        $sequence_8 = { 488d0d47460000 ff15???????? 488d542420 488d0d35460000 }
            // n = 4, score = 100
            //   488d0d47460000       | inc                 esp
            //   ff15????????         |                     
            //   488d542420           | mov                 eax, ebx
            //   488d0d35460000       | dec                 eax

        $sequence_9 = { 488b0d???????? ff15???????? 4883c428 c3 4883ec28 }
            // n = 5, score = 100
            //   488b0d????????       |                     
            //   ff15????????         |                     
            //   4883c428             | dec                 ebp
            //   c3                   | mov                 eax, edi
            //   4883ec28             | xor                 edx, edx

        $sequence_10 = { 488d8da0070000 4d8bc7 33d2 e8???????? }
            // n = 4, score = 100
            //   488d8da0070000       | mov                 eax, esi
            //   4d8bc7               | xor                 edx, edx
            //   33d2                 | dec                 eax
            //   e8????????           |                     

        $sequence_11 = { bb04010000 488d4c2440 33d2 448bc3 e8???????? }
            // n = 5, score = 100
            //   bb04010000           | mov                 ebx, 0x104
            //   488d4c2440           | dec                 eax
            //   33d2                 | lea                 ecx, dword ptr [esp + 0x40]
            //   448bc3               | xor                 edx, edx
            //   e8????????           |                     

        $sequence_12 = { 0f84dbf3ffff 488d4c2420 4c8bc6 33d2 e8???????? 488d0d20470000 }
            // n = 6, score = 100
            //   0f84dbf3ffff         | lea                 ecx, dword ptr [0x4647]
            //   488d4c2420           | dec                 eax
            //   4c8bc6               | lea                 edx, dword ptr [esp + 0x20]
            //   33d2                 | dec                 eax
            //   e8????????           |                     
            //   488d0d20470000       | lea                 ecx, dword ptr [0x4635]

        $sequence_13 = { e8???????? 8d5f01 85c0 7512 48393d???????? }
            // n = 5, score = 100
            //   e8????????           |                     
            //   8d5f01               | lea                 ecx, dword ptr [0x4720]
            //   85c0                 | dec                 eax
            //   7512                 | lea                 edx, dword ptr [0x1cd4]
            //   48393d????????       |                     

        $sequence_14 = { 33d2 ff15???????? b964000000 ff15???????? 488364243000 }
            // n = 5, score = 100
            //   33d2                 | jmp                 0x16
            //   ff15????????         |                     
            //   b964000000           | dec                 eax
            //   ff15????????         |                     
            //   488364243000         | lea                 edx, dword ptr [0x1ca9]

    condition:
        // At least 7 of the 15 sequences must be present. There are 7
        // patterns in the score-200 group and 8 in the REX-prefixed
        // score-100 group, so either group alone can satisfy the threshold
        // and a sample of either bitness can match. "filesize" is the size
        // of the object being scanned (a dump or unpacked file here, per the
        // disclaimer above), not of any original on-disk dropper.
        7 of them and filesize < 120832
}
[TLP:WHITE] win_syscon_w0   (20170809 | No description)
import "pe"

rule win_syscon_w0 {
    // Hand-written string / import-hash rule for SYSCON. $x* are artefacts
    // specific enough to fire on their own; $s* are supporting strings that
    // only count in combination. Uses the "pe" module imported above the rule.
    meta:
        author = "Florian Roth"
        // Shortened link. NOTE(review): the rule date is one day after the
        // McAfee "Operation Honeybee" write-up (2018-03-02) cited on this
        // page, which is presumably the intended reference — verify before
        // relying on the short URL.
        reference = "https://goo.gl/JAHZVL"
        date = "2018-03-03"
        // SHA-256 hashes of the samples the rule was written against.
        hash = "d31fe5cfa884e04ee26f323b8d104dcaa91146f5c7c216212fd3053afaade80f"
        hash = "fc2bcd38659ae83fd25b4f7091412ae9ba011612fa4dcc3ef665b2cae2a1d74f"
        hash = "2c5e5c86ca4fa172341c6bcbaa50984fb168d650ae9a33f2c6e6dccc1d57b369"
        hash = "439c305cd408dbb508e153caab29d17021a7430f1dbaec0c90ac750ba2136f5f"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.syscon"
        malpedia_version = "20170809"
        // Note the NC clause: this rule is licensed differently from the
        // auto-generated rule above (CC BY-SA 4.0).
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // Self-cleanup one-liner: kills cliconfg.exe, then a forced, quiet
        // "del" (the target path is not part of the string).
        $x1 = "cmd /c taskkill /im cliconfg.exe /f /t && del /f /q" fullword ascii
        // Debug-symbol (PDB) path left in the binary; "FTPCom" is consistent
        // with the FTP-based C2 described above.
        $x2 = "\\FTPCom_vs10\\Release\\Engine.pdb" ascii
        // 65-character string; presumably a custom base64-style alphabet plus
        // padding character — TODO confirm against the sample.
        $x3 = "KXU/yP=B29tLzidqNRuf-SbVInw0oCrmWZk6OpFc7A5GTD1QxaJ3H8h4jMeEsYglv" fullword ascii
        // Build/project path from the developer's machine.
        $x4 = "D:\\Task\\MiMul\\" ascii

        // Supporting strings: log tags, file names and format strings. Several
        // are generic on their own (see the condition comment).
        $s1 = "[DLL_PROCESS_ATTACH]" fullword ascii
        // Host reconnaissance with the output redirected to a file (%s).
        $s2 = "cmd /c systeminfo >%s" fullword ascii
        $s3 = "post.txt" fullword ascii
        $s4 = "\\temp.ini" fullword ascii
        // Log tag naming the routine that retrieves the FTP account details.
        $s5 = "[GetFTPAccountInfo_10001712]" fullword ascii
        // Mutex name; presumably a single-instance guard — verify in the sample.
        $s6 = "ComSysAppMutex" fullword ascii
        // File-name format with a name field and five two-digit date/time fields.
        $s7 = "From %s (%02d-%02d %02d-%02d-%02d).txt" fullword ascii
        $s8 = "%s %s %c%s%c" fullword ascii
        $s9 = "TO EVERYONE" fullword ascii
    condition:
        // Fires on either known import hash alone, on any single $x string,
        // or on any 3 strings in total ("them" spans $x* and $s*). There is
        // no PE-header guard, so the 3-of-them branch also applies to non-PE
        // input, and some $s strings are generic ("post.txt", "\\temp.ini",
        // "TO EVERYONE") — weigh hits that rest only on $s* accordingly.
        pe.imphash() == "e14b59a79999cc0bc589a4cb5994692a" or pe.imphash() == "64400f452e2f60305c341e08f217b02c" or 1 of ($x*) or 3 of them
}