win.syscon

Syscon


SYSCON is a Remote Access Trojan used in a targeted campaign against US government agencies. It has recently been observed in conjunction with the CARROTBAT and CARROTBALL downloaders, and it uses the File Transfer Protocol (FTP) as its Command and Control (C2) channel. Use of the family is attributed by Unit 42 to the Konni Group.

References
2020-01-23 | Palo Alto Networks Unit 42 | Adrian McCabe, Unit42
@online{mccabe:20200123:fractured:399ff15, author = {Adrian McCabe and Unit42}, title = {{The Fractured Statue Campaign: U.S. Government Targeted in Spear-Phishing Attacks}}, date = {2020-01-23}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/}, language = {English}, urldate = {2020-01-26} } The Fractured Statue Campaign: U.S. Government Targeted in Spear-Phishing Attacks
CARROTBALL CarrotBat Syscon
2018-03-02 | McAfee | Ryan Sherstobitoff, Jessica Saavedra-Morales, Thomas Roccia, Asheer Malhotra
@online{sherstobitoff:20180302:mcafee:979740e, author = {Ryan Sherstobitoff and Jessica Saavedra-Morales and Thomas Roccia and Asheer Malhotra}, title = {{McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups}}, date = {2018-03-02}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/}, language = {English}, urldate = {2019-07-09} } McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups
Syscon
2017-10-05 | Trend Micro | Jaromír Hořejší
@online{hoej:20171005:syscon:48eb01a, author = {Jaromír Hořejší}, title = {{SYSCON Backdoor Uses FTP as a C&C Channel}}, date = {2017-10-05}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/syscon-backdoor-uses-ftp-as-a-cc-channel/}, language = {English}, urldate = {2019-10-14} } SYSCON Backdoor Uses FTP as a C&C Channel
Syscon
Yara Rules
[TLP:WHITE] win_syscon_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_syscon_auto {

    /*
     * Purpose: autogenerated code-pattern rule for win.syscon (yara-signator).
     * It fires when at least 7 of the 16 byte sequences below are present in a
     * file smaller than 120832 bytes (see the condition at the bottom).
     *
     * Reading the string definitions:
     *  - "????????" are YARA wildcard bytes, so a sequence still matches when
     *    those bytes differ between samples (presumably absolute addresses or
     *    relocations, judging by their position after opcodes such as a1, 68,
     *    8b3d and ff15 -- not verified here).
     *  - "n" is the number of instructions in the sequence and "score" is a
     *    yara-signator weight; neither is evaluated by YARA.
     *  - NOTE(review): the per-byte disassembly annotations are out of step with
     *    the bytes they sit next to. For example, c0ea04 in $sequence_0 is
     *    labelled "cmp eax, 2", but c0ea04 decodes to "shr dl, 4"; "cmp eax, 2"
     *    is the encoding of 83f802, which opens $sequence_1. Treat the bytes as
     *    authoritative and the mnemonics as informational only.
     *  - Sequences 8-15 contain REX prefixes (48, 4c, 41, 45) and so appear to
     *    come from an x64 build, while sequences 0-7 look like 32-bit code --
     *    confirm against the samples before relying on this for triage.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.syscon"
        malpedia_rule_date = "20201014"
        // malpedia_hash / malpedia_version presumably identify the Malpedia data
        // snapshot the rule was generated from -- not stated explicitly here.
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Sequences 0-7: score 200, no REX prefixes (32-bit code, presumably).
        $sequence_0 = { c0ea04 0ad1 8b4d08 88140f 47 83c604 }
            // n = 6, score = 200
            //   c0ea04               | cmp                 eax, 2
            //   0ad1                 | je                  0x2b
            //   8b4d08               | push                0x3e8
            //   88140f               | call                esi
            //   47                   | push                0
            //   83c604               | push                0x20

        $sequence_1 = { 83f802 7429 68e8030000 ffd6 6a00 6a20 6a03 }
            // n = 7, score = 200
            //   83f802               | dec                 eax
            //   7429                 | lea                 ecx, [0x50fe]
            //   68e8030000           | cmp                 byte ptr [ebp + 0x630], 0x20
            //   ffd6                 | inc                 ecx
            //   6a00                 | mov                 ecx, esi
            //   6a20                 | jne                 0x13
            //   6a03                 | dec                 eax

        $sequence_2 = { 81ecdc0b0000 a1???????? 33c4 898424d80b0000 53 56 }
            // n = 6, score = 200
            //   81ecdc0b0000         | mov                 ebx, eax
            //   a1????????           |                     
            //   33c4                 | dec                 eax
            //   898424d80b0000       | cmp                 eax, -1
            //   53                   | je                  0xfffffe82
            //   56                   | je                  0xfffff691

        $sequence_3 = { 8935???????? c705????????10000000 8935???????? ffd7 }
            // n = 4, score = 200
            //   8935????????         |                     
            //   c705????????10000000     |     
            //   8935????????         |                     
            //   ffd7                 | mov                 ebx, eax

        $sequence_4 = { 68???????? c745fc00000000 ffd6 6a00 }
            // n = 4, score = 200
            //   68????????           |                     
            //   c745fc00000000       | mov                 eax, ebx
            //   ffd6                 | dec                 eax
            //   6a00                 | lea                 edx, [ebp + 0x420]

        $sequence_5 = { 68???????? 83c602 56 ffd3 8bd8 2bc6 }
            // n = 6, score = 200
            //   68????????           |                     
            //   83c602               | dec                 eax
            //   56                   | lea                 ecx, [esp + 0x20]
            //   ffd3                 | dec                 esp
            //   8bd8                 | mov                 eax, esi
            //   2bc6                 | xor                 edx, edx

        $sequence_6 = { 56 57 8b3d???????? 68???????? ffd7 6800010000 }
            // n = 6, score = 200
            //   56                   | lea                 eax, [ebp + 0x630]
            //   57                   | dec                 eax
            //   8b3d????????         |                     
            //   68????????           |                     
            //   ffd7                 | add                 eax, esi
            //   6800010000           | dec                 eax

        $sequence_7 = { 51 ff15???????? a1???????? 5e 3bc3 5b }
            // n = 6, score = 200
            //   51                   | dec                 eax
            //   ff15????????         |                     
            //   a1????????           |                     
            //   5e                   | lea                 ecx, [0x46d8]
            //   3bc3                 | dec                 eax
            //   5b                   | lea                 ecx, [eax + ebx*2 + 2]

        // Sequences 8-15: score 100, REX-prefixed (x64 code, presumably).
        $sequence_8 = { ff15???????? 488905???????? 4885c0 74cd 488b0d???????? 4c89642438 488d05e0370000 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   488905????????       |                     
            //   4885c0               | dec                 eax
            //   74cd                 | test                eax, eax
            //   488b0d????????       |                     
            //   4c89642438           | je                  0xffffffcf
            //   488d05e0370000       | dec                 esp

        $sequence_9 = { 4881ec60020000 33db 488bf2 4533c9 48895c2430 }
            // n = 5, score = 100
            //   4881ec60020000       | mov                 eax, eax
            //   33db                 | dec                 eax
            //   488bf2               | lea                 edx, [esp + 0x20]
            //   4533c9               | dec                 eax
            //   48895c2430           | mov                 ecx, edi

        $sequence_10 = { 488d542420 488d0dc0500000 448bc0 e8???????? 488d542420 488bcf }
            // n = 6, score = 100
            //   488d542420           | mov                 dword ptr [esp + 0x38], esp
            //   488d0dc0500000       | dec                 eax
            //   448bc0               | lea                 eax, [0x37e0]
            //   e8????????           |                     
            //   488d542420           | dec                 eax
            //   488bcf               | lea                 edx, [esp + 0x20]

        $sequence_11 = { ff15???????? 488bd8 4883f8ff 0f847cfeffff }
            // n = 4, score = 100
            //   ff15????????         |                     
            //   488bd8               | mov                 dword ptr [esp + 0x62], eax
            //   4883f8ff             | mov                 dword ptr [esp + 0x6a], eax
            //   0f847cfeffff         | mov                 word ptr [esp + 0x6e], ax

        $sequence_12 = { ff15???????? 80bd3006000020 418bce 7511 488d8530060000 4803c6 }
            // n = 6, score = 100
            //   ff15????????         |                     
            //   80bd3006000020       | xor                 ecx, ecx
            //   418bce               | dec                 eax
            //   7511                 | mov                 dword ptr [esp + 0x30], ebx
            //   488d8530060000       | mov                 esi, 1
            //   4803c6               | dec                 eax

        $sequence_13 = { be01000000 4889442462 8944246a 668944246e 664489742460 ff15???????? bb08020000 }
            // n = 7, score = 100
            //   be01000000           | xor                 edx, edx
            //   4889442462           | dec                 eax
            //   8944246a             | lea                 ecx, [0x50d2]
            //   668944246e           | dec                 eax
            //   664489742460         | lea                 edx, [esp + 0x20]
            //   ff15????????         |                     
            //   bb08020000           | dec                 eax

        $sequence_14 = { 0f8481faffff 488d4c2420 4c8bc6 33d2 e8???????? 488d0dfe500000 ff15???????? }
            // n = 7, score = 100
            //   0f8481faffff         | sub                 esp, 0x260
            //   488d4c2420           | xor                 ebx, ebx
            //   4c8bc6               | dec                 eax
            //   33d2                 | mov                 esi, edx
            //   e8????????           |                     
            //   488d0dfe500000       | inc                 ebp
            //   ff15????????         |                     

        $sequence_15 = { 33d2 e8???????? 488d0dd2500000 ff15???????? 488d542420 }
            // n = 5, score = 100
            //   33d2                 | dec                 eax
            //   e8????????           |                     
            //   488d0dd2500000       | lea                 ecx, [0x50c0]
            //   ff15????????         |                     
            //   488d542420           | inc                 esp

    condition:
        // At least 7 of the 16 sequences must hit. The filesize cap means a
        // sample that has been padded, bundled or otherwise grown past 120832
        // bytes will not match this rule even if all sequences are present.
        7 of them and filesize < 120832
}
[TLP:WHITE] win_syscon_w0   (20170809 | No description)
import "pe"

rule win_syscon_w0 {
    /*
     * Purpose: detect SYSCON samples either by PE import hash or by distinctive
     * embedded strings. Requires the "pe" module (imported above this rule).
     *
     * Matching tiers (see the condition):
     *  - either of the two import hashes is sufficient on its own;
     *  - any single $x* string is treated as high confidence;
     *  - otherwise three strings from the whole set ($x* and $s*) are needed.
     */
    meta:
        author = "Florian Roth"
        // URL-shortener link; its target cannot be resolved from this page.
        // Given the date, presumably the McAfee Operation Honeybee write-up
        // (2018-03-02) listed in the references above -- confirm.
        reference = "https://goo.gl/JAHZVL"
        date = "2018-03-03"
        // hash1-hash4 are 64 hex characters each (SHA-256 length); presumably
        // the samples the rule was written against -- not stated explicitly.
        hash1 = "d31fe5cfa884e04ee26f323b8d104dcaa91146f5c7c216212fd3053afaade80f"
        hash2 = "fc2bcd38659ae83fd25b4f7091412ae9ba011612fa4dcc3ef665b2cae2a1d74f"
        hash3 = "2c5e5c86ca4fa172341c6bcbaa50984fb168d650ae9a33f2c6e6dccc1d57b369"
        hash4 = "439c305cd408dbb508e153caab29d17021a7430f1dbaec0c90ac750ba2136f5f"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.syscon"
        malpedia_version = "20170809"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // $x*: strings unlikely to appear outside this family; one hit is enough.
        $x1 = "cmd /c taskkill /im cliconfg.exe /f /t && del /f /q" fullword ascii   // kills cliconfg.exe then deletes a file -- looks like cleanup, not confirmed here
        $x2 = "\\FTPCom_vs10\\Release\\Engine.pdb" ascii   // PDB path left in the build; "FTPCom" is consistent with the FTP-based C2 described above
        $x3 = "KXU/yP=B29tLzidqNRuf-SbVInw0oCrmWZk6OpFc7A5GTD1QxaJ3H8h4jMeEsYglv" fullword ascii   // looks like a custom encoding alphabet -- presumably; verify against the sample
        $x4 = "D:\\Task\\MiMul\\" ascii   // build / working directory path embedded in the binary

        // $s*: weaker indicators; three hits from the full set are required.
        $s1 = "[DLL_PROCESS_ATTACH]" fullword ascii
        $s2 = "cmd /c systeminfo >%s" fullword ascii   // redirects systeminfo output into a file named at runtime
        $s3 = "post.txt" fullword ascii
        $s4 = "\\temp.ini" fullword ascii   // "\\" is a single literal backslash in YARA
        $s5 = "[GetFTPAccountInfo_10001712]" fullword ascii   // FTP again; consistent with the C2 channel described above
        $s6 = "ComSysAppMutex" fullword ascii   // mutex name -- presumably a single-instance guard; not verified here
        $s7 = "From %s (%02d-%02d %02d-%02d-%02d).txt" fullword ascii   // file name format string; the numeric fields look like a timestamp
        $s8 = "%s %s %c%s%c" fullword ascii
        $s9 = "TO EVERYONE" fullword ascii
    condition:
        // The imphash branches need the pe module and match regardless of the
        // strings; "3 of them" counts hits across both $x* and $s*.
        pe.imphash() == "e14b59a79999cc0bc589a4cb5994692a" or pe.imphash() == "64400f452e2f60305c341e08f217b02c" or 1 of ($x*) or 3 of them
}