win.syscon

Syscon


SYSCON is a Remote Access Trojan (RAT), first described by Trend Micro in 2017, that has been used in a targeted campaign against US government agencies. It has recently been observed in conjunction with the CARROTBAT and CARROTBALL downloaders, and it uses the File Transfer Protocol (FTP) as its command-and-control (C2) channel. The family also appeared in McAfee's Operation Honeybee (2018), a malicious-document campaign against humanitarian aid groups. Use of the family is attributed by Unit 42 to the Konni Group.

References
2020-01-23 — Palo Alto Networks Unit 42 — Adrian McCabe, Unit42
@online{mccabe:20200123:fractured:399ff15, author = {Adrian McCabe and Unit42}, title = {{The Fractured Statue Campaign: U.S. Government Targeted in Spear-Phishing Attacks}}, date = {2020-01-23}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/}, language = {English}, urldate = {2020-01-26} } The Fractured Statue Campaign: U.S. Government Targeted in Spear-Phishing Attacks
CARROTBALL CarrotBat Syscon
2018-03-02 — McAfee — Ryan Sherstobitoff, Jessica Saavedra-Morales, Thomas Roccia, Asheer Malhotra
@online{sherstobitoff:20180302:mcafee:979740e, author = {Ryan Sherstobitoff and Jessica Saavedra-Morales and Thomas Roccia and Asheer Malhotra}, title = {{McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups}}, date = {2018-03-02}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/}, language = {English}, urldate = {2019-07-09} } McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups
Syscon
2017-10-05 — Trend Micro — Jaromír Hořejší
@online{hoej:20171005:syscon:48eb01a, author = {Jaromír Hořejší}, title = {{SYSCON Backdoor Uses FTP as a C&C Channel}}, date = {2017-10-05}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/syscon-backdoor-uses-ftp-as-a-cc-channel/}, language = {English}, urldate = {2019-10-14} } SYSCON Backdoor Uses FTP as a C&C Channel
Syscon
Yara Rules
[TLP:WHITE] win_syscon_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_syscon_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.syscon"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reviewer notes
     * - $sequence_0..7 are 32-bit x86 code (no REX prefixes); $sequence_8..15
     *   carry 64-bit REX prefixes (0x41/0x44/0x45/0x48/0x49/0x4c), so the rule
     *   covers both a 32-bit and a 64-bit build of the implant.
     * - The per-byte annotations originally shipped with this rule were
     *   misaligned with the opcodes (e.g. 0x56 annotated as "dec eax"); they
     *   have been re-decoded below. "????????" marks a wildcarded operand.
     * - Several 64-bit sequences keep fixed RIP-relative displacements
     *   (e.g. lea rcx, [rip+0x4e6e]). Those encode distances inside one
     *   particular binary, so a rebuild or different layout will most likely
     *   break them - expect the 64-bit side to generalize poorly.
     * - Condition: 7 of the 16 sequences. A 64-bit sample is unlikely to
     *   contain the 32-bit sequences, so it effectively needs 7 of its own 8;
     *   the threshold is therefore stricter for 64-bit samples. The score
     *   values presumably come from yara-signator's sample coverage - not
     *   verified here. The filesize bound excludes larger (e.g. padded or
     *   packed) samples.
     */


    strings:
        $sequence_0 = { 56 ff15???????? 8b1d???????? 68???????? 57 ffd3 8bf0 }
            // n = 7, score = 200
            //   56                   | push                esi
            //   ff15????????         | call                dword ptr [????????]
            //   8b1d????????         | mov                 ebx, dword ptr [????????]
            //   68????????           | push                ????????
            //   57                   | push                edi
            //   ffd3                 | call                ebx
            //   8bf0                 | mov                 esi, eax

        $sequence_1 = { 6a00 6a01 68???????? 68???????? ff15???????? 8bf8 }
            // n = 6, score = 200
            //   6a00                 | push                0
            //   6a01                 | push                1
            //   68????????           | push                ????????
            //   68????????           | push                ????????
            //   ff15????????         | call                dword ptr [????????]
            //   8bf8                 | mov                 edi, eax

        $sequence_2 = { 56 57 8b3d???????? 68???????? ffd7 6800010000 }
            // n = 6, score = 200
            //   56                   | push                esi
            //   57                   | push                edi
            //   8b3d????????         | mov                 edi, dword ptr [????????]
            //   68????????           | push                ????????
            //   ffd7                 | call                edi
            //   6800010000           | push                0x100

        $sequence_3 = { ff15???????? 85c0 0f846affffff 833d????????00 7415 ff15???????? }
            // n = 6, score = 200
            //   ff15????????         | call                dword ptr [????????]
            //   85c0                 | test                eax, eax
            //   0f846affffff         | je                  -0x96 (rel32)
            //   833d????????00       | cmp                 dword ptr [????????], 0
            //   7415                 | je                  +0x15 (rel8)
            //   ff15????????         | call                dword ptr [????????]

        $sequence_4 = { 68???????? 52 ff15???????? a3???????? 85c0 748a 68???????? }
            // n = 7, score = 200
            //   68????????           | push                ????????
            //   52                   | push                edx
            //   ff15????????         | call                dword ptr [????????]
            //   a3????????           | mov                 dword ptr [????????], eax
            //   85c0                 | test                eax, eax
            //   748a                 | je                  -0x76 (rel8)
            //   68????????           | push                ????????

        $sequence_5 = { ba???????? 51 2ac2 52 8ad8 ffd7 }
            // n = 6, score = 200
            //   ba????????           | mov                 edx, ????????
            //   51                   | push                ecx
            //   2ac2                 | sub                 al, dl
            //   52                   | push                edx
            //   8ad8                 | mov                 bl, al
            //   ffd7                 | call                edi

        $sequence_6 = { 2bd7 42 52 57 68???????? ff15???????? }
            // n = 6, score = 200
            //   2bd7                 | sub                 edx, edi
            //   42                   | inc                 edx
            //   52                   | push                edx
            //   57                   | push                edi
            //   68????????           | push                ????????
            //   ff15????????         | call                dword ptr [????????]

        $sequence_7 = { c744242000000000 c744241c00010000 e8???????? 83c40c 8d442410 }
            // n = 5, score = 200
            //   c744242000000000     | mov                 dword ptr [esp + 0x20], 0
            //   c744241c00010000     | mov                 dword ptr [esp + 0x1c], 0x100
            //   e8????????           | call                ????????
            //   83c40c               | add                 esp, 0xc
            //   8d442410             | lea                 eax, [esp + 0x10]

        $sequence_8 = { ff15???????? 498bcf ff15???????? 488d8db0050000 33d2 41b808020000 e8???????? }
            // n = 7, score = 100
            //   ff15????????         | call                qword ptr [rip + ????????]
            //   498bcf               | mov                 rcx, r15
            //   ff15????????         | call                qword ptr [rip + ????????]
            //   488d8db0050000       | lea                 rcx, [rbp + 0x5b0]
            //   33d2                 | xor                 edx, edx
            //   41b808020000         | mov                 r8d, 0x208   ; 0x208 = 260 * sizeof(WCHAR) - looks like a MAX_PATH wide buffer, unconfirmed
            //   e8????????           | call                ????????

        $sequence_9 = { 4c8bc6 33d2 e8???????? 488d0d6e4e0000 ff15???????? 488d542420 488d0d5c4e0000 }
            // n = 7, score = 100
            //   4c8bc6               | mov                 r8, rsi
            //   33d2                 | xor                 edx, edx
            //   e8????????           | call                ????????
            //   488d0d6e4e0000       | lea                 rcx, [rip + 0x4e6e]   ; fixed displacement, build-specific
            //   ff15????????         | call                qword ptr [rip + ????????]
            //   488d542420           | lea                 rdx, [rsp + 0x20]
            //   488d0d5c4e0000       | lea                 rcx, [rip + 0x4e5c]   ; fixed displacement, build-specific

        $sequence_10 = { e8???????? 4533c9 4533c0 418bd5 33c9 4489642420 ff15???????? }
            // n = 7, score = 100
            //   e8????????           | call                ????????
            //   4533c9               | xor                 r9d, r9d
            //   4533c0               | xor                 r8d, r8d
            //   418bd5               | mov                 edx, r13d
            //   33c9                 | xor                 ecx, ecx
            //   4489642420           | mov                 dword ptr [rsp + 0x20], r12d
            //   ff15????????         | call                qword ptr [rip + ????????]

        $sequence_11 = { 488d0d4e330000 ff15???????? 488d5590 488d0d3d330000 }
            // n = 4, score = 100
            //   488d0d4e330000       | lea                 rcx, [rip + 0x334e]   ; fixed displacement, build-specific
            //   ff15????????         | call                qword ptr [rip + ????????]
            //   488d5590             | lea                 rdx, [rbp - 0x70]
            //   488d0d3d330000       | lea                 rcx, [rip + 0x333d]   ; fixed displacement, build-specific

        $sequence_12 = { 8d5601 ff15???????? 488985e80f0000 4885c0 }
            // n = 4, score = 100
            //   8d5601               | lea                 edx, [rsi + 1]
            //   ff15????????         | call                qword ptr [rip + ????????]
            //   488985e80f0000       | mov                 qword ptr [rbp + 0xfe8], rax
            //   4885c0               | test                rax, rax

        $sequence_13 = { 488d0df8430000 448bc0 e8???????? 488d4c2420 ff15???????? 488bf8 }
            // n = 6, score = 100
            //   488d0df8430000       | lea                 rcx, [rip + 0x43f8]   ; fixed displacement, build-specific
            //   448bc0               | mov                 r8d, eax
            //   e8????????           | call                ????????
            //   488d4c2420           | lea                 rcx, [rsp + 0x20]
            //   ff15????????         | call                qword ptr [rip + ????????]
            //   488bf8               | mov                 rdi, rax

        $sequence_14 = { ff15???????? 488905???????? 4885c0 0f8461ffffff }
            // n = 4, score = 100
            //   ff15????????         | call                qword ptr [rip + ????????]
            //   488905????????       | mov                 qword ptr [rip + ????????], rax
            //   4885c0               | test                rax, rax
            //   0f8461ffffff         | je                  -0x9f (rel32)

        $sequence_15 = { 488d8d50010000 33d2 448bc7 e8???????? 488d0dc83b0000 ff15???????? 488d9550010000 }
            // n = 7, score = 100
            //   488d8d50010000       | lea                 rcx, [rbp + 0x150]
            //   33d2                 | xor                 edx, edx
            //   448bc7               | mov                 r8d, edi
            //   e8????????           | call                ????????
            //   488d0dc83b0000       | lea                 rcx, [rip + 0x3bc8]   ; fixed displacement, build-specific
            //   ff15????????         | call                qword ptr [rip + ????????]
            //   488d9550010000       | lea                 rdx, [rbp + 0x150]

    condition:
        // 7 of 16 code sequences; see reviewer notes above on how this
        // threshold behaves differently for 32-bit and 64-bit samples.
        7 of them and filesize < 120832
}
[TLP:WHITE] win_syscon_w0   (20170809 | No description)
import "pe"

rule win_syscon_w0 {
    // Hand-written SYSCON detection (Florian Roth, 2018-03-03). Needs the
    // `import "pe"` preceding this rule for the imphash clauses. Fires on
    // either of two import hashes, any single high-confidence ($x*) string,
    // or any three strings overall.
    meta:
        author = "Florian Roth"
        // NOTE(review): goo.gl short links no longer resolve (Google retired
        // the service in 2025). By date and sample context this appears to be
        // the McAfee "Operation Honeybee" report listed in the References
        // above - confirm before relying on it.
        reference = "https://goo.gl/JAHZVL"
        date = "2018-03-03"
        // SHA-256 of the samples the rule was written against.
        hash = "d31fe5cfa884e04ee26f323b8d104dcaa91146f5c7c216212fd3053afaade80f"
        hash = "fc2bcd38659ae83fd25b4f7091412ae9ba011612fa4dcc3ef665b2cae2a1d74f"
        hash = "2c5e5c86ca4fa172341c6bcbaa50984fb168d650ae9a33f2c6e6dccc1d57b369"
        hash = "439c305cd408dbb508e153caab29d17021a7430f1dbaec0c90ac750ba2136f5f"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.syscon"
        malpedia_version = "20170809"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // --- High-confidence indicators: one hit is enough on its own ---
        // Kills cliconfg.exe (a legitimate Microsoft SQL client configuration
        // tool) and then deletes a file. Consistent with cleanup after a
        // DLL side-loading launch, but the loader chain is not visible here.
        $x1 = "cmd /c taskkill /im cliconfg.exe /f /t && del /f /q" fullword ascii
        // Debug-symbol path left in the binary; "FTPCom" matches the FTP C2.
        $x2 = "\\FTPCom_vs10\\Release\\Engine.pdb" ascii
        // 65-character shuffled base64-style table (64 symbols plus '='),
        // presumably used to encode data exchanged over the C2 channel.
        $x3 = "KXU/yP=B29tLzidqNRuf-SbVInw0oCrmWZk6OpFc7A5GTD1QxaJ3H8h4jMeEsYglv" fullword ascii
        // Developer build path.
        $x4 = "D:\\Task\\MiMul\\" ascii

        // --- Supporting strings: any three strings in this rule are needed ---
        // Debug log tag, presumably emitted from DllMain.
        $s1 = "[DLL_PROCESS_ATTACH]" fullword ascii
        // Host reconnaissance; output is redirected to a file named by %s.
        $s2 = "cmd /c systeminfo >%s" fullword ascii
        $s3 = "post.txt" fullword ascii
        $s4 = "\\temp.ini" fullword ascii
        // Debug tag; 0x10001712 looks like a function address inside a DLL
        // mapped at the default 0x10000000 base - not verified.
        $s5 = "[GetFTPAccountInfo_10001712]" fullword ascii
        // Mutex name; also usable as a host-based indicator.
        $s6 = "ComSysAppMutex" fullword ascii
        // Filename template carrying a host identifier and a timestamp -
        // likely the name of files uploaded to the FTP server.
        $s7 = "From %s (%02d-%02d %02d-%02d-%02d).txt" fullword ascii
        $s8 = "%s %s %c%s%c" fullword ascii
        $s9 = "TO EVERYONE" fullword ascii
    condition:
        // pe.imphash() is undefined on non-PE input; YARA evaluates an
        // undefined comparison as false, so the string clauses still decide
        // for such data. Imphash matches alone can collide with unrelated
        // binaries sharing the same import table, so corroborate them.
        // NOTE(review): $s1, $s3, $s4, $s8 and $s9 are generic; "3 of them"
        // can be met by supporting strings only, so treat a hit with no $x*
        // string and no imphash match as lower confidence.
        pe.imphash() == "e14b59a79999cc0bc589a4cb5994692a" or pe.imphash() == "64400f452e2f60305c341e08f217b02c" or 1 of ($x*) or 3 of them
}