win.syscon

Syscon


SYSCON is a Remote Access Trojan used in a targeted campaign against US government agencies. It has recently been observed in conjunction with the CARROTBAT and CARROTBALL downloaders, and it uses the File Transfer Protocol (FTP) as its command-and-control (C2) channel. Use of the family is attributed by Unit 42 to the Konni Group.

References
2020-01-23 — Palo Alto Networks Unit 42 — Adrian McCabe, Unit42
@online{mccabe:20200123:fractured:399ff15, author = {Adrian McCabe and Unit42}, title = {{The Fractured Statue Campaign: U.S. Government Targeted in Spear-Phishing Attacks}}, date = {2020-01-23}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/}, language = {English}, urldate = {2020-01-26} } The Fractured Statue Campaign: U.S. Government Targeted in Spear-Phishing Attacks
CARROTBALL CarrotBat Syscon
2018-03-02 — McAfee — Ryan Sherstobitoff, Jessica Saavedra-Morales, Thomas Roccia, Asheer Malhotra
@online{sherstobitoff:20180302:mcafee:979740e, author = {Ryan Sherstobitoff and Jessica Saavedra-Morales and Thomas Roccia and Asheer Malhotra}, title = {{McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups}}, date = {2018-03-02}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/}, language = {English}, urldate = {2019-07-09} } McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups
Syscon
2017-10-05 — Trend Micro — Jaromír Hořejší
@online{hoej:20171005:syscon:48eb01a, author = {Jaromír Hořejší}, title = {{SYSCON Backdoor Uses FTP as a C&C Channel}}, date = {2017-10-05}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/syscon-backdoor-uses-ftp-as-a-cc-channel/}, language = {English}, urldate = {2019-10-14} } SYSCON Backdoor Uses FTP as a C&C Channel
Syscon
Yara Rules
[TLP:WHITE] win_syscon_auto (20220411 | Detects win.syscon.)
rule win_syscon_auto {
    // Autogenerated code-sequence signature for win.syscon (yara-signator).
    // Matches when at least 7 of the 15 opcode sequences below are present
    // in a file smaller than 120832 bytes. The hex patterns are the only
    // authoritative part of this rule; the per-line disassembly comments are
    // informational and were produced by the generator, not reviewed by hand.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.syscon."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.syscon"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Sequences 0-6 are 32-bit (x86) instruction encodings (score 200).
        // Sequences 7-14 begin with REX prefixes (0x41/0x44/0x45/0x48/0x4c)
        // and are 64-bit (x64) code (score 100).
        // The "??" wildcards mask relocatable operands: 4-byte absolute
        // addresses in ff15 (call [mem]), c705 (mov [mem], imm32) and 8935
        // (mov [mem], esi), and 4-byte immediates/displacements in 68 (push
        // imm32), ba (mov edx, imm32), e8 (call rel32) and e9 (jmp rel32).
        $sequence_0 = { ff15???????? 68e8030000 8d8c2414040000 6a00 51 }
            // n = 5, score = 200
            //   ff15????????         |                     
            //   68e8030000           | push                0x3e8
            //   8d8c2414040000       | lea                 ecx, dword ptr [esp + 0x414]
            //   6a00                 | push                0
            //   51                   | push                ecx

        $sequence_1 = { 0fb64e02 ba???????? 51 2ac2 52 8ad8 ffd7 }
            // n = 7, score = 200
            //   0fb64e02             | movzx               ecx, byte ptr [esi + 2]
            //   ba????????           |                     
            //   51                   | push                ecx
            //   2ac2                 | sub                 al, dl
            //   52                   | push                edx
            //   8ad8                 | mov                 bl, al
            //   ffd7                 | call                edi

        $sequence_2 = { ff15???????? e9???????? 8b8c24e40b0000 5f 5e }
            // n = 5, score = 200
            //   ff15????????         |                     
            //   e9????????           |                     
            //   8b8c24e40b0000       | mov                 ecx, dword ptr [esp + 0xbe4]
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_3 = { 68???????? 68???????? ff15???????? 8bf8 83ffff }
            // n = 5, score = 200
            //   68????????           |                     
            //   68????????           |                     
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax
            //   83ffff               | cmp                 edi, -1

        $sequence_4 = { 50 c705????????02000000 c705????????03000000 8935???????? }
            // n = 4, score = 200
            //   50                   | push                eax
            //   c705????????02000000     |     
            //   c705????????03000000     |     
            //   8935????????         |                     

        $sequence_5 = { 57 ff15???????? 8bd8 8d4301 50 6a40 }
            // n = 6, score = 200
            //   57                   | push                edi
            //   ff15????????         |                     
            //   8bd8                 | mov                 ebx, eax
            //   8d4301               | lea                 eax, dword ptr [ebx + 1]
            //   50                   | push                eax
            //   6a40                 | push                0x40

        $sequence_6 = { eb0c 53 68???????? ff15???????? 57 }
            // n = 5, score = 200
            //   eb0c                 | jmp                 0xe
            //   53                   | push                ebx
            //   68????????           |                     
            //   ff15????????         |                     
            //   57                   | push                edi

        // NOTE(review): in sequences 7-14 the disassembly annotations do not
        // correspond to the bytes on the same line (e.g. 488bd9 is annotated
        // as a mov to [esp + 0x20]; the REX prefixes show up as "dec eax" /
        // "inc ebp"). They look like a 32-bit decoding shifted by a line.
        // Do not use these annotations for analysis; trust the hex bytes.
        $sequence_7 = { 488bd9 4533f6 ff15???????? 488b0d???????? 4c21742420 4c8d8560030000 }
            // n = 6, score = 100
            //   488bd9               | mov                 dword ptr [esp + 0x20], 3
            //   4533f6               | dec                 eax
            //   ff15????????         |                     
            //   488b0d????????       |                     
            //   4c21742420           | lea                 ecx, dword ptr [0x2ed3]
            //   4c8d8560030000       | inc                 esp

        $sequence_8 = { 488d0dd32e0000 448bc0 e8???????? 488d5590 }
            // n = 4, score = 100
            //   488d0dd32e0000       | xor                 ecx, ecx
            //   448bc0               | inc                 ebp
            //   e8????????           |                     
            //   488d5590             | lea                 eax, dword ptr [ecx + 1]

        $sequence_9 = { 458d4101 ba00000080 488bcd c744242880000000 c744242003000000 }
            // n = 5, score = 100
            //   458d4101             | mov                 eax, eax
            //   ba00000080           | dec                 eax
            //   488bcd               | lea                 ecx, dword ptr [esp + 0x30]
            //   c744242880000000     | xor                 edx, edx
            //   c744242003000000     | inc                 ebp

        $sequence_10 = { 33d2 e8???????? 488d8d30060000 33d2 41b8e8030000 e8???????? }
            // n = 6, score = 100
            //   33d2                 | dec                 eax
            //   e8????????           |                     
            //   488d8d30060000       | lea                 ecx, dword ptr [esp + 0x20]
            //   33d2                 | dec                 esp
            //   41b8e8030000         | mov                 eax, esi
            //   e8????????           |                     

        $sequence_11 = { 448bc0 e8???????? 488d4c2430 33d2 ff15???????? 4533c9 }
            // n = 6, score = 100
            //   448bc0               | lea                 ecx, dword ptr [0x440a]
            //   e8????????           |                     
            //   488d4c2430           | dec                 eax
            //   33d2                 | lea                 edx, dword ptr [esp + 0x20]
            //   ff15????????         |                     
            //   4533c9               | inc                 esp

        $sequence_12 = { 4c8bc6 33d2 e8???????? 488d0d0a440000 ff15???????? 488d542420 }
            // n = 6, score = 100
            //   4c8bc6               | dec                 esp
            //   33d2                 | mov                 eax, esi
            //   e8????????           |                     
            //   488d0d0a440000       | xor                 edx, edx
            //   ff15????????         |                     
            //   488d542420           | dec                 eax

        $sequence_13 = { 0f8410020000 448bc6 498bd4 488bc8 }
            // n = 4, score = 100
            //   0f8410020000         | xor                 edx, edx
            //   448bc6               | dec                 eax
            //   498bd4               | mov                 ebx, ecx
            //   488bc8               | inc                 ebp

        $sequence_14 = { 430fb6543d02 4c8be0 488bcd 442ae5 ff15???????? }
            // n = 5, score = 100
            //   430fb6543d02         | mov                 eax, eax
            //   4c8be0               | dec                 eax
            //   488bcd               | lea                 edx, dword ptr [ebp - 0x70]
            //   442ae5               | je                  0xfffff64a
            //   ff15????????         |                     

    condition:
        // "7 of them" counts across all 15 sequences. Since the 32-bit group
        // has exactly seven members (0-6), a 32-bit sample effectively has to
        // match every one of them; a 64-bit sample needs 7 of the 8 in 7-14.
        // filesize is undefined when scanning a running process, so the rule
        // is effectively limited to on-disk files and dumps written to disk;
        // expect no hits from process-memory scans.
        7 of them and filesize < 120832
}
[TLP:WHITE] win_syscon_w0   (20170809 | No description)
import "pe"

rule win_syscon_w0 {
    // Hand-written string/import-hash signature for win.syscon.
    // Requires the "pe" module (imported above) for pe.imphash().
    meta:
        author = "Florian Roth"
        // goo.gl shortlink; verify it still resolves before citing it.
        reference = "https://goo.gl/JAHZVL"
        date = "2018-03-03"
        // Four sample SHA-256 hashes (repeated meta keys are allowed in YARA).
        hash = "d31fe5cfa884e04ee26f323b8d104dcaa91146f5c7c216212fd3053afaade80f"
        hash = "fc2bcd38659ae83fd25b4f7091412ae9ba011612fa4dcc3ef665b2cae2a1d74f"
        hash = "2c5e5c86ca4fa172341c6bcbaa50984fb168d650ae9a33f2c6e6dccc1d57b369"
        hash = "439c305cd408dbb508e153caab29d17021a7430f1dbaec0c90ac750ba2136f5f"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.syscon"
        malpedia_version = "20170809"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // $x*: high-confidence artefacts; any single one is sufficient to match.
        // $x1: self-deletion command line; $x2: build PDB path; $x4: build
        // directory. $x3 appears to be a custom 64-character alphabet plus '='
        // padding (65 characters), i.e. a non-standard base64 table.
        $x1 = "cmd /c taskkill /im cliconfg.exe /f /t && del /f /q" fullword ascii
        $x2 = "\\FTPCom_vs10\\Release\\Engine.pdb" ascii
        $x3 = "KXU/yP=B29tLzidqNRuf-SbVInw0oCrmWZk6OpFc7A5GTD1QxaJ3H8h4jMeEsYglv" fullword ascii
        $x4 = "D:\\Task\\MiMul\\" ascii

        // $s*: weaker supporting strings. $s2, $s3 and $s9 are generic and
        // can occur in unrelated software; they only count toward "3 of them".
        $s1 = "[DLL_PROCESS_ATTACH]" fullword ascii
        $s2 = "cmd /c systeminfo >%s" fullword ascii
        $s3 = "post.txt" fullword ascii
        $s4 = "\\temp.ini" fullword ascii
        $s5 = "[GetFTPAccountInfo_10001712]" fullword ascii
        $s6 = "ComSysAppMutex" fullword ascii
        $s7 = "From %s (%02d-%02d %02d-%02d-%02d).txt" fullword ascii
        $s8 = "%s %s %c%s%c" fullword ascii
        $s9 = "TO EVERYONE" fullword ascii
    condition:
        // Either import hash matches on its own, so any PE with the same import
        // table (e.g. a rebuilt variant) also fires regardless of strings.
        // "3 of them" counts $x* and $s* together, so three of the generic $s
        // strings alone are enough; weigh such hits accordingly.
        // pe.imphash() is undefined on non-PE input, which makes those two
        // comparisons false rather than an error.
        pe.imphash() == "e14b59a79999cc0bc589a4cb5994692a" or pe.imphash() == "64400f452e2f60305c341e08f217b02c" or 1 of ($x*) or 3 of them
}