win.syscon

Syscon


SYSCON is a Remote Access Trojan used in a targeted campaign against US government agencies. It has recently been observed in conjunction with the CARROTBAT and CARROTBALL downloaders, and it uses the File Transfer Protocol (FTP) as its command-and-control (C2) channel. Use of the family is attributed by Unit 42 to the Konni Group.

References
2020-01-23 — Palo Alto Networks Unit 42 — Adrian McCabe, Unit42
@online{mccabe:20200123:fractured:399ff15, author = {Adrian McCabe and Unit42}, title = {{The Fractured Statue Campaign: U.S. Government Targeted in Spear-Phishing Attacks}}, date = {2020-01-23}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/}, language = {English}, urldate = {2020-01-26} } The Fractured Statue Campaign: U.S. Government Targeted in Spear-Phishing Attacks
CARROTBALL CarrotBat Syscon
2018-03-02 — McAfee — Ryan Sherstobitoff, Jessica Saavedra-Morales, Thomas Roccia, Asheer Malhotra
@online{sherstobitoff:20180302:mcafee:979740e, author = {Ryan Sherstobitoff and Jessica Saavedra-Morales and Thomas Roccia and Asheer Malhotra}, title = {{McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups}}, date = {2018-03-02}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/}, language = {English}, urldate = {2019-07-09} } McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups
Syscon
2017-10-05 — Trend Micro — Jaromír Hořejší
@online{hoej:20171005:syscon:48eb01a, author = {Jaromír Hořejší}, title = {{SYSCON Backdoor Uses FTP as a C&C Channel}}, date = {2017-10-05}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/syscon-backdoor-uses-ftp-as-a-cc-channel/}, language = {English}, urldate = {2019-10-14} } SYSCON Backdoor Uses FTP as a C&C Channel
Syscon
Yara Rules
[TLP:WHITE] win_syscon_auto (20211008 | Detects win.syscon.)
rule win_syscon_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.syscon."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.syscon"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES (not part of the generated rule)
     * - Only the hex tokens in each $sequence_N are matched. The "| mnemonic"
     *   column is a generator annotation for human readers and has no effect
     *   on matching.
     * - "??" wildcards mask the bytes the generator treats as position-
     *   dependent (call/jump targets and data references, per
     *   signator_config), so the rule tolerates relocation and re-linking.
     * - Sequences 0-7 carry score 200, sequences 8-15 score 100. The latter
     *   start with 0x40-0x4f bytes that are REX prefixes in 64-bit code; the
     *   annotation column there reads like a 32-bit decode (e.g. "448bc0"
     *   shown as "inc esp") and is shifted relative to the bytes. Treat
     *   those annotations as non-authoritative; presumably the corpus held
     *   both 32-bit and 64-bit builds - verify against the Malpedia samples.
     */

    strings:
        $sequence_0 = { ff15???????? 8bd8 8d4301 50 6a40 ff15???????? }
            // n = 6, score = 200
            //   ff15????????         |                     
            //   8bd8                 | mov                 ebx, eax
            //   8d4301               | lea                 eax, dword ptr [ebx + 1]
            //   50                   | push                eax
            //   6a40                 | push                0x40
            //   ff15????????         |                     
            // Pattern: result of one import call is used as (length + 1)
            // and passed, with 0x40, to a second import call.

        $sequence_1 = { 6a5c 53 68???????? ff15???????? 68???????? 68???????? 8818 }
            // n = 7, score = 200
            //   6a5c                 | push                0x5c
            //   53                   | push                ebx
            //   68????????           |                     
            //   ff15????????         |                     
            //   68????????           |                     
            //   68????????           |                     
            //   8818                 | mov                 byte ptr [eax], bl
            // 0x5c is ASCII '\' - looks like path-string handling; confirm
            // against the sample before relying on that reading.

        $sequence_2 = { 6a20 6a03 6a00 6a01 68???????? 68???????? ff15???????? }
            // n = 7, score = 200
            //   6a20                 | push                0x20
            //   6a03                 | push                3
            //   6a00                 | push                0
            //   6a01                 | push                1
            //   68????????           |                     
            //   68????????           |                     
            //   ff15????????         |                     

        $sequence_3 = { 85f6 0f84d8000000 6a00 8d4dfc 51 }
            // n = 5, score = 200
            //   85f6                 | test                esi, esi
            //   0f84d8000000         | je                  0xde
            //   6a00                 | push                0
            //   8d4dfc               | lea                 ecx, dword ptr [ebp - 4]
            //   51                   | push                ecx
            // Note: the je displacement (0xd8) is matched literally, so this
            // sequence is sensitive to code-layout changes between builds.

        $sequence_4 = { 8ac3 884dfd c0e006 0ac1 8a4dfe 02c9 }
            // n = 6, score = 200
            //   8ac3                 | mov                 al, bl
            //   884dfd               | mov                 byte ptr [ebp - 3], cl
            //   c0e006               | shl                 al, 6
            //   0ac1                 | or                  al, cl
            //   8a4dfe               | mov                 cl, byte ptr [ebp - 2]
            //   02c9                 | add                 cl, cl
            // Byte-level shift/or arithmetic on 6-bit quantities - looks like
            // a custom encoding/decoding routine; TODO confirm in the sample.

        $sequence_5 = { 891d???????? 8935???????? 8935???????? c705????????10000000 8935???????? ffd7 e8???????? }
            // n = 7, score = 200
            //   891d????????         |                     
            //   8935????????         |                     
            //   8935????????         |                     
            //   c705????????10000000     |     
            //   8935????????         |                     
            //   ffd7                 | call                edi
            //   e8????????           |                     
            // Stores to several globals (addresses wildcarded) including a
            // literal 0x10, then an indirect call through edi.

        $sequence_6 = { ffd7 8b7df8 ba???????? 2ac2 8a55ff }
            // n = 5, score = 200
            //   ffd7                 | call                edi
            //   8b7df8               | mov                 edi, dword ptr [ebp - 8]
            //   ba????????           |                     
            //   2ac2                 | sub                 al, dl
            //   8a55ff               | mov                 dl, byte ptr [ebp - 1]

        $sequence_7 = { 8d4dfc 51 53 56 57 ff15???????? }
            // n = 6, score = 200
            //   8d4dfc               | lea                 ecx, dword ptr [ebp - 4]
            //   51                   | push                ecx
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   ff15????????         |                     
            // Generic call prologue (out-pointer plus three register args);
            // weak on its own, contributes to the "7 of them" count only.

        // ---- sequences 8-15: REX-prefixed (64-bit) code, score 100 ----
        // The annotation column below does not line up with the bytes; see
        // the review notes above.

        $sequence_8 = { 448bc0 e8???????? 488d542440 488d8d50010000 ff15???????? }
            // n = 5, score = 100
            //   448bc0               | inc                 esp
            //   e8????????           |                     
            //   488d542440           | mov                 eax, eax
            //   488d8d50010000       | dec                 eax
            //   ff15????????         |                     

        $sequence_9 = { e8???????? 488d0d6a510000 ff15???????? 488d542420 488d0d58510000 }
            // n = 5, score = 100
            //   e8????????           |                     
            //   488d0d6a510000       | lea                 edx, dword ptr [esp + 0x40]
            //   ff15????????         |                     
            //   488d542420           | dec                 eax
            //   488d0d58510000       | lea                 ecx, dword ptr [ebp + 0x150]
            // Contains RIP-relative displacements matched literally
            // (0x516a, 0x5158) - build-specific.

        $sequence_10 = { 33d2 41b808020000 e8???????? 488d0d48360000 ff15???????? 488d542440 488d0d36360000 }
            // n = 7, score = 100
            //   33d2                 | inc                 eax
            //   41b808020000         | mov                 cl, ch
            //   e8????????           |                     
            //   488d0d48360000       | dec                 eax
            //   ff15????????         |                     
            //   488d542440           | mov                 ecx, dword ptr [ebp + 0x178]
            //   488d0d36360000       | dec                 eax
            // Literal 0x208 (= 520, i.e. MAX_PATH*2) loaded as an immediate;
            // plausibly a wide-char path buffer size - unconfirmed.

        $sequence_11 = { 48895c2408 57 4881ec30020000 488bda 488d4c2422 33ff 33d2 }
            // n = 7, score = 100
            //   48895c2408           | dec                 eax
            //   57                   | lea                 edx, dword ptr [esp + 0x40]
            //   4881ec30020000       | dec                 eax
            //   488bda               | lea                 ecx, dword ptr [ebp + 0x38c]
            //   488d4c2422           | dec                 eax
            //   33ff                 | test                eax, eax
            //   33d2                 | xor                 edx, edx
            // Looks like a function prologue (save rbx, push rdi, reserve
            // 0x230 bytes of stack) - the most stable of the 64-bit sequences
            // if the frame size does not change between builds.

        $sequence_12 = { 85ff 74df bb04010000 488d4c2440 }
            // n = 4, score = 100
            //   85ff                 | lea                 ecx, dword ptr [esp + 0x30]
            //   74df                 | dec                 ebp
            //   bb04010000           | mov                 eax, ebp
            //   488d4c2440           | xor                 edx, edx
            // Literal 0x104 (= 260, MAX_PATH) immediate; short sequence,
            // expect lower specificity.

        $sequence_13 = { 488d542440 488d8d8c030000 ff15???????? 4885c0 }
            // n = 4, score = 100
            //   488d542440           | inc                 eax
            //   488d8d8c030000       | sub                 ch, al
            //   ff15????????         |                     
            //   4885c0               | shl                 bl, 2

        $sequence_14 = { 488bc8 402ae8 ff15???????? c0e302 408acd }
            // n = 5, score = 100
            //   488bc8               | dec                 eax
            //   402ae8               | lea                 ecx, dword ptr [0x516a]
            //   ff15????????         |                     
            //   c0e302               | dec                 eax
            //   408acd               | lea                 edx, dword ptr [esp + 0x20]

        $sequence_15 = { 488b8d78010000 ff15???????? e9???????? 488d4c2430 4d8bc5 33d2 e8???????? }
            // n = 7, score = 100
            //   488b8d78010000       | dec                 eax
            //   ff15????????         |                     
            //   e9????????           |                     
            //   488d4c2430           | lea                 ecx, dword ptr [0x5158]
            //   4d8bc5               | dec                 eax
            //   33d2                 | mov                 ecx, eax
            //   e8????????           |                     

    condition:
        // 7 of the 16 sequences must match. With eight 32-bit and eight
        // 64-bit sequences, a single-architecture sample can still satisfy
        // the threshold. The filesize bound (118 KiB) is derived from the
        // documented samples; larger or repacked builds will not match.
        7 of them and filesize < 120832
}
[TLP:WHITE] win_syscon_w0   (20170809 | No description)
import "pe"

rule win_syscon_w0 {
    meta:
        author = "Florian Roth"
        reference = "https://goo.gl/JAHZVL"
        date = "2018-03-03"
        hash = "d31fe5cfa884e04ee26f323b8d104dcaa91146f5c7c216212fd3053afaade80f"
        hash = "fc2bcd38659ae83fd25b4f7091412ae9ba011612fa4dcc3ef665b2cae2a1d74f"
        hash = "2c5e5c86ca4fa172341c6bcbaa50984fb168d650ae9a33f2c6e6dccc1d57b369"
        hash = "439c305cd408dbb508e153caab29d17021a7430f1dbaec0c90ac750ba2136f5f"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.syscon"
        malpedia_version = "20170809"
        // License differs from the auto-generated rule on this page
        // (CC BY-NC-SA vs CC BY-SA); check before redistribution.
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // $x* = high-confidence artefacts; any one of them is sufficient.
        // Embedded command line that terminates and deletes cliconfg.exe.
        $x1 = "cmd /c taskkill /im cliconfg.exe /f /t && del /f /q" fullword ascii
        // Build artefact: PDB path of the FTP communication engine.
        $x2 = "\\FTPCom_vs10\\Release\\Engine.pdb" ascii
        // 65-character string (64 symbols plus '=') - consistent with a
        // custom base64-style alphabet; TODO confirm against the sample.
        $x3 = "KXU/yP=B29tLzidqNRuf-SbVInw0oCrmWZk6OpFc7A5GTD1QxaJ3H8h4jMeEsYglv" fullword ascii
        // Build artefact: developer-side directory path.
        $x4 = "D:\\Task\\MiMul\\" ascii

        // $s* = supporting strings; individually weak (format strings and
        // generic file names), counted only via "3 of them".
        $s1 = "[DLL_PROCESS_ATTACH]" fullword ascii
        // Host-survey command with output redirected to a file.
        $s2 = "cmd /c systeminfo >%s" fullword ascii
        $s3 = "post.txt" fullword ascii
        $s4 = "\\temp.ini" fullword ascii
        // Consistent with the FTP-based C2 described for this family.
        $s5 = "[GetFTPAccountInfo_10001712]" fullword ascii
        // Mutex name - usable as a host-based indicator on its own.
        $s6 = "ComSysAppMutex" fullword ascii
        // Timestamped file-name format ("From <host> (MM-DD HH-MM-SS).txt").
        $s7 = "From %s (%02d-%02d %02d-%02d-%02d).txt" fullword ascii
        $s8 = "%s %s %c%s%c" fullword ascii
        $s9 = "TO EVERYONE" fullword ascii
    condition:
        // Four independent routes to a match:
        //   1-2. either known import hash (PE files only; pe.imphash() is
        //        undefined on non-PE input, so these clauses fail closed);
        //   3.   any single high-confidence $x string;
        //   4.   any three strings from both groups combined.
        // There is no file-type or size guard on the string clauses, so the
        // rule also applies to memory dumps and non-PE containers; $x2/$x4
        // are plain text and may appear in reports that quote them.
        pe.imphash() == "e14b59a79999cc0bc589a4cb5994692a" or pe.imphash() == "64400f452e2f60305c341e08f217b02c" or 1 of ($x*) or 3 of them
}