win.syscon

Syscon


SYSCON is a Remote Access Trojan used in a targeted campaign against US government agencies. It has recently been observed in conjunction with the CARROTBAT and CARROTBALL downloaders, and it uses the File Transfer Protocol as its Command and Control channel. Use of the family is attributed by Unit 42 to the Konni Group.

References
2020-01-23Palo Alto Networks Unit 42Adrian McCabe, Unit42
@online{mccabe:20200123:fractured:399ff15, author = {Adrian McCabe and Unit42}, title = {{The Fractured Statue Campaign: U.S. Government Targeted in Spear-Phishing Attacks}}, date = {2020-01-23}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/}, language = {English}, urldate = {2020-01-26} } The Fractured Statue Campaign: U.S. Government Targeted in Spear-Phishing Attacks
CARROTBALL CarrotBat Syscon
2018-03-02McAfeeRyan Sherstobitoff, Jessica Saavedra-Morales, Thomas Roccia, Asheer Malhotra
@online{sherstobitoff:20180302:mcafee:979740e, author = {Ryan Sherstobitoff and Jessica Saavedra-Morales and Thomas Roccia and Asheer Malhotra}, title = {{McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups}}, date = {2018-03-02}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/}, language = {English}, urldate = {2019-07-09} } McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups
Syscon
2017-10-05Trend MicroJaromír Hořejší
@online{hoej:20171005:syscon:48eb01a, author = {Jaromír Hořejší}, title = {{SYSCON Backdoor Uses FTP as a C&C Channel}}, date = {2017-10-05}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/syscon-backdoor-uses-ftp-as-a-cc-channel/}, language = {English}, urldate = {2019-10-14} } SYSCON Backdoor Uses FTP as a C&C Channel
Syscon
Yara Rules
[TLP:WHITE] win_syscon_auto (20230125 | Detects win.syscon.)
rule win_syscon_auto {

    /* Auto-generated code-sequence rule for win.syscon (see the DISCLAIMER below).
     * Each $sequence_N is a run of instruction bytes taken from disassembly; the
     * "??" bytes are wildcards standing in for addresses and immediates that vary
     * between builds. In the annotations, "n" is the number of instructions in the
     * sequence and "score" is a yara-signator weighting whose exact meaning is not
     * documented on this page.
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.syscon."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.syscon"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // $sequence_0 .. $sequence_6 (score = 200): plain x86 prologue/call/push
        // fragments; the mnemonic column beside each one matches its bytes.
        $sequence_0 = { 53 56 57 68???????? ff15???????? e8???????? 68???????? }
            // n = 7, score = 200
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   68????????           |                     
            //   ff15????????         |                     
            //   e8????????           |                     
            //   68????????           |                     

        $sequence_1 = { a3???????? 890d???????? 890d???????? 8935???????? c705????????b80b0000 c705????????10000000 8935???????? }
            // n = 7, score = 200
            //   a3????????           |                     
            //   890d????????         |                     
            //   890d????????         |                     
            //   8935????????         |                     
            //   c705????????b80b0000     |     
            //   c705????????10000000     |     
            //   8935????????         |                     

        $sequence_2 = { ff15???????? e9???????? 8b8c24e40b0000 5f 5e 5b }
            // n = 6, score = 200
            //   ff15????????         |                     
            //   e9????????           |                     
            //   8b8c24e40b0000       | mov                 ecx, dword ptr [esp + 0xbe4]
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx

        $sequence_3 = { c745fc00000000 ffd6 6a00 6a20 6a03 }
            // n = 5, score = 200
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   ffd6                 | call                esi
            //   6a00                 | push                0
            //   6a20                 | push                0x20
            //   6a03                 | push                3

        $sequence_4 = { 53 68???????? ffd6 eb0c 53 68???????? }
            // n = 6, score = 200
            //   53                   | push                ebx
            //   68????????           |                     
            //   ffd6                 | call                esi
            //   eb0c                 | jmp                 0xe
            //   53                   | push                ebx
            //   68????????           |                     

        $sequence_5 = { 57 ff15???????? 53 6a40 ff15???????? 8bf8 85ff }
            // n = 7, score = 200
            //   57                   | push                edi
            //   ff15????????         |                     
            //   53                   | push                ebx
            //   6a40                 | push                0x40
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax
            //   85ff                 | test                edi, edi

        $sequence_6 = { 6a20 6a03 6a00 6a01 68???????? 8d4c2440 51 }
            // n = 7, score = 200
            //   6a20                 | push                0x20
            //   6a03                 | push                3
            //   6a00                 | push                0
            //   6a01                 | push                1
            //   68????????           |                     
            //   8d4c2440             | lea                 ecx, [esp + 0x40]
            //   51                   | push                ecx

        // NOTE(review): $sequence_7 .. $sequence_14 (score = 100) start with 0x48/0x4x
        // bytes that read as REX prefixes of x64 code, yet the mnemonic column next to
        // them shows 32-bit decodes ("dec eax", "inc ecx", ...) that do not line up with
        // the bytes. Treat those annotations as informational only; the rule matches on
        // the byte patterns, not on the mnemonics.
        $sequence_7 = { 488bcf ff15???????? 488905???????? 4885c0 0f840ef2ffff }
            // n = 5, score = 100
            //   488bcf               | dec                 eax
            //   ff15????????         |                     
            //   488905????????       |                     
            //   4885c0               | lea                 edx, [esp + 0x20]
            //   0f840ef2ffff         | dec                 eax

        $sequence_8 = { 430fb6543d03 488be8 488d054e3d0000 488bc8 402ae8 ff15???????? }
            // n = 6, score = 100
            //   430fb6543d03         | je                  0xfffff214
            //   488be8               | xor                 edx, edx
            //   488d054e3d0000       | dec                 eax
            //   488bc8               | lea                 ecx, [ebp + 0x630]
            //   402ae8               | xor                 edx, edx
            //   ff15????????         |                     

        $sequence_9 = { 33d2 e8???????? 488d8d30060000 33d2 }
            // n = 4, score = 100
            //   33d2                 | mov                 ecx, edi
            //   e8????????           |                     
            //   488d8d30060000       | dec                 eax
            //   33d2                 | test                eax, eax

        $sequence_10 = { 488d8530060000 4803c6 03ce 803820 74f6 e9???????? }
            // n = 6, score = 100
            //   488d8530060000       | inc                 ecx
            //   4803c6               | mov                 byte ptr [ebp - 1], cl
            //   03ce                 | dec                 ebp
            //   803820               | cmp                 ecx, eax
            //   74f6                 | jl                  0xffffff50
            //   e9????????           |                     

        $sequence_11 = { 428a0c31 41884dff 4d3bc8 0f8c43ffffff 488b5c2428 }
            // n = 5, score = 100
            //   428a0c31             | inc                 ebx
            //   41884dff             | movzx               edx, byte ptr [ebp + edi + 3]
            //   4d3bc8               | dec                 eax
            //   0f8c43ffffff         | mov                 ebp, eax
            //   488b5c2428           | dec                 eax

        $sequence_12 = { bb68000000 488d8da0010000 33d2 448bc3 e8???????? }
            // n = 5, score = 100
            //   bb68000000           | lea                 eax, [0x3d4e]
            //   488d8da0010000       | dec                 eax
            //   33d2                 | mov                 ecx, eax
            //   448bc3               | inc                 eax
            //   e8????????           |                     

        $sequence_13 = { ff15???????? 4885c0 750c 488d8d8c030000 }
            // n = 4, score = 100
            //   ff15????????         |                     
            //   4885c0               | sub                 ch, al
            //   750c                 | inc                 edx
            //   488d8d8c030000       | mov                 cl, byte ptr [ecx + esi]

        $sequence_14 = { 33d2 e8???????? 488d0d30500000 ff15???????? 488d542420 }
            // n = 5, score = 100
            //   33d2                 | xor                 edx, edx
            //   e8????????           |                     
            //   488d0d30500000       | dec                 eax
            //   ff15????????         |                     
            //   488d542420           | lea                 ecx, [0x5030]

    // A hit needs 7 of the 15 sequences and a file under 120832 bytes. The size cap
    // limits false positives but also excludes larger samples of the same family.
    // NOTE(review): if the score-200 and score-100 groups really correspond to
    // separate 32-bit and 64-bit builds, a sample matching only the 32-bit group must
    // hit all 7 of its sequences — confirm intended coverage against known samples.
    condition:
        7 of them and filesize < 120832
}
[TLP:WHITE] win_syscon_w0   (20170809 | No description)
import "pe"

rule win_syscon_w0 {
    // Hand-written string/import-hash rule for win.syscon. pe.imphash() in the
    // condition depends on the `import "pe"` declared above this rule.
    meta:
        author = "Florian Roth"
        reference = "https://goo.gl/JAHZVL"
        date = "2018-03-03"
        hash = "d31fe5cfa884e04ee26f323b8d104dcaa91146f5c7c216212fd3053afaade80f"
        hash = "fc2bcd38659ae83fd25b4f7091412ae9ba011612fa4dcc3ef665b2cae2a1d74f"
        hash = "2c5e5c86ca4fa172341c6bcbaa50984fb168d650ae9a33f2c6e6dccc1d57b369"
        hash = "439c305cd408dbb508e153caab29d17021a7430f1dbaec0c90ac750ba2136f5f"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.syscon"
        malpedia_version = "20170809"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // $x*: high-confidence artifacts; any single one is sufficient for a match.
        // Command line that terminates cliconfg.exe and then deletes a file.
        $x1 = "cmd /c taskkill /im cliconfg.exe /f /t && del /f /q" fullword ascii
        // Debug symbol (PDB) path left in the binary; project name "FTPCom".
        $x2 = "\\FTPCom_vs10\\Release\\Engine.pdb" ascii
        // Long fixed character table — presumably a custom encoding alphabet; verify against a sample.
        $x3 = "KXU/yP=B29tLzidqNRuf-SbVInw0oCrmWZk6OpFc7A5GTD1QxaJ3H8h4jMeEsYglv" fullword ascii
        // Build-time source directory.
        $x4 = "D:\\Task\\MiMul\\" ascii

        // $s*: weaker supporting strings (log tags, file names, format strings, a mutex name);
        // three of any strings are required when no $x string or import hash matches.
        $s1 = "[DLL_PROCESS_ATTACH]" fullword ascii
        // Redirects systeminfo output into a file named at runtime.
        $s2 = "cmd /c systeminfo >%s" fullword ascii
        $s3 = "post.txt" fullword ascii
        $s4 = "\\temp.ini" fullword ascii
        $s5 = "[GetFTPAccountInfo_10001712]" fullword ascii
        // Mutex name.
        $s6 = "ComSysAppMutex" fullword ascii
        // Output file name format with a timestamp.
        $s7 = "From %s (%02d-%02d %02d-%02d-%02d).txt" fullword ascii
        $s8 = "%s %s %c%s%c" fullword ascii
        $s9 = "TO EVERYONE" fullword ascii
    // Match on either of two known import hashes, on any one $x string, or on any three strings.
    condition:
        pe.imphash() == "e14b59a79999cc0bc589a4cb5994692a" or pe.imphash() == "64400f452e2f60305c341e08f217b02c" or 1 of ($x*) or 3 of them
}