
Syscon


SYSCON is a Remote Access Trojan used in a targeted campaign against US government agencies. It has recently been observed in conjunction with the CARROTBAT and CARROTBALL downloaders, and it uses the File Transfer Protocol (FTP) as its Command and Control channel. Use of the family is attributed by Unit 42 to the Konni Group.

References
2020-01-23 | Palo Alto Networks Unit 42 | Adrian McCabe, Unit42
@online{mccabe:20200123:fractured:399ff15, author = {Adrian McCabe and Unit42}, title = {{The Fractured Statue Campaign: U.S. Government Targeted in Spear-Phishing Attacks}}, date = {2020-01-23}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/}, language = {English}, urldate = {2020-01-26} } The Fractured Statue Campaign: U.S. Government Targeted in Spear-Phishing Attacks
CARROTBALL CarrotBat Syscon
2018-03-02 | McAfee | Ryan Sherstobitoff, Jessica Saavedra-Morales, Thomas Roccia, Asheer Malhotra
@online{sherstobitoff:20180302:mcafee:979740e, author = {Ryan Sherstobitoff and Jessica Saavedra-Morales and Thomas Roccia and Asheer Malhotra}, title = {{McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups}}, date = {2018-03-02}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/}, language = {English}, urldate = {2019-07-09} } McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups
Syscon
2017-10-05 | Trend Micro | Jaromír Hořejší
@online{hoej:20171005:syscon:48eb01a, author = {Jaromír Hořejší}, title = {{SYSCON Backdoor Uses FTP as a C&C Channel}}, date = {2017-10-05}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/syscon-backdoor-uses-ftp-as-a-cc-channel/}, language = {English}, urldate = {2019-10-14} } SYSCON Backdoor Uses FTP as a C&C Channel
Syscon
Yara Rules
[TLP:WHITE] win_syscon_auto (20230715 | Detects win.syscon.)
rule win_syscon_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.syscon."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.syscon"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review)
     * Only the hex byte patterns are matched; the "//" annotations are
     * documentation and carry no matching semantics. "??" wildcards stand for
     * sample-specific immediates / displacements (call targets, data
     * addresses), so the patterns key on opcode structure rather than on
     * absolute addresses.
     * $sequence_0..7 (score 200) decode as 32-bit x86 code; $sequence_8..15
     * (score 100) carry REX prefixes (0x44, 0x48, 0x4c, 0x4d) and are x86-64
     * code. The generator's annotations for the 64-bit sequences were
     * misaligned 32-bit decodings; they have been replaced below with
     * x86-64 decodings of the same bytes. Branch targets follow the original
     * convention of being given relative to the start of the branch
     * instruction itself.
     */

    strings:
        $sequence_0 = { 68???????? ffd6 eb0c 53 }
            // n = 4, score = 200
            //   68????????           | push                imm32
            //   ffd6                 | call                esi
            //   eb0c                 | jmp                 0xe
            //   53                   | push                ebx

        $sequence_1 = { 8bd6 2bd7 42 52 }
            // n = 4, score = 200
            //   8bd6                 | mov                 edx, esi
            //   2bd7                 | sub                 edx, edi
            //   42                   | inc                 edx
            //   52                   | push                edx

        $sequence_2 = { 8b3d???????? 68???????? ffd7 6800010000 6a00 68???????? c744242000000000 }
            // n = 7, score = 200
            //   8b3d????????         | mov                 edi, dword ptr [imm32]
            //   68????????           | push                imm32
            //   ffd7                 | call                edi
            //   6800010000           | push                0x100
            //   6a00                 | push                0
            //   68????????           | push                imm32
            //   c744242000000000     | mov                 dword ptr [esp + 0x20], 0

        $sequence_3 = { 2bc3 40 50 53 68???????? ffd6 }
            // n = 6, score = 200
            //   2bc3                 | sub                 eax, ebx
            //   40                   | inc                 eax
            //   50                   | push                eax
            //   53                   | push                ebx
            //   68????????           | push                imm32
            //   ffd6                 | call                esi

        $sequence_4 = { a3???????? a1???????? 68???????? 50 c705????????10000000 ff15???????? }
            // n = 6, score = 200
            //   a3????????           | mov                 dword ptr [imm32], eax
            //   a1????????           | mov                 eax, dword ptr [imm32]
            //   68????????           | push                imm32
            //   50                   | push                eax
            //   c705????????10000000     | mov             dword ptr [imm32], 0x10
            //   ff15????????         | call                dword ptr [imm32]

        $sequence_5 = { 51 2ac2 52 8845ff }
            // n = 4, score = 200
            //   51                   | push                ecx
            //   2ac2                 | sub                 al, dl
            //   52                   | push                edx
            //   8845ff               | mov                 byte ptr [ebp - 1], al

        $sequence_6 = { c705????????01000000 c705????????04000000 891d???????? 891d???????? c705????????10000000 }
            // n = 5, score = 200
            //   c705????????01000000     | mov             dword ptr [imm32], 1
            //   c705????????04000000     | mov             dword ptr [imm32], 4
            //   891d????????         | mov                 dword ptr [imm32], ebx
            //   891d????????         | mov                 dword ptr [imm32], ebx
            //   c705????????10000000     | mov             dword ptr [imm32], 0x10

        $sequence_7 = { 56 8b35???????? 68???????? ffd6 33db 53 }
            // n = 6, score = 200
            //   56                   | push                esi
            //   8b35????????         | mov                 esi, dword ptr [imm32]
            //   68????????           | push                imm32
            //   ffd6                 | call                esi
            //   33db                 | xor                 ebx, ebx
            //   53                   | push                ebx

        $sequence_8 = { 448bc0 e8???????? 488d4c2420 ff15???????? 33db }
            // n = 5, score = 100 (x86-64)
            //   448bc0               | mov                 r8d, eax
            //   e8????????           | call                rel32
            //   488d4c2420           | lea                 rcx, [rsp + 0x20]
            //   ff15????????         | call                qword ptr [rip + disp32]
            //   33db                 | xor                 ebx, ebx

        $sequence_9 = { 488d4c2420 ff15???????? 488bf8 4885c0 0f84dbf3ffff }
            // n = 5, score = 100 (x86-64)
            //   488d4c2420           | lea                 rcx, [rsp + 0x20]
            //   ff15????????         | call                qword ptr [rip + disp32]
            //   488bf8               | mov                 rdi, rax
            //   4885c0               | test                rax, rax
            //   0f84dbf3ffff         | je                  rel32 (-0xc25, backward)

        $sequence_10 = { 488d0d3a520000 ff15???????? 488d542420 488d0d28520000 448bc0 e8???????? }
            // n = 6, score = 100 (x86-64)
            //   488d0d3a520000       | lea                 rcx, [rip + 0x523a]
            //   ff15????????         | call                qword ptr [rip + disp32]
            //   488d542420           | lea                 rdx, [rsp + 0x20]
            //   488d0d28520000       | lea                 rcx, [rip + 0x5228]
            //   448bc0               | mov                 r8d, eax
            //   e8????????           | call                rel32

        $sequence_11 = { e9???????? 33d2 488bc8 ff15???????? 488bcb 8bf8 ff15???????? }
            // n = 7, score = 100 (x86-64)
            //   e9????????           | jmp                 rel32
            //   33d2                 | xor                 edx, edx
            //   488bc8               | mov                 rcx, rax
            //   ff15????????         | call                qword ptr [rip + disp32]
            //   488bcb               | mov                 rcx, rbx
            //   8bf8                 | mov                 edi, eax
            //   ff15????????         | call                qword ptr [rip + disp32]

        $sequence_12 = { 488d0d8c510000 448bc0 e8???????? 488d542420 488bcf ff15???????? 488905???????? }
            // n = 7, score = 100 (x86-64)
            //   488d0d8c510000       | lea                 rcx, [rip + 0x518c]
            //   448bc0               | mov                 r8d, eax
            //   e8????????           | call                rel32
            //   488d542420           | lea                 rdx, [rsp + 0x20]
            //   488bcf               | mov                 rcx, rdi
            //   ff15????????         | call                qword ptr [rip + disp32]
            //   488905????????       | mov                 qword ptr [rip + disp32], rax

        $sequence_13 = { e8???????? 48393d???????? 7427 33d2 8bcb e8???????? eb1c }
            // n = 7, score = 100 (x86-64)
            //   e8????????           | call                rel32
            //   48393d????????       | cmp                 qword ptr [rip + disp32], rdi
            //   7427                 | je                  0x29
            //   33d2                 | xor                 edx, edx
            //   8bcb                 | mov                 ecx, ebx
            //   e8????????           | call                rel32
            //   eb1c                 | jmp                 0x1e

        $sequence_14 = { 48895c2428 895c2420 ff15???????? 4c8be0 }
            // n = 4, score = 100 (x86-64)
            //   48895c2428           | mov                 qword ptr [rsp + 0x28], rbx
            //   895c2420             | mov                 dword ptr [rsp + 0x20], ebx
            //   ff15????????         | call                qword ptr [rip + disp32]
            //   4c8be0               | mov                 r12, rax

        $sequence_15 = { 488d8d90050000 4d8bc6 33d2 e8???????? 0fb74c2448 0fb7542446 }
            // n = 6, score = 100 (x86-64)
            //   488d8d90050000       | lea                 rcx, [rbp + 0x590]
            //   4d8bc6               | mov                 r8, r14
            //   33d2                 | xor                 edx, edx
            //   e8????????           | call                rel32
            //   0fb74c2448           | movzx               ecx, word ptr [rsp + 0x48]
            //   0fb7542446           | movzx               edx, word ptr [rsp + 0x46]

    condition:
        // 7 of the 16 sequences must be present. Because the 32-bit and the
        // 64-bit sequences form two sets of 8, a file of either architecture
        // can satisfy the threshold on its own set. The size cap is a
        // generator-chosen bound derived from the documented samples
        // (see disclaimer); larger or padded builds fall outside the rule.
        7 of them and filesize < 120832
}
[TLP:WHITE] win_syscon_w0   (20170809 | No description)
import "pe"

rule win_syscon_w0 {
    // Hand-written string/imphash rule for SYSCON. Relies on the "pe" module
    // (imported at the top of this listing) for pe.imphash() in the condition.
    meta:
        author = "Florian Roth"
        reference = "https://goo.gl/JAHZVL"
        date = "2018-03-03"
        // Sample SHA-256 hashes the rule was written against.
        hash = "d31fe5cfa884e04ee26f323b8d104dcaa91146f5c7c216212fd3053afaade80f"
        hash = "fc2bcd38659ae83fd25b4f7091412ae9ba011612fa4dcc3ef665b2cae2a1d74f"
        hash = "2c5e5c86ca4fa172341c6bcbaa50984fb168d650ae9a33f2c6e6dccc1d57b369"
        hash = "439c305cd408dbb508e153caab29d17021a7430f1dbaec0c90ac750ba2136f5f"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.syscon"
        malpedia_version = "20170809"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // $x*: high-confidence strings; any single one is sufficient to match.
        // Command line that terminates a process by image name and then deletes a file.
        $x1 = "cmd /c taskkill /im cliconfg.exe /f /t && del /f /q" fullword ascii
        // Debug symbol (PDB) path left in the binary; project name "FTPCom" fits the FTP-based C2 described above.
        $x2 = "\\FTPCom_vs10\\Release\\Engine.pdb" ascii
        // 64-character string; looks like a custom (shuffled) Base64-style alphabet — NOTE(review): presumed, not verified here.
        $x3 = "KXU/yP=B29tLzidqNRuf-SbVInw0oCrmWZk6OpFc7A5GTD1QxaJ3H8h4jMeEsYglv" fullword ascii
        // Developer build path.
        $x4 = "D:\\Task\\MiMul\\" ascii

        // $s*: supporting strings; weaker individually, see condition threshold.
        $s1 = "[DLL_PROCESS_ATTACH]" fullword ascii
        // Host reconnaissance command whose output is redirected to a file (%s).
        $s2 = "cmd /c systeminfo >%s" fullword ascii
        $s3 = "post.txt" fullword ascii
        $s4 = "\\temp.ini" fullword ascii
        // Log/trace tag naming an FTP-account lookup routine.
        $s5 = "[GetFTPAccountInfo_10001712]" fullword ascii
        // Mutex name; usable as a host-based indicator on its own.
        $s6 = "ComSysAppMutex" fullword ascii
        // Filename format with host identifier and timestamp fields.
        $s7 = "From %s (%02d-%02d %02d-%02d-%02d).txt" fullword ascii
        $s8 = "%s %s %c%s%c" fullword ascii
        $s9 = "TO EVERYONE" fullword ascii
    condition:
        // Match on either of two known import hashes, on any one $x string,
        // or on any three strings overall ("them" covers both $x* and $s*).
        // Import-hash matching only works on PE files; non-PE input falls
        // through to the string clauses.
        pe.imphash() == "e14b59a79999cc0bc589a4cb5994692a" or pe.imphash() == "64400f452e2f60305c341e08f217b02c" or 1 of ($x*) or 3 of them
}