A critical backdoor called "SYSCON" uses the File Transfer Protocol (FTP) as its Command & Control (C&C) server, unlike traditional C&C servers that use HTTPS or TCP/IP connections.
Using an FTP server as a C&C server offers several advantages for researchers, since it leaves the C&C traffic open for monitoring by others.
SYSCON spreads via malicious documents with macros, targeting individuals who may be connected to the Red Cross and the World Health Organization; notably, the documents mention North Korea.
Researchers detected the malicious files inside these cabinet files under the following detection names: BAT_SYSCON.A, BKDR_SYSCON.A, and TROJ_SYSCON.A.
According to Trend Micro, documents somehow tied to North Korea were also used. "We cannot eliminate the possibility that both Sanny and this new malware family were the work of the same threat actor."
How Does SYSCON Use FTP as a Command & Control Server
Each malicious document contains two long strings encoded in Base64 with a custom alphabet, one that had already been used by the Sanny malware family.
The Sanny and SYSCON attacks are very similar: their structure is alike, and both use the same technique for their C&C server.
Decoding the two strings yields a cabinet file; one string holds the 32-bit version and the other the 64-bit version.
The appropriate version (chosen by OS version) is extracted into the %Temp% folder using the expand command, and uacme.exe (one of the files in the cabinet) is executed.
The cabinet file contains five files. One of them, "uacme.exe", determines the OS version and accordingly either executes "install.bat" directly or injects "dummy.dll" into the taskhost process.
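The decoding step described above, as an added analyst-side example that is not code from the article or from Trend Micro: it maps a custom-alphabet Base64 string back onto the standard alphabet, decodes it, and checks whether the result carries a valid Microsoft cabinet (MSCF) header before anything is written to disk. The custom alphabet and the sample strings are constructed stand-ins; the real SYSCON/Sanny alphabet is not given on this page.

```python
import base64
import struct

STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
# Hypothetical custom alphabet (a rotation of the standard one); the real
# SYSCON/Sanny alphabet is not published in the article, so this is a stand-in.
CUSTOM_ALPHABET = STD_ALPHABET[13:] + STD_ALPHABET[:13]
CAB_MAGIC = b"MSCF"


def decode_custom_b64(blob: str, alphabet: str = CUSTOM_ALPHABET) -> bytes:
    """Translate a custom-alphabet Base64 string to the standard alphabet and decode it."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain 64 distinct characters")
    cleaned = "".join(blob.split()).rstrip("=")      # drop whitespace from document text
    cleaned = cleaned.translate(str.maketrans(alphabet, STD_ALPHABET))
    cleaned += "=" * (-len(cleaned) % 4)             # restore padding
    return base64.b64decode(cleaned, validate=True)  # raises on characters outside the alphabet


def encode_custom_b64(data: bytes, alphabet: str = CUSTOM_ALPHABET) -> str:
    """Inverse of decode_custom_b64; used here only to build constructed samples."""
    std = base64.b64encode(data).decode("ascii").rstrip("=")
    return std.translate(str.maketrans(STD_ALPHABET, alphabet))


def looks_like_cabinet(data: bytes) -> bool:
    """CFHEADER check: 'MSCF' at offset 0 and cbCabinet (LE DWORD at offset 8) equal to the blob size."""
    if len(data) < 36 or data[:4] != CAB_MAGIC:
        return False
    return struct.unpack_from("<I", data, 8)[0] == len(data)


def constructed_cab_stub(arch: str) -> bytes:
    """Minimal 36-byte CFHEADER plus a tagged body; constructed, not a real archive."""
    body = f"constructed-{arch}-stub".encode()
    header = (CAB_MAGIC + b"\0" * 4 + struct.pack("<I", 36 + len(body)) + b"\0" * 4
              + struct.pack("<I", 36) + b"\0" * 4 + bytes([3, 1])   # coffFiles, version 1.3
              + struct.pack("<HHHHH", 1, 1, 0, 0, 0))                # cFolders, cFiles, flags, setID, iCabinet
    return header + body


# Constructed stand-ins for the two long strings found in each document.
SAMPLE_STRINGS = {arch: encode_custom_b64(constructed_cab_stub(arch)) for arch in ("x86", "x64")}


def extract_cabinets(strings: dict) -> dict:
    """Decode every embedded string and keep only those that validate as cabinet files."""
    return {arch: data for arch, s in strings.items()
            if looks_like_cabinet(data := decode_custom_b64(s))}
```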