SYSCON Backdoor Uses FTP as a Command & Control Server

A Critical Backdoor called “SYSCON” uses File Transfer Protocol ( FTP ) as a Command & Control Server unlike Traditional Command & Control Server that uses HTTPS or TCT/IP
Connections.

Using FTP Sever as a Command &  Control Server Provide several advantages for Researchers that leave the C&C traffic open for monitoring by others.

SYSCON Spreading Via Malicious Document with Macros targeted individuals may be connected to the Red Cross and the World Health Organization Especially Document mentions North Korea.

Researchers Detected The Malicious files in these cabinet files under the following detection names: BAT_SYSCON.A, BKDR_SYSCON.A, and TROJ_SYSCON.A.)

Accoring to Trend Micro, Documents somehow tied to North Korea were also used. We cannot eliminate the possibility that both Sanny and this new malware family were the work of the same threat actor.

Also Read : Hackers Hidden Backdoor Inside of Malicious WordPress Security Plugin

How Does SYSCON Uses FTP as a Command & Control Server

Each Malicious Documents Contains 2 Long Strings along with Base64 encoding  that using a custom alphabet which has already used by Sanny malware family.

Both Sanny and SYSCON Attacks are Very Similar Activites Such as their structure is similar, same Attack using Technique for its C&C Sever .

Both Malicious Files Contains a Cabinet File which has been Extrated by Decoding the Both string that has 32-Bit and 64-Bit Version.

The appropriate version (based on OS version) is extracted using  the expand  command into the %Temp% folder, and uacme.exe (one of the files in the cabinet file) is executed

Cabinet File Contain 5 Files and one of the file called “uacme.exe” Determines the OS Version which helps to Directly Execute the “install.bat” and  or inject “dummy.dll” into talkhost Process.

Install.bat copies two files: ipnet.dll (the main file) and ipnet.ini (configuration file) into %Windows%\System32, configures new malicious COMSysApp service using the sc command line utility, adds the service parameters into the registry, starts the malicious service, and deletes all previously created files in the %Temp% directory.

It Helps to sets up the backdoor’s autostart routine, and deletes some traces of its previous activity, making detection more difficult.

Once This Malware Triggered in the Victims Computer ,it first get the computer Identifier and login into the FTP Server using the credentials in the configuration file, enters the  /htdocs/  directory,  and monitors existing .txt file names.

After  Backdoor created in Victims Machine communication between the victim’s computer and the bot master is done via uploaded files.

IT administrators should be aware that connections to external FTP servers can signify not just data extraction, but C&C activity as well. Trend Micro Said.

Indicators of Compromise

Files with the following SHA256 hashes are connected to this attack, and are detected as W2KM_SYSCON.A:

34e968c067f6a360cc41a48b268c32a68421567f0329d4f9f8e2850fb4e27c8c
63ca182abb276e28aec60b9ef1eab5afc10bfb5df43f10a11438d8c0f7550c5c
a07251485a34dd128d80860737b86edd3eb851f57797f2f8fb6891a3cb7a81b3
cff8d961f3287f9ca75b65303075343bdbe63bb171d8f5b010bbf4fa30450fc4
f4987d127320cb5bfb8f49fc26435e01312bdd35a4e5e60db13546046584bd4e

Files with the following SHA256 hashes are detected as BAT_SYSCON.A:

2c958cd3838fcae410785acb0acf5a542d281524b7820d719bb22ad7d9fcdc7c
e4226645bad95f20df55ef32193d72c9dafcf060c3360fd4e50b5c08a986a353
f01e440764b75b72cab8324ba754d89d50d819a1b2db82ca266f1c307541a2b0

Files with the following SHA256 hashes are detected as BKDR_SYSCON.A:

1f9afb142827773cefdb29f06ed90e0476c0185d4c8b337439b3be27e61ed982
65e4212507bb52e72e728559df5ad38a4d3673b28104be4b033e42b1c8a264e8
9b62a013b579f01e3c4c3caf3c9bc02eb338ce9859496e02016ba24b8908d59a
9be95f5954202d7b159c5db928851102f23eae88c087892663781cf8edc0753a
bec437d1979d16505ca8fc896fa8ce9794f655abd39145a82330343b59c142c5
cfb2161b5aebf0c674c845e2428e24373edd4c74a2fb15de527d6763a62dd74e

Files with the following SHA256 hashes are detected as TROJ_SYSCON.A:

25c08d5e77fada975f31a0e0807b7ea1064aae80f5de43790f6ada16159ae1c2
2d261eb478bafaabd7dc12752b1c0aadba491d045573fe2e24cdac5588e2c96b
2f6df307dbe54b8a62a35ea2941a7d033bfdfbb545a7872cb483aea77ec6a10b
3319a156c84e85a4447fa40b0f09aabb84092b5c3a152ad641ee5692741b9194
3fcda66e87eec4f90b50f360460fa46448249e6e177de7ff8f35848353acfaaa
65380ab72bb6aa6ffcd2ea781fe2fa4f863a1b4a61073da7da382210c163b0f9
7daec65f8fee86227d9f9c81ed00d07c46b44e37968bd2894dc74bf311c63651
b7c970f1f65850fa859549f2cf3c2284b80ec464496b34f09bc53c4456e10d1f
d495295466428a52263c8725070a9cf7c2446c6115bddc2de662949afd39f9a9