Using FTP Sever as a Command & Control Server Provide several advantages for Researchers that leave the C&C traffic open for monitoring by others.
SYSCON Spreading Via Malicious Document with Macros targeted individuals may be connected to the Red Cross and the World Health Organization Especially Document mentions North Korea.
Researchers Detected The Malicious files in these cabinet files under the following detection names: BAT_SYSCON.A, BKDR_SYSCON.A, and TROJ_SYSCON.A.)
How Does SYSCON Uses FTP as a Command & Control Server
Each Malicious Documents Contains 2 Long Strings along with Base64 encoding that using a custom alphabet which has already used by Sanny malware family.
Both Sanny and SYSCON Attacks are Very Similar Activites Such as their structure is similar, same Attack using Technique for its C&C Sever .
Both Malicious Files Contains a Cabinet File which has been Extrated by Decoding the Both string that has 32-Bit and 64-Bit Version.
The appropriate version (based on OS version) is extracted using the expand command into the %Temp% folder, and uacme.exe (one of the files in the cabinet file) is executed
Cabinet File Contain 5 Files and one of the file called “uacme.exe” Determines the OS Version which helps to Directly Execute the “install.bat” and or inject “dummy.dll” into talkhost Process.
Install.bat copies two files: ipnet.dll (the main file) and ipnet.ini (configuration file) into %Windows%System32, configures new malicious COMSysApp service using the sc command line utility, adds the service parameters into the registry, starts the malicious service, and deletes all previously created files in the %Temp% directory.
It Helps to sets up the backdoor’s autostart routine, and deletes some traces of its previous activity, making detection more difficult.
Once This Malware Triggered in the Victims Computer ,it first get the computer Identifier and login into the FTP Server using the credentials in the configuration file, enters the /htdocs/ directory, and monitors existing .txt file names.
After Backdoor created in Victims Machine communication between the victim’s computer and the bot master is done via uploaded files.
IT administrators should be aware that connections to external FTP servers can signify not just data extraction, but C&C activity as well. Trend Micro Said.
Indicators of Compromise
Files with the following SHA256 hashes are connected to this attack, and are detected as W2KM_SYSCON.A:
Files with the following SHA256 hashes are detected as BAT_SYSCON.A:
Files with the following SHA256 hashes are detected as BKDR_SYSCON.A:
Files with the following SHA256 hashes are detected as TROJ_SYSCON.A: