ThaiCERT    ETDA    MDES

Threat Group Cards: A Threat Actor Encyclopedia

Tool: Syscon

Names: Syscon, Sanny
Category: Malware
Type: Backdoor, Info stealer, Exfiltration
Description: (Trend Micro) Bots can use various methods to establish a line of communication between themselves and their command-and-control (C&C) server. Usually, these are done via HTTP or other TCP/IP connections. However, we recently encountered a botnet that uses a more unusual method: an FTP server that, in effect, acts as a C&C server.

Using an FTP server has some advantages. It is less common, and this fact may allow it to slip unnoticed by administrators and researchers. However, this also leaves the C&C traffic open for monitoring by others, including security researchers. In addition, thanks to a coding mistake by the attackers, this particular backdoor does not always run the right commands.
Information: <https://blog.trendmicro.com/trendlabs-security-intelligence/syscon-backdoor-uses-ftp-as-a-cc-channel/>
<https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/>
Malpedia: <https://malpedia.caad.fkie.fraunhofer.de/details/win.syscon>

Last change to this tool card: 13 May 2020


All groups using tool Syscon

APT groups

| Changed | Name | Country | Observed | |
|---|---|---|---|---|
| | Honeybee | [Unknown] | 2017 | |
| | Reaper, APT 37, Ricochet Chollima, ScarCruft | North Korea | 2012-Dec 2020 | X |

2 groups listed (2 APT, 0 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency
