SYSCON Backdoor Uses FTP as a C2 Channel

A botnet has been found that uses an unusual method for its bots to communicate to a Command and Control (C2) server. A machine infected with the “SYSCON” backdoor has been identified to use an FTP server for communication as well as a C2 server. The SYSCON backdoor is distributed by attackers via malicious documents with macros. The FTP server tactics can potentially allow malicious activity to be overlooked, however, this method will also leave C2 traffic open to being monitored.

Remediation

  • All employees should be educated on the risks of phishing, specifically, how to identify such attempts and whom to contact if a phishing attack is identified.
  • To prevent the backdoor being used, FTP traffic should be blocked if it is not necessary for business purposes.

Affected Platforms

Microsoft Windows – all versions

Indicators of Compromise

SHA256 hashes 

  • 34e968c067f6a360cc41a48b268c32a68421567f0329d4f9f8e2850fb4e27c8c
  • 63ca182abb276e28aec60b9ef1eab5afc10bfb5df43f10a11438d8c0f7550c5c
  • a07251485a34dd128d80860737b86edd3eb851f57797f2f8fb6891a3cb7a81b3
  • cff8d961f3287f9ca75b65303075343bdbe63bb171d8f5b010bbf4fa30450fc4
  • f4987d127320cb5bfb8f49fc26435e01312bdd35a4e5e60db13546046584bd4e
  • 2c958cd3838fcae410785acb0acf5a542d281524b7820d719bb22ad7d9fcdc7c
  • e4226645bad95f20df55ef32193d72c9dafcf060c3360fd4e50b5c08a986a353
  • f01e440764b75b72cab8324ba754d89d50d819a1b2db82ca266f1c307541a2b0
  • 1f9afb142827773cefdb29f06ed90e0476c0185d4c8b337439b3be27e61ed982
  • 65e4212507bb52e72e728559df5ad38a4d3673b28104be4b033e42b1c8a264e8
  • 9b62a013b579f01e3c4c3caf3c9bc02eb338ce9859496e02016ba24b8908d59a
  • 9be95f5954202d7b159c5db928851102f23eae88c087892663781cf8edc0753a
  • bec437d1979d16505ca8fc896fa8ce9794f655abd39145a82330343b59c142c5
  • cfb2161b5aebf0c674c845e2428e24373edd4c74a2fb15de527d6763a62dd74e
  • 25c08d5e77fada975f31a0e0807b7ea1064aae80f5de43790f6ada16159ae1c2
  • 2d261eb478bafaabd7dc12752b1c0aadba491d045573fe2e24cdac5588e2c96b
  • 2f6df307dbe54b8a62a35ea2941a7d033bfdfbb545a7872cb483aea77ec6a10b
  • 3319a156c84e85a4447fa40b0f09aabb84092b5c3a152ad641ee5692741b9194
  • 3fcda66e87eec4f90b50f360460fa46448249e6e177de7ff8f35848353acfaaa
  • 65380ab72bb6aa6ffcd2ea781fe2fa4f863a1b4a61073da7da382210c163b0f9
  • 7daec65f8fee86227d9f9c81ed00d07c46b44e37968bd2894dc74bf311c63651
  • b7c970f1f65850fa859549f2cf3c2284b80ec464496b34f09bc53c4456e10d1f
  • d495295466428a52263c8725070a9cf7c2446c6115bddc2de662949afd39f9a9





Duncan Newell

Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: