ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Report
Search
Home > List all groups > List all tools > List all groups using tool Syscon

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link Tool: Syscon

NamesSyscon
SYSCON
Sanny
CategoryMalware
TypeBackdoor, Info stealer, Exfiltration
Description(Trend Micro) Bots can use various methods to establish a line of communication between themselves and their command-and-control (C&C) server. Usually, these are done via HTTP or other TCP/IP connections. However, we recently encountered a botnet that uses a more unusual method: an FTP server that, in effect, acts as a C&C server.

Using an FTP server has some advantages. It is less common, and this fact may allow it to slip unnoticed by administrators and researchers. However, this also leaves the C&C traffic open for monitoring by others, including security researchers. In addition, thanks to a coding mistake by the attackers, this particular backdoor does not always run the right commands.
Information<https://blog.trendmicro.com/trendlabs-security-intelligence/syscon-backdoor-uses-ftp-as-a-cc-channel/>
<https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/>
MITRE ATT&CK<https://attack.mitre.org/software/S0464/>
Malpedia<https://malpedia.caad.fkie.fraunhofer.de/details/win.syscon>

Last change to this tool card: 30 December 2022

Download this tool card in JSON format

All groups using tool Syscon

ChangedNameCountryObserved

APT groups

 Honeybee[Unknown]2017 
XReaper, APT 37, Ricochet Chollima, ScarCruftNorth Korea2012-Sep 2024 HOTX

2 groups listed (2 APT, 0 other, 0 unknown)

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]