The SYSCON backdoor has been in use since at least 2017 and has been associated with campaigns involving North Korean threat groups. SYSCON has been delivered by the CARROTBALL and CARROTBAT droppers and affects the Windows operating system.
SYSCON has the ability to execute commands through cmd on a compromised host, use Systeminfo to identify system information, use FTP in C2 communications, and use Tasklist to list running processes. SYSCON has been executed by luring victims to open malicious e-mail attachments.
SYSCON Malware Capabilities
- The SYSCON malware may abuse the Windows command shell for execution. Because the command shell can also be reached remotely through services such as SSH, this gives the adversary control over almost any aspect of the system. SYSCON may also use information discovery (for example, system and process enumeration) to shape its follow-on behaviors. Finally, SYSCON may communicate over application-layer protocols associated with transferring files, which allows its command-and-control traffic to blend in with normal network activity.
Ways to Mitigate SYSCON Malware Attacks
- SYSCON malware attacks can be mitigated by restricting use of the Windows command shell where it is not needed, capturing scripts written to the file system, and analyzing network data for unusual data flows (for example, FTP traffic from hosts that do not normally use it). These measures help identify suspicious activity early and limit further damage.
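The detection side of the mitigations above, as an added example that is not part of the original page: a small Python rule set run over constructed process-creation and network-flow records, flagging the three behaviours the page attributes to SYSCON (cmd.exe launched from an Office document opened as an e-mail attachment, Systeminfo/Tasklist discovery, and FTP use). The record layout, the Office parent-process list and the assumption that FTP is driven through ftp.exe are mine, not the page's; the page states only that SYSCON uses cmd, Systeminfo, Tasklist and FTP.

```python
"""Rule-based detection of SYSCON-like behaviour over constructed telemetry (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Simplified process-creation record (assumed layout, Sysmon-like)."""
    parent_image: str
    image: str
    command_line: str


@dataclass(frozen=True)
class FlowRecord:
    """Simplified outbound network-flow record (assumed layout)."""
    image: str
    dest_port: int
    bytes_out: int


@dataclass(frozen=True)
class Alert:
    rule: str
    detail: str


# Assumed list of document-handling parents that should rarely spawn a shell.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Discovery utilities named on the page, matched either as the image or inside a cmd line.
DISCOVERY_RE = re.compile(r"\b(systeminfo|tasklist)(\.exe)?\b", re.IGNORECASE)
DISCOVERY_IMAGES = {"systeminfo.exe", "tasklist.exe"}
FTP_PORTS = {20, 21}

# Constructed sample telemetry; not real SYSCON artifacts.
SAMPLE_PROCESS_EVENTS = [
    ProcessEvent(r"C:\Program Files\Microsoft Office\WINWORD.EXE",
                 r"C:\Windows\System32\cmd.exe", r"cmd.exe /c systeminfo > %TEMP%\si.txt"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\tasklist.exe", "tasklist"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\ftp.exe", r"ftp -s:%TEMP%\cmd.txt"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
]
SAMPLE_FLOWS = [
    FlowRecord(r"C:\Windows\System32\ftp.exe", 21, 2048),
    FlowRecord(r"C:\Program Files\Mozilla Firefox\firefox.exe", 443, 512000),
]


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_process_events(events):
    """Apply the three process-level rules; one Alert per rule hit, in event order."""
    alerts = []
    for ev in events:
        image, parent = basename(ev.image), basename(ev.parent_image)
        # Rule 1: shell spawned by a document handler (attachment lure -> cmd).
        if image == "cmd.exe" and parent in OFFICE_PARENTS:
            alerts.append(Alert("office_spawns_cmd", f"{parent} -> {image}: {ev.command_line}"))
        # Rule 2: host/process discovery, as a direct image or embedded in a cmd line.
        if image in DISCOVERY_IMAGES or DISCOVERY_RE.search(ev.command_line):
            alerts.append(Alert("discovery_command", ev.command_line))
        # Rule 3: built-in FTP client execution (assumed transport for SYSCON's FTP C2).
        if image == "ftp.exe":
            alerts.append(Alert("ftp_client_execution", ev.command_line))
    return alerts


def detect_flows(flows):
    """Flag outbound flows on FTP ports or originating from the FTP client."""
    alerts = []
    for fl in flows:
        if fl.dest_port in FTP_PORTS or basename(fl.image) == "ftp.exe":
            alerts.append(Alert("ftp_outbound",
                                f"{basename(fl.image)} -> tcp/{fl.dest_port}, {fl.bytes_out} bytes out"))
    return alerts


if __name__ == "__main__":
    for alert in detect_process_events(SAMPLE_PROCESS_EVENTS) + detect_flows(SAMPLE_FLOWS):
        print(f"[{alert.rule}] {alert.detail}")
```

Run stand-alone it prints four process alerts and one flow alert; the explorer.exe-spawned `cmd.exe /c dir` and the browser's HTTPS flow produce nothing, which is the point of keying the shell rule on the parent process rather than on cmd.exe alone.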