1. Home
  2. Software
  3. SYSCON

SYSCON

SYSCON is a backdoor that has been in use since at least 2017 and has been associated with campaigns involving North Korean themes. SYSCON has been delivered by the CARROTBALL and CARROTBAT droppers.[1][2]

ID: S0464
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 02 June 2020
Last Modified: 21 October 2022
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1059 .003 命令与脚本解释器: Windows Command Shell

SYSCON has the ability to execute commands through cmd on a compromised host.[2]
Enterprise T1071 .002 应用层协议: File Transfer Protocols

SYSCON has the ability to use FTP in C2 communications.[1][2]
Enterprise T1204 .002 用户执行: Malicious File

SYSCON has been executed by luring victims to open malicious e-mail attachments.[1]
Enterprise T1082 系统信息发现

SYSCON has the ability to use Systeminfo to identify system information.[2]
Enterprise T1057 进程发现

SYSCON has the ability to use Tasklist to list running processes.[2]

Campaigns

ID Name Description
C0006 Operation Honeybee

Operation Honeybee included the use of an upgraded version of SYSCON.[3]

References

  1. Grunzweig, J. and Wilhoit, K. (2018, November 29). The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia. Retrieved June 2, 2020.
  2. McCabe, A. (2020, January 23). The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks. Retrieved June 2, 2020.
  1. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.