S0464 SYSCON
SYSCON is a backdoor that has been in use since at least 2017 and has been associated with campaigns involving North Korean themes. SYSCON has been delivered by the CARROTBALL and CARROTBAT droppers.[1][2]
| Item | Value |
|---|---|
| ID | S0464 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 02 June 2020 |
| Last Modified | 21 October 2022 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.002 | File Transfer Protocols | SYSCON has the ability to use FTP in C2 communications.[1][2] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | SYSCON has the ability to execute commands through cmd on a compromised host.[2] |
| enterprise | T1057 | Process Discovery | SYSCON has the ability to use Tasklist to list running processes.[2] |
| enterprise | T1082 | System Information Discovery | SYSCON has the ability to use Systeminfo to identify system information.[2] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | SYSCON has been executed by luring victims to open malicious e-mail attachments.[1] |
References
[1] Grunzweig, J. and Wilhoit, K. (2018, November 29). The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia. Retrieved June 2, 2020.
[2] McCabe, A. (2020, January 23). The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks. Retrieved June 2, 2020.
[3] Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.