{
	"id": "eff89677-edd5-4f2d-8b67-0c82083093d9",
	"created_at": "2026-04-06T00:09:34.122164Z",
	"updated_at": "2026-04-10T03:19:58.231898Z",
	"deleted_at": null,
	"sha1_hash": "5424ea31cd6d2204efb2ca3f2e3714a26c19ac9a",
	"title": "SYSCON Backdoor Uses FTP as a C\u0026C Channel",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 84777,
	"plain_text": "SYSCON Backdoor Uses FTP as a C\u0026C Channel\r\nBy Jaromir Horejsi\r\nPublished: 2017-10-05 · Archived: 2026-04-05 22:01:54 UTC\r\nBots can use various methods to establish a line of communication between themselves and their command-and-control (C\u0026C) server. Usually this is done over HTTP or another TCP/IP protocol. However, we recently encountered a botnet that uses a more unusual method: an FTP server that, in effect, acts as the C\u0026C server.\r\nUsing an FTP server has some advantages for the attacker. It is less common, which may allow the traffic to slip past administrators and researchers. However, it also leaves the C\u0026C traffic open to monitoring by others, including security researchers: the FTP credentials sit in the bot's configuration file, so anyone who decodes that file can read the same directory the operator does. In addition, thanks to a coding mistake by the attackers, this particular backdoor does not always run the right commands.\r\nInfection Chain\r\nThe infection chain starts with a malicious document with macros. Examples of the delivery documents are shown below. The documents suggest that the targeted individuals may be connected to the Red Cross and the World Health Organization; all of them mention North Korea as well. We detect these delivery documents as W2KM_SYSCON.A.\r\nFigures 1-3. Delivery documents with macros\r\nEach document contains two long strings, Base64-encoded with a custom alphabet. The same technique was used to deliver the Sanny malware family in late 2012.\r\nFigure 4. Base64 decoding function with the custom alphabet highlighted\r\nThe similarities with the earlier Sanny attack are interesting. Both attacks used relatively unusual techniques for their C\u0026C server, their structure is similar, and the encoding key is identical. 
Documents somehow tied to North Korea were also used. We cannot eliminate the possibility that both Sanny and this new malware family are the work of the same threat actor.\r\nDecoding each Base64 string yields a cabinet (.cab) file. One string contains a 32-bit version of the malware; the other contains a 64-bit version. The appropriate version (chosen by whether the OS is 32- or 64-bit) is extracted with the expand command into the %Temp% folder, and uacme.exe (one of the files in the cabinet) is executed. (We detect the malicious files in these cabinet files as BAT_SYSCON.A, BKDR_SYSCON.A, and TROJ_SYSCON.A.)\r\nFigure 5. Command to extract the cabinet archive and execute its contents\r\nFigure 6. Listing of all files in the cabinet archive\r\nUAC bypass and installation\r\nUacme.exe, as the name suggests, is responsible for getting past User Account Control. It determines the operating system version and, based on that, either directly executes install.bat (on older Windows versions) or injects dummy.dll into the taskhost(ex) process, which then executes install.bat without a UAC prompt appearing.\r\nFigure 7. uacme.exe and UAC bypass\r\nInstall.bat copies two files, ipnet.dll (the main payload) and ipnet.ini (its configuration file), into %Windows%\\System32, creates a malicious service named COMSysApp (the same name as the legitimate COM+ System Application service) using the sc command-line utility, adds the service parameters to the registry, starts the service, and deletes all the files it previously dropped in the %Temp% directory. This does two things: it sets up the backdoor's autostart routine, and it removes some traces of its earlier activity, making detection more difficult.\r\nFigure 8. Service installation\r\nThe important parameters in the service configuration are type= own, which according to the MSDN documentation (SERVICE_WIN32_OWN_PROCESS) gives the service its own svchost.exe process in which ipnet.dll runs, 
and start= auto (SERVICE_AUTO_START), which starts the service every time the computer is restarted.\r\nIpnet.ini is a text file encoded in the same way as the two cabinet files.\r\nhttp://blog.trendmicro.com/trendlabs-security-intelligence/syscon-backdoor-uses-ftp-as-a-cc-channel/\r\nPage 1 of 4\n\nFigure 9. Configuration file\r\nDecoding the configuration reveals a URL at the free FTP service provider byethost, as well as a set of login credentials.\r\nThe backdoor\r\nThe malware first gets the computer name, which it uses as the affected machine's identifier. It then logs into the FTP server using the credentials from the configuration file, enters the /htdocs/ directory, and monitors the names of the .txt files there. If a file name contains “To EVERYONE”, the file is to be processed by every bot. If it contains “to computer_name”, the file is to be processed (and afterwards deleted) only by the victim computer with the matching computer_name.\r\nAfter the backdoor processes a command, it lists all the currently running processes by calling “cmd /c tasklist \u003e%ws”. The output is then packed, encoded and uploaded to the FTP server under the name pattern “From %s (%02d-%02d %02d-%02d-%02d).txt”, i.e. the computer name followed by the date and time of the task execution.\r\nFigure 10. Construction of the name of the uploaded file\r\nThis shows that communication between the victim's computer and the bot master is done entirely through files uploaded to and downloaded from the FTP server. The files are zipped and then encoded with the same custom Base64 encoding used earlier, so they are not plaintext on the server, but the scheme is symmetric and anyone holding the alphabet and the credentials can decode them.\r\nCompression is done using the Shell Automation Service (Shell.Application), which is part of Windows itself; no external library is needed. The malware first creates a 22-byte empty .zip file by executing the instructions below. 
The content of the newly created .zip file, in hex, is 504b0506000000000000000000000000000000000000: the 4-byte end-of-central-directory signature (PK\\x05\\x06) followed by 18 zero bytes, which is simply an empty .zip archive with no entries.\r\nFigure 11. Instructions creating the empty .zip file\r\nFigure 12. Empty .zip file opened in Explorer\r\nThe malware then uses the Folder.CopyHere method to copy files into the empty .zip archive, so the files are compressed by the operating system. According to the MSDN documentation, the flags used while copying are:\r\n0x1000 (FOF_NORECURSION) = Only operate in the local directory. Do not operate recursively into subdirectories.\r\n0x0400 (FOF_NOERRORUI) = Do not display a user interface if an error occurs.\r\n0x0010 (FOF_NOCONFIRMATION) = Respond with “Yes to All” for any dialog box that is displayed.\r\n0x0004 (FOF_SILENT) = Do not display a progress dialog box.\r\nFigure 13. Flags used by the Folder.CopyHere method\r\nThese flags ensure that no dialog box appears and no error is shown to the victim; all of these operations stay hidden in the background. Because the compression is done by the Windows shell, the result is an ordinary .zip archive that any standard zip tool can open once the Base64 layer is removed. After compression is finished, the compressed files are encoded with the custom Base64 alphabet and uploaded to the FTP server. 
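The encoding and packaging steps described above (the custom-alphabet Base64 used for both the cabinet payloads and the .txt uploads, the 22-byte empty archive, CopyHere compression, and the From %s (...) upload name), as an added Python example that is not part of the original post. It substitutes Python's zipfile module for the Shell Automation Service, uses a constructed stand-in alphabet because the real one appears only in Figure 4, and assumes the five numbers in the file name are month, day, hour, minute and second. The same decode path recovers the cabinet files from the macro strings once the real alphabet is plugged in.

```python
import base64
import datetime
import io
import string
import zipfile

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + '+/'

# ASSUMPTION: the real SYSCON alphabet is only visible in Figure 4 of the
# post and is not reproduced here. This stand-in (the standard alphabet
# reversed) is a constructed placeholder; swap in the recovered 64 symbols
# and pad character and everything below works unchanged.
CUSTOM_ALPHABET = STD_ALPHABET[::-1]
CUSTOM_PAD = '='

# The 22-byte archive the malware writes before calling Folder.CopyHere:
# end-of-central-directory signature PK 05 06 followed by 18 zero bytes.
EMPTY_ZIP = bytes.fromhex('504b0506' + '00' * 18)


def check_alphabet(alphabet=CUSTOM_ALPHABET, pad=CUSTOM_PAD):
    '''A usable custom alphabet is 64 distinct symbols plus a pad symbol
    that is not one of them. Returns True when that holds.'''
    return len(alphabet) == 64 and len(set(alphabet)) == 64 and pad not in alphabet


def custom_b64decode(text, alphabet=CUSTOM_ALPHABET, pad=CUSTOM_PAD):
    '''Map the custom symbols onto the standard alphabet, then let the
    standard decoder do the work. Whitespace (line wrapping in a document
    or macro) is dropped first; validate=True rejects any symbol outside
    the alphabet instead of silently skipping it.'''
    table = str.maketrans(alphabet + pad, STD_ALPHABET + '=')
    return base64.b64decode(''.join(text.split()).translate(table), validate=True)


def custom_b64encode(data, alphabet=CUSTOM_ALPHABET, pad=CUSTOM_PAD):
    '''Inverse of custom_b64decode: standard Base64, then substitute symbols.'''
    table = str.maketrans(STD_ALPHABET + '=', alphabet + pad)
    return base64.b64encode(data).decode('ascii').translate(table)


def classify_blob(blob):
    '''Sort a decoded blob by magic: the macro payloads are cabinet files
    (MSCF), the bot uploads are zip archives (PK).'''
    if blob[:4] == b'MSCF':
        return 'cabinet'
    if blob[:2] == b'PK':
        return 'zip'
    return 'unknown'


def make_empty_zip():
    '''An empty archive written by Python is byte-for-byte the 22-byte
    end-of-central-directory record the malware emits by hand.'''
    buf = io.BytesIO()
    zipfile.ZipFile(buf, 'w').close()
    return buf.getvalue()


def pack_into_empty_zip(name, data):
    '''Stand-in for Folder.CopyHere: append one member to the empty archive.
    The Windows shell compresses with Deflate, as zipfile does here.'''
    buf = io.BytesIO(EMPTY_ZIP)
    with zipfile.ZipFile(buf, 'a', zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def upload_name(computer_name, month, day, hour, minute, second):
    '''The post gives the pattern From %s (%02d-%02d %02d-%02d-%02d).txt.
    ASSUMPTION: the five numbers are month, day, hour, minute, second.'''
    return 'From %s (%02d-%02d %02d-%02d-%02d).txt' % (
        computer_name, month, day, hour, minute, second)


def build_upload(computer_name, when, inner_name, data):
    '''Bot side: pack, encode, and name the result file for a datetime.'''
    name = upload_name(computer_name, when.month, when.day,
                       when.hour, when.minute, when.second)
    return name, custom_b64encode(pack_into_empty_zip(inner_name, data))


def recover_upload(encoded):
    '''Analyst side: reverse the two layers and return every archive member.'''
    blob = custom_b64decode(encoded)
    if classify_blob(blob) != 'zip':
        raise ValueError('decoded data is not a zip archive: ' + classify_blob(blob))
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {member: zf.read(member) for member in zf.namelist()}


if __name__ == '__main__':
    when = datetime.datetime(2017, 9, 28, 10, 6, 31)  # constructed timestamp
    name, encoded = build_upload('WS-ACCT-07', when, 'temp.ini', b'tasklist output here')
    print(name)
    print(recover_upload(encoded))
```

The decoder is the analyst's main tool here: once the alphabet from Figure 4 replaces the placeholder, the same custom_b64decode call turns the macro strings into cabinet files (classify_blob reports cabinet) and the uploaded .txt files into zip archives. Note that the real samples quoted later in the post contain the pad-looking symbol in mid-string, so the recovered alphabet must treat it as a normal symbol and use some other character as pad.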
For downloading files from the FTP server, the threat actor performs the reverse operations.\r\nC\u0026C communication protocol\r\nBots listen for and can process the following commands (Table 1):\r\ncmd /c pull /f \u003cfile_name\u003e\r\n    copy \u003cfile_name\u003e to temp.ini, pack it into temp.zip, encode and upload\r\ncmd /c pull \u003cfile_name\u003e\r\n    pack \u003cfile_name\u003e into temp.zip, encode and upload\r\ncmd /c chip \u003cstring\u003e\r\n    delete the config file and write \u003cstring\u003e to a new config file\r\ncmd /c put \u003cnew_file_name\u003e\r\n    write the file carried in #\u003ccontent\u003e# to the given path on the infected system\r\ncmd /c \u003ccommand\u003e \u003e \u003cfile\u003e\r\n    execute the command with its output redirected to \u003cfile\u003e; the file is zipped, encoded and uploaded\r\ncmd /c \u003ccommand\u003e\r\n    execute the command; nothing is reported back to the C\u0026C\r\n\u003cparameters\u003e\r\n    parameters for the previously downloaded \u003cfile\u003e, which is run as \u003cfile\u003e \u003cparameters\u003e through the WinExec API with the show flag SW_HIDE\r\n/user \u003cparameters\u003e\r\n    execute the previously downloaded \u003cfile\u003e as \u003cfile\u003e \u003cparameters\u003e through CreateProcessAsUser; nothing is reported back to the C\u0026C\r\n/user \u003cparameters\u003e /stext\r\n    execute the previously downloaded \u003cfile\u003e as \u003cfile\u003e \u003cparameters\u003e /stext “%APPDATA%\\Temp\\Temp.ini” through CreateProcessAsUser; the result is zipped, encoded and uploaded. /stext is the save-as-text switch of Nirsoft's utilities, which the attacker misuses here\r\n#\u003ccontent\u003e#\r\n    \u003cfile\u003e, obtained as unzip(base64decode(\u003ccontent\u003e)) with the custom alphabet, and kept for the commands above that run a previously downloaded file\r\nTable 1. C\u0026C commands\r\nFigure 14. 
Processing C\u0026C commands\r\nHere are some examples of commands that could be issued using this method. Note that the pad-looking character “=” appears in the middle of these strings: in this alphabet it is an ordinary symbol, not padding, which is one reason a stock Base64 decoder rejects them.\r\nExample 1\r\nCommand: (shown only in the original figure)\r\nEncoded as:\r\nIxXDK=NK2KKQK=zK2KXxKB-K0KXTKUKKIxKeKPxKINX8KBNK0xXpKBWKnNX6KUjKIWXZKBNK\r\nResult:\r\n-yT/XXNKKKKKKyD8J6G=UtS6=KKKKXWKKKKzKKKKIVSH0hSjnbz1IFPH-OSi2yR80b8M2=nA0=-WnFYJ2yM-SORi-yTXKZNKPKKKKKKKu4VtdTI2AbzIKKKK=KKKKKxKKKKKKKKKKNKWKKKKKKKKK=P8C=Ypr=S6LF9ZCPXLXNIKKKKKKNKXK/\r\nThis result contains the contents of the autoexec.bat file.\r\nExample 2\r\nCommand: (shown only in the original figure)\r\nEncoded as:\r\nIxXDK=NK2KKQK=zK2KX6K=NK2KKQK=NK2KX/K/7KVKKWKUIK9WKWK=NKwNXJKUKKLxXQKUHKnKKQKBzK2KK5KUjKtWKW\r\nResult:\r\n-yT/XXNKKKK2KyHRLOQ26PNrulo0KPtgJWK2KKKKC=SDoUMA0FczVC81jHAJQpYW4j=VU-LAYKl……..\r\nThis results in a file with a list of all files in C:\\, sorted from newest to oldest.\r\nExample 3\r\nCommand:\r\n#…encoded file…#LxX8KBzKnNXJKUKKLxXhK=-oWX3K=OK0xX1KUKKzNKHKUKKLxX3KBNKnNXjKBNKKKKv\r\nDecoded as: (shown only in the original figure)\r\nResult:\r\nIn this case the attacker sent an encoded copy of Nirsoft's mailpv.exe utility (Mail PassView, a password-recovery tool), which was then executed with the parameters above.\r\nMistakes in the malware code\r\nThe command processing loop contains what appears to be a typo. The malware handles C\u0026C commands as wide-character (UTF-16) strings. The second wsprintfA call in the snippet below uses the format specifier “%s” where it should use “%ws”. wsprintfA interprets a “%s” argument as an ANSI string, and in a UTF-16 string every ASCII character is followed by a zero byte, so the copy stops after the first character of lpExistingFileName. Only that single character reaches CommandLine, and the process fails to start because the file name is wrong.\r\nFigure 15. Code snippet with the typo\r\nConclusion\r\nIt is interesting to see something atypical, like C\u0026C communication via FTP. 
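The file-name routing rule and the command table above, together with the advice to administrators that follows, as an added analyst-side Python example that is not part of the original post. It walks a constructed FTP server log (the line layout date, time, client address, verb, path is an assumption; adapt the split to your server), labels each .txt transfer as a task or result file using the naming rules from the post, classifies decoded command strings against the rows of Table 1 without executing anything, and separates operator addresses from bot addresses.

```python
import re

# Constructed FTP server log excerpt, NOT taken from the post. The line
# layout (date time client_ip verb path) is an assumption. 203.0.113.5
# plays the operator and 198.51.100.23 an infected host.
SAMPLE_FTP_LOG = '''
2017-09-28 10:01:02 203.0.113.5 STOR /htdocs/To EVERYONE.txt
2017-09-28 10:02:15 203.0.113.5 STOR /htdocs/to WS-ACCT-07.txt
2017-09-28 10:05:44 198.51.100.23 RETR /htdocs/to WS-ACCT-07.txt
2017-09-28 10:05:50 198.51.100.23 DELE /htdocs/to WS-ACCT-07.txt
2017-09-28 10:06:31 198.51.100.23 STOR /htdocs/From WS-ACCT-07 (09-28 10-06-31).txt
2017-09-28 10:07:00 203.0.113.5 RETR /htdocs/From WS-ACCT-07 (09-28 10-06-31).txt
2017-09-28 10:07:30 203.0.113.5 STOR /htdocs/index.html
'''

# Result files follow From %s (%02d-%02d %02d-%02d-%02d).txt from the post.
RESULT_NAME = re.compile(
    r'^From (.+) [(]([0-9]{2})-([0-9]{2}) ([0-9]{2})-([0-9]{2})-([0-9]{2})[)][.]txt$')


def task_target(filename, known_hosts):
    '''Routing rule from the post: a .txt whose name contains To EVERYONE is
    for every bot; one containing to <computer_name> is for that bot only.
    A bot would call this with its own name as the only known host; an
    analyst passes every hostname seen so far. Returns everyone, the host
    name, or None. Case-insensitive matching is an assumption.'''
    lowered = filename.lower()
    if 'to everyone' in lowered:
        return 'everyone'
    for host in known_hosts:
        if ('to ' + host.lower()) in lowered:
            return host
    return None


def classify_command(cmd):
    '''Map one decoded command string onto the rows of Table 1. Returns a
    tuple whose first element names the bot action. Nothing is executed.'''
    c = cmd.strip()
    if c.lower().startswith('cmd /c '):
        rest = c[7:].strip()
        verb, _, tail = rest.partition(' ')
        verb, tail = verb.lower(), tail.strip()
        if verb == 'pull':
            if tail.startswith('/f '):
                return ('copy_to_temp_ini_zip_upload', tail[3:].strip())
            return ('zip_upload', tail)
        if verb == 'chip':
            return ('rewrite_config', tail)
        if verb == 'put':
            return ('write_payload_to', tail)
        if '>' in rest:
            command, _, outfile = rest.rpartition('>')
            return ('exec_redirect_zip_upload', command.strip(), outfile.strip())
        return ('exec_silent', rest)
    if c.lower().startswith('/user '):
        params = c[6:].strip()
        if params.lower().endswith('/stext'):
            return ('run_payload_as_user_stext_upload', params[:-6].strip())
        return ('run_payload_as_user_silent', params)
    return ('run_payload_winexec_hidden', c)


def reconstruct(log_text, known_hosts=()):
    '''Label every .txt transfer in the log as a task file (with its target)
    or a result file (with the bot that produced it). Hostnames are learned
    from result file names, so known_hosts is optional.'''
    lines = [line.split(' ', 4) for line in log_text.strip().splitlines()]
    hosts = set(known_hosts)
    for _, _, _, _, path in lines:
        m = RESULT_NAME.match(path.rsplit('/', 1)[-1])
        if m:
            hosts.add(m.group(1))
    events = []
    for date, clock, ip, verb, path in lines:
        name = path.rsplit('/', 1)[-1]
        if not name.lower().endswith('.txt'):
            continue
        m = RESULT_NAME.match(name)
        if m:
            events.append((date + ' ' + clock, ip, verb, 'result', m.group(1)))
            continue
        target = task_target(name, hosts)
        if target:
            events.append((date + ' ' + clock, ip, verb, 'task', target))
    return events


def roles(events):
    '''Addresses that STOR task files are the operator side; addresses that
    RETR task files or STOR result files are infected hosts. Both belong on
    a block list, and the result uploaders need incident response.'''
    operator = {ip for _, ip, verb, kind, _ in events if verb == 'STOR' and kind == 'task'}
    bots = {ip for _, ip, verb, kind, _ in events
            if (verb == 'RETR' and kind == 'task') or (verb == 'STOR' and kind == 'result')}
    return {'operator': sorted(operator), 'bots': sorted(bots)}
```

The classifier is deliberately execution-free so it can be run over captured task files after decoding; the same patterns (a directory listing followed by small .txt uploads named From <host> (...), or RETR then DELE of a to <host>.txt file) are what to look for in proxy or firewall logs when outbound FTP cannot simply be blocked.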
While the malware authors probably used this method in an attempt to avoid inspection and/or blocking by security solutions, they may not have realized that it makes it very easy to monitor their actions and the victims' data.\r\nIT administrators should be aware that connections to external FTP servers can signify not just data exfiltration but C\u0026C activity as well. Either way, if this kind of network activity is not necessary for business functions, blocking it should be considered. Where it cannot be blocked, outbound FTP sessions to free hosting providers, or sessions that repeatedly list one directory and upload small .txt files, deserve a closer look.\r\nIndicators of Compromise\r\nFiles with the following SHA256 hashes are connected to this attack, and are detected as W2KM_SYSCON.A:\r\n34e968c067f6a360cc41a48b268c32a68421567f0329d4f9f8e2850fb4e27c8c\r\n63ca182abb276e28aec60b9ef1eab5afc10bfb5df43f10a11438d8c0f7550c5c\r\na07251485a34dd128d80860737b86edd3eb851f57797f2f8fb6891a3cb7a81b3\r\ncff8d961f3287f9ca75b65303075343bdbe63bb171d8f5b010bbf4fa30450fc4\r\nf4987d127320cb5bfb8f49fc26435e01312bdd35a4e5e60db13546046584bd4e\r\nFiles with the following SHA256 hashes are detected as BAT_SYSCON.A:\r\n2c958cd3838fcae410785acb0acf5a542d281524b7820d719bb22ad7d9fcdc7c\r\ne4226645bad95f20df55ef32193d72c9dafcf060c3360fd4e50b5c08a986a353\r\nf01e440764b75b72cab8324ba754d89d50d819a1b2db82ca266f1c307541a2b0\r\nFiles with the following SHA256 hashes are detected as BKDR_SYSCON.A:\r\n1f9afb142827773cefdb29f06ed90e0476c0185d4c8b337439b3be27e61ed982\r\n65e4212507bb52e72e728559df5ad38a4d3673b28104be4b033e42b1c8a264e8\r\n9b62a013b579f01e3c4c3caf3c9bc02eb338ce9859496e02016ba24b8908d59a\r\n9be95f5954202d7b159c5db928851102f23eae88c087892663781cf8edc0753a\r\nbec437d1979d16505ca8fc896fa8ce9794f655abd39145a82330343b59c142c5\r\ncfb2161b5aebf0c674c845e2428e24373edd4c74a2fb15de527d6763a62dd74e\r\nFiles with the following SHA256 hashes are detected as 
TROJ_SYSCON.A:\r\n25c08d5e77fada975f31a0e0807b7ea1064aae80f5de43790f6ada16159ae1c2\r\n2d261eb478bafaabd7dc12752b1c0aadba491d045573fe2e24cdac5588e2c96b\r\n2f6df307dbe54b8a62a35ea2941a7d033bfdfbb545a7872cb483aea77ec6a10b\r\n3319a156c84e85a4447fa40b0f09aabb84092b5c3a152ad641ee5692741b9194\r\n3fcda66e87eec4f90b50f360460fa46448249e6e177de7ff8f35848353acfaaa\r\n65380ab72bb6aa6ffcd2ea781fe2fa4f863a1b4a61073da7da382210c163b0f9\r\n7daec65f8fee86227d9f9c81ed00d07c46b44e37968bd2894dc74bf311c63651\r\nb7c970f1f65850fa859549f2cf3c2284b80ec464496b34f09bc53c4456e10d1f\r\nd495295466428a52263c8725070a9cf7c2446c6115bddc2de662949afd39f9a9\r\nSource: http://blog.trendmicro.com/trendlabs-security-intelligence/syscon-backdoor-uses-ftp-as-a-cc-channel/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://blog.trendmicro.com/trendlabs-security-intelligence/syscon-backdoor-uses-ftp-as-a-cc-channel/"
	],
	"report_names": [
		"syscon-backdoor-uses-ftp-as-a-cc-channel"
	],
	"threat_actors": [],
	"ts_created_at": 1775434174,
	"ts_updated_at": 1775791198,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5424ea31cd6d2204efb2ca3f2e3714a26c19ac9a.pdf",
		"text": "https://archive.orkl.eu/5424ea31cd6d2204efb2ca3f2e3714a26c19ac9a.txt",
		"img": "https://archive.orkl.eu/5424ea31cd6d2204efb2ca3f2e3714a26c19ac9a.jpg"
	}
}