
Backdoor Uses FTP Server as C&C

A newly detailed backdoor is using an FTP server for command and control (C&C) purposes, Trend Micro security researchers warn.

Dubbed SYSCON, the malware is being distributed through malicious documents containing macros. All of these documents mention North Korea and appear to be targeted at individuals connected to the Red Cross and the World Health Organization.

The use of an FTP server for C&C is rather unusual for a botnet, so it may go unnoticed by administrators and researchers. While this is a clear advantage for the attackers, the fact that it leaves their traffic open for monitoring is a major downside.

Trend Micro also discovered that SYSCON’s authors made a coding mistake that resulted in the backdoor sometimes executing the wrong commands.

The documents carrying the malware contain two long strings encoded with Base64 using a custom alphabet, a technique used to deliver the Sanny malware family in late 2012. Sanny too leveraged relatively unusual techniques for C&C, had a similar structure, and used an identical encoding key, which suggests that the same threat actor may be behind the new backdoor.

The Base64 strings are cabinet files containing the 32-bit and 64-bit versions of the malware. The version matching the operating system is extracted into the %Temp% folder, after which one of the files from the cabinet (uacme.exe) is executed.

The executed file determines the operating system version and either directly executes a BAT file or injects a DLL into the taskhost(ex) process to execute the BAT without triggering a UAC prompt.

The BAT file was designed to inject the main malware module and the configuration file into %Windows%\System32, and to achieve persistence. For that, it configures a new COMSysApp service, adds the service parameters to the registry, and starts the service. It also deletes all previously created files in the %Temp% directory.

After execution, the malware gets the computer name and uses it as an identifier, then logs into the FTP server using credentials stored in the configuration file. The attackers use the byethost free FTP service provider, the researchers discovered.

On the FTP server, commands are stored in .txt files, meant to be processed either by all bots or by specific victim computers. After processing a command, the backdoor lists all currently running processes and sends the data to the server. Transmitted files are generally zipped and encoded with the same custom Base64 encoding used earlier.
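The plaintext nature of this C&C channel is exactly what makes it easy to monitor. The following added example (not code from the article or from Trend Micro) flags FTP sessions that behave like the backdoor described above: a client that fetches .txt command files, uploads a .zip result afterwards, and polls the same file repeatedly. The log format, hosts, file names and credentials are constructed for the example; the byethost server and SYSCON's real file naming are not known from the article.

```python
import re
from collections import defaultdict

# Constructed sample of FTP control-channel commands as a network sensor
# might log them. Format (hypothetical): "<ts> <src> -> <dst> <CMD> <arg>".
SAMPLE_LOG = """\
2017-10-12T09:00:01 10.0.0.5 -> 198.51.100.7 USER operator
2017-10-12T09:00:01 10.0.0.5 -> 198.51.100.7 PASS hunter2
2017-10-12T09:00:02 10.0.0.5 -> 198.51.100.7 RETR all.txt
2017-10-12T09:00:02 10.0.0.5 -> 198.51.100.7 RETR WS-HOST01.txt
2017-10-12T09:00:04 10.0.0.5 -> 198.51.100.7 STOR WS-HOST01.zip
2017-10-12T09:00:05 10.0.0.5 -> 198.51.100.7 DELE WS-HOST01.txt
2017-10-12T09:05:01 10.0.0.5 -> 198.51.100.7 RETR all.txt
2017-10-12T09:00:10 10.0.0.9 -> 203.0.113.4 USER deploy
2017-10-12T09:00:10 10.0.0.9 -> 203.0.113.4 PASS s3cret
2017-10-12T09:00:11 10.0.0.9 -> 203.0.113.4 STOR release-1.4.tar.gz
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+) (?P<cmd>[A-Z]{3,4})(?: (?P<arg>.*))?$")

def parse_ftp_log(text):
    """Group log lines into (src, dst) sessions, each a list of (cmd, arg)."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            sessions[(m["src"], m["dst"])].append((m["cmd"], m["arg"] or ""))
    return sessions

def score_session(cmds):
    """Return the list of backdoor-like traits observed in one FTP session."""
    reasons = []
    retrieved = [a for c, a in cmds if c == "RETR"]
    # Trait 1: downloading .txt files, the way the backdoor fetches its command
    # files (one shared by all bots, one named per victim computer).
    txt_files = [a for a in retrieved if a.lower().endswith(".txt")]
    if txt_files:
        reasons.append("retrieves .txt command files: " + ", ".join(txt_files))
    # Trait 2: a .zip upload after a download, matching the zipped, encoded
    # process list the backdoor sends back once a command has been processed.
    first_retr = next((i for i, (c, _) in enumerate(cmds) if c == "RETR"), None)
    if first_retr is not None and any(
            c == "STOR" and a.lower().endswith(".zip") for c, a in cmds[first_retr:]):
        reasons.append("uploads .zip result after fetching commands")
    # Trait 3: the same file fetched more than once, i.e. polling for new commands.
    if any(retrieved.count(a) > 1 for a in set(retrieved)):
        reasons.append("polls the same file repeatedly")
    return reasons

def flag_sessions(text, min_traits=2):
    """Return {(src, dst): reasons} for sessions showing at least min_traits."""
    flagged = {}
    for key, cmds in parse_ftp_log(text).items():
        reasons = score_session(cmds)
        if len(reasons) >= min_traits:
            flagged[key] = reasons
    return flagged
```

Run against real sensor output, adjust LINE_RE to the sensor's format and raise min_traits if ordinary FTP deployments in the environment trip a single trait.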

Supported commands include: copy file to temp.ini, pack it to temp.zip, encode and upload; pack file to temp.zip, encode and upload; delete config file, write string to the new config file; put file to the given path on infected system; execute command but don’t report back; and execute downloaded file, among others.

The command processing loop contains what appears to be a typo or mistake, the researchers say. They explain that, while the malware treats the commands as strings in wide-character format, a parameter in one of the functions carries an incorrect file name, which prevents that command from executing.

“It is interesting to see something atypical, like C&C communication via FTP. While the malware authors probably used this method in an attempt to avoid security solutions inspection and/or blocking, they may not have realized this would make it very easy to monitor their actions and victims’ data,” Trend Micro concludes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.