Today, Trend Micro released a blog post regarding malware it refers to as "SYSCON" which uses the file transfer protocol (FTP) as a command and control (C2) channel. The blog notes likely targeting of the Red Cross and World Health Organization based on lure documents used to deliver the malware. The Cyber Intelligence and Policy Project (CIPP) was able to identify significant overlap between what is described in Trend Micro's post and operations referred to in previous public reporting that used the malware known as "KONNI."
Similarities Between SYSCON and KONNI
At the code level, the overlap between SYSCON and KONNI lies in the custom Base64 alphabet used by the malicious Word documents that drop SYSCON.
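A custom Base64 alphabet is a useful pivot for analysts because it survives recompilation of the dropper while the payload hashes change. The script below is an added illustration, not code from the original post or from any of the vendors cited: it pulls 64-character string literals out of a dropper script, checks whether each is a valid Base64 alphabet, compares it against alphabets recorded for known families, and decodes payload data under it. The alphabet used here is constructed for the demonstration and is not the SYSCON/KONNI alphabet, which the post does not reproduce; the family table is likewise a placeholder an analyst would fill from their own samples.

```python
import base64
import re
import string

STANDARD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Constructed example alphabet (reversed standard alphabet). It is NOT the
# alphabet used by SYSCON or KONNI; it only exercises the functions below.
SAMPLE_CUSTOM_ALPHABET = (
    "ZYXWVUTSRQPONMLKJIHGFEDCBA"
    "zyxwvutsrqponmlkjihgfedcba"
    "9876543210/+"
)

# Placeholder table of family -> alphabet; populate from your own analysis.
KNOWN_ALPHABETS = {
    "example-family-A": SAMPLE_CUSTOM_ALPHABET,
    "standard-base64": STANDARD_ALPHABET,
}


def validate_alphabet(alphabet, pad="="):
    """A Base64 alphabet must be 64 distinct characters and not contain the pad."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain exactly 64 distinct characters")
    if pad in alphabet:
        raise ValueError("pad character must not appear in the alphabet")
    return alphabet


def find_candidate_alphabets(script_text):
    """Return double-quoted 64-char string literals that are valid alphabets.

    Dropper scripts commonly embed the alphabet as a constant; this is a
    cheap first pass before decoding anything.
    """
    candidates = []
    for literal in re.findall(r'"([^"\r\n]{64})"', script_text):
        try:
            candidates.append(validate_alphabet(literal))
        except ValueError:
            continue
    return candidates


def match_known_alphabets(alphabet, known=KNOWN_ALPHABETS):
    """Names of families whose recorded alphabet is identical to this one."""
    return [name for name, alpha in known.items() if alpha == alphabet]


def alphabet_distance(a, b):
    """Number of positions where two alphabets differ (0 means identical).

    A small distance can indicate an actor tweaking a previous alphabet.
    """
    validate_alphabet(a)
    validate_alphabet(b)
    return sum(1 for x, y in zip(a, b) if x != y)


def decode_custom_base64(data, alphabet, pad="="):
    """Decode Base64 text written with a custom alphabet.

    Works by translating the custom alphabet to the standard one and then
    using the standard library decoder, restoring padding if it was dropped.
    """
    validate_alphabet(alphabet, pad)
    table = str.maketrans(alphabet, STANDARD_ALPHABET)
    body = re.sub(r"\s+", "", data).rstrip(pad)
    translated = body.translate(table)
    translated += "=" * (-len(translated) % 4)
    return base64.b64decode(translated, validate=True)


def encode_custom_base64(raw, alphabet, pad="="):
    """Inverse of decode_custom_base64; handy for building test vectors."""
    validate_alphabet(alphabet, pad)
    table = str.maketrans(STANDARD_ALPHABET, alphabet)
    return base64.b64encode(raw).decode("ascii").translate(table)


if __name__ == "__main__":
    # Constructed dropper-script fragment carrying the sample alphabet.
    script = 'Dim t\nConst ALPHA = "' + SAMPLE_CUSTOM_ALPHABET + '"\n'
    for alpha in find_candidate_alphabets(script):
        print("candidate alphabet matches:", match_known_alphabets(alpha))
        print("distance from standard:", alphabet_distance(alpha, STANDARD_ALPHABET))
        print(decode_custom_base64(encode_custom_base64(b"hi", alpha), alpha))
```

Exact-match lookups catch reuse of an alphabet across campaigns; the distance function is there for the case the post's PDB-path observation hints at, where an actor keeps iterating on tooling and a near-identical alphabet is more informative than a miss.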
Although the sample was not shared, Hybrid Analysis shows that it drops a DLL (errorevent.dll; MD5: 38ead1e8ffd5b357e879d7cb8f467508) and an EXE (stify.exe; MD5: 849f3ffae4fd7ab9954a6fcaec2706dc4355a637) both of which are noted in an August blog post by Fortinet on KONNI.
Furthermore, the strings from Hybrid Analysis show the following PDB paths:
These PDB paths closely match those of the files listed in the original Talos blog post on KONNI malware. However, it is notable that the PDB paths from the August 29 document are not identical to those from the files in the original Talos KONNI post, which indicates that the actor is actively developing the malware.
A more generic similarity between SYSCON and KONNI is the use of North Korean themes in the lure documents. Most previously reported KONNI incidents have used content related to North Korea in their lures, although there is limited reporting of Russia-focused lures as well.
Possible Connection to "Sanny" Malware
Trend Micro notes some similarity between the SYSCON activity and malware FireEye referred to as "Sanny" in a 2012 blog post. CIPP is not able to bolster this theory at a code level. However, the 2012 Sanny blog post describes targeting of the telecommunications, research, education, and aerospace industries in Russia. The Russia-focused KONNI lure may lend some more credence to Trend Micro's theory of a connection to Sanny. If it is true that Sanny, KONNI, and SYSCON are all linked to the same actor, it reveals a multi-year cyber espionage operation whose target profile appears to have evolved over time.
Lure Documents:
- 3131.doc (a0d66962dfc35b0cf49442f8ee6062d3) (Recent SYSCON document)
- 12 things Trump should know about North Korea.doc (834d3b0ce76b3f62ff87b7d6f2f9cc9b) (Recent KONNI document)
Recently Reported KONNI Malware C2 Domains (SYSCON C2 not currently known):
Reported Targeting by Malware Family:
- Sanny: Russia (telecommunications, research, education, and aerospace)
- SYSCON: International health organizations (Red Cross and WHO) (unconfirmed, indicated via lure content)
- KONNI: Unconfirmed, but possibly overlapping with the targets listed above
Related Public Reporting:
- http://blog.trendmicro.com/trendlabs-security-intelligence/syscon-backdoor-uses-ftp-as-a-cc-channel/ (SYSCON)
- http://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html (KONNI)
- http://blog.talosintelligence.com/2017/07/konni-references-north-korean-missile-capabilities.html (KONNI)
- https://blog.fortinet.com/2017/08/15/a-quick-look-at-a-new-konni-rat-variant (KONNI)
- https://www.fireeye.com/blog/threat-research/2012/12/to-russia-with-apt.html (Sanny)