Recent Report on SYSCON Malware Reveals Overlaps with KONNI Malware Campaigns

Overview

Today, Trend Micro released a blog post regarding malware it refers to as "SYSCON" which uses the file transfer protocol (FTP) as a command and control (C2) channel. The blog notes likely targeting of the Red Cross and World Health Organization based on lure documents used to deliver the malware. The Cyber Intelligence and Policy Project (CIPP) was able to identify significant overlap between what is described in Trend Micro's post and operations referred to in previous public reporting that used the malware known as "KONNI."

Similarities Between SYSCON and KONNI

At a code level, the overlap between SYSCON and KONNI lies in the custom Base64 alphabet used by the malicious Word documents that drop SYSCON.

KXU/yP=B29tLzidqNRuf-SbVInw0oCrmWZk6OpFc7A5GTD1QxaJ3H8h4jMeEsYglv

The same alphabet is present in a file submitted to the Hybrid Analysis platform on August 29, 2017. VirusTotal data indicates that this document was created during August 2017. 


Although the sample was not shared, Hybrid Analysis shows that it drops a DLL (errorevent.dll; MD5: 38ead1e8ffd5b357e879d7cb8f467508) and an EXE (stify.exe; MD5: 849f3ffae4fd7ab9954a6fcaec2706dc4355a637) both of which are noted in an August blog post by Fortinet on KONNI.

Furthermore, the strings from Hybrid Analysis show the following PDB paths:

F:\0_work\_programe\worm scout\Doc7\Release\Doc.pdb
F:\0_work\planes\2017\0626\virus-load\_Result\virus-dll.pdb

These PDB paths closely match those of the files listed in the original Talos blog post on KONNI malware. Notably, the differences between the PDB paths in the August 29 document and those of the files from the original Talos KONNI post indicate that the actor is actively developing the malware.
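The two code-level indicators above, the custom Base64 alphabet and the PDB paths, are the kind of thing an analyst wants to check for mechanically across a sample set. The following is an added example written for this page; it is not code from CIPP, Trend Micro, Talos or Fortinet. It assumes the simplest reading of the alphabet, namely that its 65 symbols map positionally onto the standard Base64 alphabet with the final symbol acting as padding (the report quotes the alphabet but not how the macro applies it), and the sample blob it scans is constructed test data, not content from any real document.

```python
import base64
import re
import string

# Custom alphabet quoted in the report above (65 symbols). The mapping used
# here, custom symbol i <-> standard Base64 symbol i with the 65th symbol as
# padding, is an ASSUMPTION made for this example; the report gives the
# alphabet only, not the macro's exact use of it.
KONNI_ALPHABET = "KXU/yP=B29tLzidqNRuf-SbVInw0oCrmWZk6OpFc7A5GTD1QxaJ3H8h4jMeEsYglv"
STANDARD_ALPHABET = (string.ascii_uppercase + string.ascii_lowercase
                     + string.digits + "+/=")

# PDB paths quoted in the report, reused to build the constructed sample below.
KNOWN_PDB_PATHS = [
    r"F:\0_work\_programe\worm scout\Doc7\Release\Doc.pdb",
    r"F:\0_work\planes\2017\0626\virus-load\_Result\virus-dll.pdb",
]

# Drive letter, colon, backslash, printable run, ".pdb": the shape of a PE debug path.
PDB_RE = re.compile(rb"[A-Za-z]:\\[\x20-\x7e]{1,240}?\.pdb")


def validate_alphabet(alphabet: str) -> bool:
    """A usable custom alphabet: 64 distinct data symbols plus one distinct pad symbol."""
    return len(alphabet) == 65 and len(set(alphabet)) == 65


def custom_b64_encode(raw: bytes, alphabet: str = KONNI_ALPHABET) -> str:
    """Standard Base64, then substitute each symbol with its custom counterpart."""
    if not validate_alphabet(alphabet):
        raise ValueError("alphabet must contain 65 distinct symbols")
    table = str.maketrans(STANDARD_ALPHABET, alphabet)
    return base64.b64encode(raw).decode("ascii").translate(table)


def custom_b64_decode(text: str, alphabet: str = KONNI_ALPHABET) -> bytes:
    """Inverse of custom_b64_encode: map back to the standard alphabet, then decode."""
    if not validate_alphabet(alphabet):
        raise ValueError("alphabet must contain 65 distinct symbols")
    table = str.maketrans(alphabet, STANDARD_ALPHABET)
    return base64.b64decode(text.translate(table), validate=True)


def find_alphabet(blob: bytes, alphabet: str = KONNI_ALPHABET) -> list:
    """Offsets at which the alphabet string occurs, as ASCII or UTF-16LE
    (macro and .NET string literals may be stored in either form)."""
    hits = []
    for needle in (alphabet.encode("ascii"), alphabet.encode("utf-16-le")):
        start = 0
        while (idx := blob.find(needle, start)) != -1:
            hits.append(idx)
            start = idx + 1
    return sorted(hits)


def find_pdb_paths(blob: bytes) -> list:
    """Printable PDB paths embedded in a PE image or other dropped file."""
    return [m.decode("ascii") for m in PDB_RE.findall(blob)]


def scan(blob: bytes) -> dict:
    """Triage summary: does the blob carry either indicator from the report?"""
    return {"alphabet_offsets": find_alphabet(blob),
            "pdb_paths": find_pdb_paths(blob)}


# Constructed sample: a macro-like text fragment holding the alphabet, followed
# by a fake binary tail holding one of the quoted PDB paths. Made-up test data.
SAMPLE_BLOB = (
    b'Attribute VB_Name = "Module1"\r\nConst ALPHA = "'
    + KONNI_ALPHABET.encode("ascii") + b'"\r\n'
    + b"\x00" * 16 + b"RSDS" + b"\x00" * 20
    + KNOWN_PDB_PATHS[1].encode("ascii") + b"\x00"
)


if __name__ == "__main__":
    print(scan(SAMPLE_BLOB))
    token = custom_b64_encode(b"constructed payload")
    print(token, custom_b64_decode(token))
```

Running the script prints the alphabet offset and the recovered PDB path for the constructed blob, then a round trip through the assumed custom encoding. Pointing `scan()` at the extracted VBA streams and dropped executables of a real sample is the practical use: a hit on the alphabet string ties a document to this macro family regardless of lure content, and recovered PDB paths can be compared against those in the Talos and Fortinet reporting to track development over time.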

A more generic similarity between SYSCON and KONNI is the use of North Korean themes in the lure documents. Most previously reported KONNI incidents have used content related to North Korea in their lures although there is limited reporting of Russia-focused lures as well. 

Possible Connection to "Sanny" Malware

Trend Micro notes some similarity between the SYSCON activity and malware FireEye referred to as "Sanny" in a 2012 blog post. CIPP is not able to bolster this theory at a code level. However, the 2012 Sanny blog post describes targeting of telecommunications, research, education, and aerospace industries in Russia. The Russia-focused KONNI lure may lend some more credence to Trend Micro's theory of a connection to Sanny. If it is true that Sanny, KONNI, and SYSCON are all linked to the same actor, this reveals a multi-year cyber espionage operation whose target profile appears to have evolved over time.

Details

Exploit Document:

Recently Reported KONNI Malware C2 Domains (SYSCON C2 not currently known):

  • donkeydancehome.freeiz[.]com
  • seesionerrorwebmailattach.uphero[.]com
  • member-daumchk.netai[.]net

Targeting:

  • Sanny: Russia (telecommunications, research, education, and aerospace)
  • SYSCON: International health organizations (Red Cross and WHO) (unconfirmed, indicated via lure content)
  • KONNI: Unconfirmed, but possibly overlapping with targets listed above

Related Public Reporting:

  • http://blog.trendmicro.com/trendlabs-security-intelligence/syscon-backdoor-uses-ftp-as-a-cc-channel/ (SYSCON)
  • http://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html (KONNI)
  • http://blog.talosintelligence.com/2017/07/konni-references-north-korean-missile-capabilities.html (KONNI)
  • https://blog.fortinet.com/2017/08/15/a-quick-look-at-a-new-konni-rat-variant (KONNI)
  • https://www.fireeye.com/blog/threat-research/2012/12/to-russia-with-apt.html (Sanny)

Actor/Campaign:

  • KONNI