Hidden in Plain Sight: Backdoor Uses FTP Server

Monday, October 9, 2017 @ 04:10 PM gHale

A backdoor is using an FTP server for command and control (C&C) purposes, researchers said.

The malware, called SYSCON, is going out through malicious documents containing macros, said researchers at Trend Micro.

Cisco Fixes Backdoor
Iran Focuses on Aerospace, Energy: Report
ICSJWG: Putting Numbers Behind Risk
ICSJWG: Change in Security Approach Needed

All of these documents mention North Korea and appear to be targeted at individuals connected to the Red Cross and the World Health Organization.

For a botnet, using a FTP server for C&C is unusual. By doing that, it could be possible for it to go unnoticed by administrators and researchers.

SYSCON’s authors made a coding mistake that resulted in the backdoor sometimes executing the wrong commands, said Jaromir Horejsi, a threat researcher at Trend Micro, in a blog post.

The documents carrying the malware feature two long strings, with Base64 encoding using a custom alphabet.

“This same technique was used to deliver the Sanny malware family in late 2012,” Horejsi said.

Sanny also leveraged techniques for C&C, had a similar structure, and used an identical encoding key, which could suggest the same threat actor is behind the new backdoor.

The Base64 strings are cabinet files containing the 32-bit and 64-bit versions of the malware, with the appropriate one (based on OS) being extracted into the %Temp% folder, after which one of the files in the cabinet (uacme.exe) ends up executed.

The executed file determines the operating system version and either directly executes a BAT file or injects a DLL into the taskhost(ex) process to execute the BAT without triggering a UAC prompt.

The BAT file was designed to inject the main malware module and the configuration file into %Windows%\System32, and to achieve persistence. For that, it configures a new COMSysApp service, adds the service parameters into the registry, and starts the service. It also deletes all previously created files in the %Temp% directory.

After execution, the malware gets the computer name and uses it as an identifier, then logs into the FTP server using credentials stored in the configuration file. The attackers use the byethost free FTP service provider, the researchers discovered.

On the FTP server, commands are stored in .txt files, either meant to be processed by all bots or by specific victim computers. After processing a command, the backdoor lists all currently running processes, then sends the data to the server. Transmitted files are generally zipped and encoded with the same custom Base64 encoding used earlier.

“It is interesting to see something atypical, like C&C communication via FTP,” Horejsi said. “While the malware authors probably used this method in an attempt to avoid security solutions inspection and/or blocking, they may not have realized this would make it very easy to monitor their actions and victims’ data.”

“IT administrators should be aware that connections to external FTP servers can signify not just data extraction, but C&C activity as well,” Horejsi said. “Either way, if this kind of network activity is not necessary for business functions, blocking it should be considered.”

Leave a Reply

You must be logged in to post a comment.