In January 2023, the McAfee Advanced Threat Research team discovered a new variant of the SYSCON backdoor malware being used in an operation. This variant appeared in a malicious Word document containing a Visual Basic macro that dropped and executed an upgraded version of the implant. The malware was part of several campaigns using North Korea–related topics and was designed to exploit and damage computers or devices by stealing personal information, disrupting operations, or holding data hostage for ransom.
The malware families used in this campaign consisted mainly of malicious documents featuring CARROTBAT downloaders with SYSCON payloads, but also included a new malware downloader that Unit 42 has dubbed CARROTBALL. Based on the analysis, multiple components from this operation are unique from a code perspective, even though the code is loosely based on previous versions of the SYSCON backdoor. AutoFocus customers can track these samples with the FracturedStatue, SYSCON, KONNI, CARROTBAT, and CARROTBALL tags.
This discovery highlights the ongoing threat posed by sophisticated malware campaigns designed to infiltrate and disrupt computer systems. To minimize the risk of such attacks, computer users should exercise caution when downloading files, opening email attachments, or visiting suspicious websites, and should keep their operating systems and security software up to date.
Description last updated: 2023-06-23T15:05:55.669Z