SYSCON

Malware Profile Updated 3 months ago
In January 2023, the McAfee Advanced Threat Research team discovered a new variant of the SYSCON backdoor being used in an operation. The variant was delivered in a malicious Word document whose Visual Basic macro dropped and executed an upgraded version of the implant. The malware was part of several campaigns built around North Korea–related lures and was designed to compromise computers and devices by stealing personal information, disrupting operations, or holding data hostage for ransom. The malware families used in these campaigns consisted mainly of malicious documents carrying CARROTBAT downloaders with SYSCON payloads, but also included a new downloader that Unit 42 has dubbed CARROTBALL. Based on the analysis, several components of this operation are unique from a code perspective, even though the code is loosely based on earlier versions of the SYSCON backdoor. AutoFocus customers can track these samples with the FracturedStatue, SYSCON, KONNI, CARROTBAT, and CARROTBALL tags. This discovery highlights the ongoing threat posed by sophisticated malware campaigns designed to infiltrate and disrupt computer systems. To reduce the risk of such attacks, users should exercise caution when downloading files, opening email attachments, or visiting suspicious websites, and keep their operating systems and security software up to date.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID / Votes / Profile Description

CARROTBAT (1 vote): Carrotbat is a malicious software, or malware, first discovered in December 2017 during an attack. The discovery was made by Unit 42, which dubbed the malware family "Carrotbat". It was found to be related to another attack on a British government agency due to overlaps within the attack infrastruct

KONNI (1 vote): Konni is a malware, short for malicious software, that poses a significant threat to computer systems and data. It's designed to infiltrate systems surreptitiously through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, Konni can wreak havoc by stealin
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
CARROTBALL
Backdoor
Implant
Malware
Trojan
Associated Malware
ID / Type / Votes / Profile Description

OceanSalt (type: unspecified; 1 vote): no profile description
Fracturedstatue (type: unspecified; 1 vote): no profile description
Associated Threat Actors
ID / Type / Votes / Profile Description

No associations to display
Associated Vulnerabilities
ID / Type / Votes / Profile Description

No associations to display
Source Document References
Information about the SYSCON malware was read from the document corpus below. This display is limited to 20 results.

Source / Created At / Title

MITRE (a year ago): McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups | McAfee Blog
MITRE (a year ago): The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks
MITRE (a year ago): The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia