Backdoor Uses FTP Server as C&C

A newly detailed backdoor is using an FTP server for command and control (C&C) purposes, Trend Micro security researchers warn.
Dubbed SYSCON, the malware is being distributed through malicious documents containing macros. All of these documents mention North Korea and appear to be targeted at individuals connected to the Red Cross and the World Health Organization.
Using an FTP server for C&C is unusual for a botnet, which may help the traffic slip past administrators and researchers who are not looking for it. That advantage comes with a serious downside: FTP carries commands, credentials and file transfers in cleartext, so anyone monitoring the connection can read them.
Trend Micro also discovered that SYSCON’s authors made a coding mistake that resulted in the backdoor sometimes executing the wrong commands.
The documents carrying the malware feature two long strings, with Base64 encoding using a custom alphabet, a technique used to deliver the Sanny malware family in late 2012. Sanny too leveraged relatively unusual techniques for C&C, had a similar structure, and used an identical encoding key, which could suggest that the same threat actor is behind the new backdoor.
The Base64 strings are cabinet files containing the 32-bit and 64-bit versions of the malware, with the appropriate one (based on OS) being extracted into the %Temp% folder, after which one of the files in the cabinet (uacme.exe) is executed.
The executed file determines the operating system version and either runs a BAT file directly or injects a DLL into the taskhost.exe/taskhostex.exe process so that the BAT runs without triggering a UAC prompt.
The BAT file installs the main malware module and the configuration file into %Windows%\System32 and sets up persistence: it registers a new COMSysApp service, writes the service parameters into the registry, and starts the service. It then deletes the files it previously dropped in the %Temp% directory.
After execution, the malware gets the computer name and uses it as an identifier, then logs into the FTP server using credentials stored in the configuration file. The attackers use the byethost free FTP service provider, the researchers discovered.
On the FTP server, commands are stored in .txt files, either meant to be processed by all bots or by specific victim computers. After processing a command, the backdoor lists all currently running processes, then sends the data to the server. Transmitted files are generally zipped and encoded with the same custom Base64 encoding used earlier.
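The custom-alphabet Base64 described above is the same mechanism on both ends: the documents embed the cabinet files with it, and the bot encodes its zipped uploads with it. The example below is added here and is not SYSCON's or Trend Micro's code. The alphabet, the file names and the process list are constructed for the example; the real key shared by Sanny and SYSCON is not given in the article, so decoding a real sample would require swapping in the recovered alphabet.

```python
import base64
import io
import zipfile

STD_ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# Constructed stand-in alphabet for this example (an assumption, not the
# malware's key): the standard alphabet reversed within each group, with
# '-' and '_' in place of '+' and '/'.
CUSTOM_ALPHABET = b"zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA9876543210-_"

# Constructed sample of what the bot would upload after running a command.
SAMPLE_PROCLIST = b"System\r\nsmss.exe\r\ncsrss.exe\r\nuacme.exe\r\n"


def _check_alphabet(alphabet: bytes) -> None:
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("a Base64 alphabet needs 64 distinct symbols")
    if b"=" in alphabet:
        raise ValueError("'=' is reserved for padding")


def custom_b64encode(raw: bytes, alphabet: bytes = CUSTOM_ALPHABET) -> bytes:
    """Standard Base64, then remap every symbol into the custom alphabet."""
    _check_alphabet(alphabet)
    return base64.b64encode(raw).translate(bytes.maketrans(STD_ALPHABET, alphabet))


def custom_b64decode(encoded: bytes, alphabet: bytes = CUSTOM_ALPHABET) -> bytes:
    """Reverse of custom_b64encode: remap to the standard alphabet, then decode."""
    _check_alphabet(alphabet)
    cleaned = b"".join(encoded.split())  # tolerate line breaks as found in documents
    std = cleaned.translate(bytes.maketrans(alphabet, STD_ALPHABET))
    std += b"=" * (-len(std) % 4)  # restore '=' padding if the encoder dropped it
    return base64.b64decode(std, validate=True)  # reject symbols outside the alphabet


def payload_kind(encoded: bytes) -> str:
    """Classify a decoded blob by its magic bytes: the documents carry cabinet
    files (MSCF), the bot uploads zip archives (PK), and both hold PE files (MZ)."""
    data = custom_b64decode(encoded)
    if data.startswith(b"MSCF"):
        return "cab"
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if data.startswith(b"MZ"):
        return "pe"
    return "unknown"


def build_upload(files: dict) -> bytes:
    """Bot side: zip the collected files, then encode the archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return custom_b64encode(buf.getvalue())


def unpack_upload(encoded: bytes) -> dict:
    """Analyst side: decode a captured upload and return {member name: bytes}."""
    archive = custom_b64decode(encoded)
    if not archive.startswith(b"PK\x03\x04"):
        raise ValueError("decoded payload is not a zip archive; wrong alphabet?")
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


if __name__ == "__main__":
    captured = build_upload({"temp.ini": SAMPLE_PROCLIST})
    print(payload_kind(captured), unpack_upload(captured)["temp.ini"].decode())
```

Because the scheme is only a symbol substitution on top of ordinary Base64, a sample can be decoded with the standard library once the 64-symbol mapping is known; the `validate=True` check makes a wrong alphabet fail loudly instead of yielding garbage that merely fails to unzip.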
Supported commands include: copy file to temp.ini, pack it to temp.zip, encode and upload; pack file to temp.zip, encode and upload; delete config file, write string to the new config file; put file to the given path on infected system; execute command but don’t report back; and execute downloaded file, among others.
The command processing loop contains what appears to be a typo or mistake, the researchers say. The malware handles the commands as wide-character strings, but one function is passed an incorrect file name as a parameter, so the process it is meant to launch never executes.
“It is interesting to see something atypical, like C&C communication via FTP. While the malware authors probably used this method in an attempt to avoid security solutions inspection and/or blocking, they may not have realized this would make it very easy to monitor their actions and victims’ data,” Trend Micro concludes.
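The monitoring advantage Trend Micro describes follows directly from FTP being a cleartext protocol. As an added example (not the researchers' or the malware's code), the parser below takes a control-channel transcript as a network tap or IDS would record it and recovers the bot's login credentials, the command file it fetched and the result file it uploaded. The transcript, host names and file names are constructed for the example; the assumption that command and result files are named after the victim's computer name is an illustration of the per-victim .txt files mentioned above, not a documented naming scheme.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed FTP control-channel transcript for one bot session (sample data,
# not a real capture). Credentials and names are made up.
SAMPLE_SESSION = """\
220 FTP server ready
USER bot_user
331 Password required
PASS bot_pass
230 User logged in
CWD /cmd
250 OK
RETR all.txt
550 File not found
RETR WIN-ABC123.txt
150 Opening data connection
226 Transfer complete
STOR WIN-ABC123_result.txt
150 Opening data connection
226 Transfer complete
QUIT
221 Goodbye
"""

CMD_RE = re.compile(r"^([A-Z]{3,4})(?: (.*))?$")   # client commands: USER, RETR ...
REPLY_RE = re.compile(r"^(\d{3})[ -](.*)$")         # server replies: 3-digit code


@dataclass
class FtpSession:
    user: Optional[str] = None
    password: Optional[str] = None
    logged_in: bool = False
    downloads: List[str] = field(default_factory=list)
    uploads: List[str] = field(default_factory=list)
    failures: List[str] = field(default_factory=list)


def parse_ftp_session(transcript: str) -> FtpSession:
    """Walk the cleartext control channel, pairing each RETR/STOR with the
    reply that settles it."""
    s = FtpSession()
    pending: Optional[Tuple[str, str]] = None  # (verb, file) awaiting its final reply
    for line in transcript.splitlines():
        line = line.rstrip("\r")
        m = REPLY_RE.match(line)
        if m:
            code = int(m.group(1))
            if code == 230:
                s.logged_in = True
            if pending is not None:
                verb, name = pending
                if code in (226, 250):           # transfer finished
                    (s.downloads if verb == "RETR" else s.uploads).append(name)
                    pending = None
                elif code >= 400:                # refused or failed
                    s.failures.append(name)
                    pending = None
                # 1xx (data connection opening): keep waiting for the final reply
            continue
        m = CMD_RE.match(line)
        if not m:
            continue
        verb, arg = m.group(1), m.group(2) or ""
        if verb == "USER":
            s.user = arg
        elif verb == "PASS":
            s.password = arg                     # visible in the clear on the wire
        elif verb in ("RETR", "STOR"):
            pending = (verb, arg)
    return s


def looks_like_command_polling(s: FtpSession) -> bool:
    """Heuristic for the pattern in the article: an authenticated session that
    fetches a .txt command file and then uploads a result."""
    fetched_txt = any(n.lower().endswith(".txt") for n in s.downloads)
    return s.logged_in and fetched_txt and bool(s.uploads)


if __name__ == "__main__":
    session = parse_ftp_session(SAMPLE_SESSION)
    print(session)
    print("command polling:", looks_like_command_polling(session))
```

Everything the parser extracts, including the password from the configuration file, is available to anyone on the path, which is why the same choice that evades signature-based inspection also exposes the operators' commands and the victims' uploaded data.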
Related: Chrome to Label FTP Resources as “Not Secure”
Related: New Windows Backdoor Linked to SambaCry Linux Malware
Related: Backdoor Uses FFmpeg Application to Spy on Victims