Trusted Design

SYSCON Backdoor Uses FTP as a C&C Channel

概要

Bots can use various methods to establish a line of communication between themselves and their command-and-control (C&C) server. Usually, these are done via HTTP or other TCP/IP connections. However, we recently encountered a botnet that uses a more unusual method: an FTP server that, in effect, acts as a C&C server. Using an FTP server has some advantages. It is less common, and this fact may allow it to slip unnoticed by administrators and researchers. However, this also leaves the C&C traffic open for monitoring by others, including security researchers. In addition, thanks to a coding mistake by the attackers, this particular backdoor does not always run the right commands.

Created: 2026-02-23

Indicators

• FileHash-SHA256 - 9be95f5954202d7b159c5db928851102f23eae88c087892663781cf8edc0753a -
• FileHash-SHA256 - 34e968c067f6a360cc41a48b268c32a68421567f0329d4f9f8e2850fb4e27c8c -
• FileHash-SHA256 - 3319a156c84e85a4447fa40b0f09aabb84092b5c3a152ad641ee5692741b9194 -
• FileHash-SHA256 - b7c970f1f65850fa859549f2cf3c2284b80ec464496b34f09bc53c4456e10d1f -
• FileHash-SHA256 - f4987d127320cb5bfb8f49fc26435e01312bdd35a4e5e60db13546046584bd4e -
• FileHash-SHA256 - d495295466428a52263c8725070a9cf7c2446c6115bddc2de662949afd39f9a9 -
• FileHash-SHA256 - 1f9afb142827773cefdb29f06ed90e0476c0185d4c8b337439b3be27e61ed982 -
• FileHash-SHA256 - 65e4212507bb52e72e728559df5ad38a4d3673b28104be4b033e42b1c8a264e8 -
• FileHash-SHA256 - 2d261eb478bafaabd7dc12752b1c0aadba491d045573fe2e24cdac5588e2c96b -
• FileHash-SHA256 - f01e440764b75b72cab8324ba754d89d50d819a1b2db82ca266f1c307541a2b0 -
• FileHash-SHA256 - 2c958cd3838fcae410785acb0acf5a542d281524b7820d719bb22ad7d9fcdc7c -
• FileHash-SHA256 - a07251485a34dd128d80860737b86edd3eb851f57797f2f8fb6891a3cb7a81b3 -
• FileHash-SHA256 - 9b62a013b579f01e3c4c3caf3c9bc02eb338ce9859496e02016ba24b8908d59a -
• FileHash-SHA256 - 2f6df307dbe54b8a62a35ea2941a7d033bfdfbb545a7872cb483aea77ec6a10b -
• FileHash-SHA256 - 3fcda66e87eec4f90b50f360460fa46448249e6e177de7ff8f35848353acfaaa -
• FileHash-SHA256 - cff8d961f3287f9ca75b65303075343bdbe63bb171d8f5b010bbf4fa30450fc4 -
• FileHash-SHA256 - bec437d1979d16505ca8fc896fa8ce9794f655abd39145a82330343b59c142c5 -
• FileHash-SHA256 - e4226645bad95f20df55ef32193d72c9dafcf060c3360fd4e50b5c08a986a353 -
• FileHash-SHA256 - 7daec65f8fee86227d9f9c81ed00d07c46b44e37968bd2894dc74bf311c63651 -
• FileHash-SHA256 - 63ca182abb276e28aec60b9ef1eab5afc10bfb5df43f10a11438d8c0f7550c5c -
• FileHash-SHA256 - 25c08d5e77fada975f31a0e0807b7ea1064aae80f5de43790f6ada16159ae1c2 -
• FileHash-SHA256 - cfb2161b5aebf0c674c845e2428e24373edd4c74a2fb15de527d6763a62dd74e -
• FileHash-SHA256 - 65380ab72bb6aa6ffcd2ea781fe2fa4f863a1b4a61073da7da382210c163b0f9 -

類似Pulses

• TrendLabs Security Intelligence BlogSYSCON Backdoor Uses FTP as a CC Channel - TrendLabs Security Intelligence Blog (score: 0.88)
• Perl.Shellbot Botnet C&C Server and Payload (score: 0.58)
• Symratek.A - A .NET Backdoor (score: 0.58)
• 2016-09-19 Botnet C&C Servers (score: 0.56)
• Cisco firewalls IRC botnet C&C 8/29/2016 (score: 0.54)

このPulseに関連する脅威アクター (事実ベース)

このPulseに関連する脅威アクター (推論ベース)

Related CVEs

このPulseに見つかったCVEはありません。

Pulse – 脅威アクター グラフ

---

← Pulse一覧に戻る