Sysscan

Sysscan is a trojan that scans the internet for systems and servers that have open and unsecured remote desktop protocol (RDP) ports and uses brute-force methods to acquire access to Windows XP to Windows Server 2012 R2 systems set up for remote connections. It maintains persistence via manual intervention or through automatic configuration and, if installed as an administrator, it will add a hidden administrator account to the accessed system and open all RDP ports. To ensure that the remote desktop protocol (RDP) remains accessible to the attacker, it installs an RDP wrapper library. It has the ability to exfiltrate large quantities of credentials stored in applications and software on local machines. If a local machine has point-of-sale software installed or has been used to log into casino gaming, tax, and financial organization websites, Sysscan will exfiltrate authentication details in order to steal money, credentials, and browser cookie files. Unfortunately, Sysscan does not use malicious kernel calls making it much more difficult for antivirus software to detect.

Reporting

  • October 2016: New Backdoor trojan Spreads through RDP Brute-Force Attacks (Softpedia)

Technical Details

  •  Guardicore provides technical details on the Sysscan trojan, including indicators of compromise, available here.