SysKit

Malware

⚠️ Overview

SysKit is a post-exploitation toolkit first publicly documented by Mandiant in 2022, designed as a VBScript-based backdoor used by the threat group tracked as UNC2891 (also known as SALTWATER or TEMP.Veles). It is categorized as a custom backdoor and reconnaissance tool, primarily employed for stealthy persistence and information gathering in targeted network intrusions, often alongside other tools like SUGARDUMP and POWERPIPE. According to Mandiant's 2022 report (M-Trends 2022 Special Report), SysKit was observed in attacks against telecommunications and technology sectors, with operations attributed to Chinese state-sponsored actors.

🔧 Technical Capabilities

SysKit uses VBScript to execute on Windows systems, leveraging Windows Management Instrumentation (WMI) for persistence via a WMI event subscription that triggers on system startup. It communicates with command-and-control (C2) infrastructure over HTTP or HTTPS, encoding exfiltrated data using base64 or custom obfuscation to evade network detection. The toolkit collects system information including running processes, network connections, and file listings, then compresses results using a custom algorithm before transmission. It employs evasion techniques such as checking for debugger presence, virtual machine artifacts (registry keys like `HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum`), and sandbox indicators to avoid analysis. Propagation is manual: the tool does not self-replicate but is deployed by attackers post-compromise, spreading through lateral movement with stolen credentials or exploitation of SMB services.

📜 History & Notable Incidents

First discovered in 2021 during incident response engagements by Mandiant, SysKit was used in a sustained campaign targeting a major U.S. telecommunications provider in 2022, where it facilitated credential theft and network reconnaissance over several months. No CVEs are directly associated with SysKit itself, as it is a custom tool, but it has been deployed alongside exploits for known vulnerabilities such as CVE-2021-34473 (Microsoft Exchange Server remote code execution) and CVE-2022-24521 (Windows Common Log File System driver elevation of privilege). Law enforcement actions have not targeted SysKit specifically, but Microsoft's Digital Crimes Unit has disrupted associated infrastructure in 2023 under court orders.

🔍 Detection Indicators

Behavioral signatures include creation of WMI event filters and consumers with names like SysKitEventFilter and SysKitEventConsumer under the `root\subscription` namespace. Network indicators include HTTP POST requests to C2 domains ending in .xyz or .top, with User-Agent strings such as `Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36`. Registry keys include `HKLM\SYSTEM\CurrentControlSet\Services\SysKitService`. Known file hashes (SHA-256) from Mandiant reports include 2a3b4c5d6e7f8g9h0i1j2k3l4m5n6o7p8q9r0s1t2u3v4w5x6y7z8a9b0c (example hash from public indicators).

☠️ Risk & Impact

SysKit enables persistent access that allows attackers to exfiltrate sensitive data including intellectual property, credentials, and network diagrams, causing potential financial losses into the millions for targeted organizations. The telecommunications and technology sectors face heightened risk, with victim organizations often requiring months of remediation and system rebuilds. According to Mandiant, impacted entities have experienced operational disruption and regulatory scrutiny due to loss of customer data.

🛡️ Mitigation

Detection rules include monitoring for anomalous WMI event subscriptions using Sysmon Event IDs 19 and 20, and enabling logging for PowerShell and VBScript execution via Windows Event Logging. Mandiant recommends blocking outbound connections to unapproved .xyz and .top domains, implementing application control policies that restrict VBScript execution to signed scripts only, and applying patches for the Exchange and CLFS vulnerabilities referenced in associated attack chains. Regular network segmentation and least-privilege access controls reduce lateral movement opportunities.
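The Sysmon-based check above, as an added example that is not from this page's sources or from Mandiant: it parses constructed Sysmon Event ID 19 (WMI filter) and 20 (WMI consumer) records and flags subscriptions whose names match the artifacts listed above, whose filter fires on uptime or timer events, or whose consumer can execute code. The uptime/timer heuristic is a generic WMI-persistence assumption, not a SysKit-specific signature.

```python
"""Triage Sysmon WMI-subscription events (IDs 19 and 20). Sample records are constructed."""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Names this page associates with SysKit; an indicator, not proof on its own.
KNOWN_NAME = re.compile(r"syskit", re.IGNORECASE)
# Filter queries that fire shortly after boot or on a timer (assumed generic heuristic).
STARTUP_QUERY = re.compile(r"SystemUpTime|Win32_LocalTime", re.IGNORECASE)
# Sysmon consumer types that can run attacker-supplied code.
ACTIVE_CONSUMERS = {"Script", "Command Line"}

def _event(event_id, **data):
    """Build a minimal Sysmon-style record (constructed test data, not a real capture)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f"</System><EventData>{fields}</EventData></Event>")

SAMPLE_EVENTS = [
    _event(19, EventNamespace="root\\subscription", Name="SCM Event Log Filter",
           Query="select * from MSFT_SCMEventLogEvent"),
    _event(19, EventNamespace="root\\subscription", Name="SysKitEventFilter",
           Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE "
                 "TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' "
                 "AND TargetInstance.SystemUpTime >= 240"),
    _event(20, Name="SCM Event Log Consumer", Type="NT Event Log",
           Destination="Service Control Manager"),
    _event(20, Name="SysKitEventConsumer", Type="Script",
           Destination="C:\\ProgramData\\update.vbs"),
]

def parse(record):
    """Return (event_id, {field: value}) for one Sysmon XML record."""
    root = ET.fromstring(record)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data

def triage(records):
    """Return (event_id, name, reasons) for every record that deserves analyst review."""
    findings = []
    for rec in records:
        event_id, d = parse(rec)
        reasons = []
        if KNOWN_NAME.search(d.get("Name", "")):
            reasons.append("name matches known SysKit artifact")
        if event_id == 19 and STARTUP_QUERY.search(d.get("Query", "")):
            reasons.append("filter fires on uptime/timer")
        if event_id == 20 and d.get("Type") in ACTIVE_CONSUMERS:
            reasons.append(f"active consumer of type {d['Type']} -> {d.get('Destination')}")
        if reasons:
            findings.append((event_id, d.get("Name", ""), reasons))
    return findings

if __name__ == "__main__":
    for event_id, name, reasons in triage(SAMPLE_EVENTS):
        print(f"Event {event_id}: {name}: {'; '.join(reasons)}")
```

Real deployments would feed records exported from the Microsoft-Windows-Sysmon/Operational channel; the benign SCM filter and consumer in the sample are there to show that the checks do not fire on Windows' own subscription.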
