SystemBC

SystemBC is a Remote Access Trojan (RAT) that can hide communication with the Command and Control server, and deposit other malware strains.

Type: RAT
Origin:
First seen: 1 August, 2019
Last seen: 31 March, 2023
Also known as: Coroxy, Socks5 backconnect system
Global rank: 49
Week rank: 29
Month rank: 31
IOCs: 299

What is SystemBC malware

SystemBC is a Remote Access Trojan (RAT) discovered by Proofpoint in 2019. As soon as it appeared on the radar of security specialists, they began to notice its use in a number of parallel ransomware campaigns, which is typical of malware sold on underground forums. The hypothesis was quickly validated: researchers found an advertisement promoting a malware called “socks5 backconnect system,” whose described functionality matched SystemBC almost to a tee.

Purchasers would receive an archive containing the bot executable, the C2 server executable, and a basic admin panel written in PHP.

This malware’s main function at the time was concealing the communication with the Command and Control server. Once the RAT made its way into the victim's system, it began the execution process by creating a hidden and encrypted communication channel with the attacker's C2 server. This communication channel then allowed the attacker to remotely control the infected machine and perform a variety of actions: uploading and downloading files, executing commands, and disabling security software.

Originally, the malware established its connection through SOCKS5 proxies, but later iterations switched to the Tor network. Afterwards, the attackers replaced Tor with hard-coded addresses reached over plain IPv4 TCP, using non-standard ports.

Its ability to hide malicious traffic has made this RAT extremely popular among ransomware gangs. Among other things, SystemBC was used in the DarkSide attack on the American Colonial Pipeline. It also featured in countless Ransomware-as-a-Service (RaaS) attacks, including those with Ryuk and Egregor.

Over the lifetime of this malware, its creators have released a multitude of versions into the wild, gradually improving the RAT’s capabilities and expanding its use cases. And the evolution of this threat shows no signs of slowing down, with new and modified versions appearing constantly.

To make life easier, researchers broadly divide versions into two categories:

Type one combines malware which is able to update itself, but nothing more. These are the earlier variants of the program, which mostly date back to 2019 and 2020. They can perform the following actions:

  • Self-update
  • Proxy traffic, typically using SOCKS5 proxies

Type two includes the later iterations of SystemBC. There really are a lot of them, and some are functionally quite different from the others. On top of the capabilities of the first type, they can also:

  • Proxy traffic through the Tor network and over IPv4 TCP on non-standard ports
  • Load and execute Batch and VBS scripts
  • Execute Windows commands
  • Install malware in the form of a DLL that runs in memory

And in 2022, researchers also discovered a PowerShell SystemBC variant.

How to get more information from SystemBC malware

Track SystemBC’s execution process in the process graph in ANY.RUN interactive online sandbox.

Figure 1: The process graph of SystemBC malware

In ANY.RUN, users can access detailed malware configuration data about 10 seconds after launching the sandbox, without having to wait for the emulation to finish. Check this SystemBC sample for analysis.

SystemBC execution process

The execution process of SystemBC depends on the version, but it is always fairly straightforward. In general, after infection the malware connects to its C2 server and waits for further commands. The latest versions may download files or turn the infected PC into a proxy. In our case, the main executable uses the Scheduled Task/Job: Scheduled Task (T1053.005) technique to run itself under a generated task name. The configuration of this malware is short and contains only one or a couple of IP addresses or domains that it will try to connect to. The malware also encrypts its traffic.
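The persistence and beaconing behaviour described above can be expressed as a simple correlation rule. The following Python is an added example, not code from ANY.RUN or from the malware: it runs over constructed Sysmon-style events (invented for this example, not real telemetry) and flags a schtasks registration whose task name looks generated, followed by the registered binary connecting to a non-standard TCP port. The vowel-ratio heuristic and the allowlist of common ports are assumptions for illustration.

```python
import re

# Constructed Sysmon-style events: EventID 1 = process creation,
# EventID 3 = network connection. Invented samples, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn wkjxqe /tr "C:\Users\u\AppData\Roaming\kzqfb.exe" /sc onlogon'},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn VendorUpdate /tr "C:\Program Files\Vendor\updater.exe" /sc daily'},
    {"EventID": 3, "Image": r"C:\Users\u\AppData\Roaming\kzqfb.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 4001},
    {"EventID": 3, "Image": r"C:\Program Files\Vendor\updater.exe",
     "DestinationIp": "203.0.113.20", "DestinationPort": 443},
]

COMMON_PORTS = {80, 443, 8080, 8443}  # assumed allowlist of "expected" ports

def looks_generated(name):
    """Heuristic (assumption): short all-lowercase token with few vowels, e.g. 'wkjxqe'."""
    if not re.fullmatch(r"[a-z0-9]{5,12}", name):
        return False
    return sum(ch in "aeiou" for ch in name) / len(name) < 0.25

def _arg(cmdline, flag):
    """Value following a schtasks flag such as /tn or /tr, quotes stripped."""
    m = re.search(re.escape(flag) + r'\s+("([^"]+)"|(\S+))', cmdline)
    return (m.group(2) or m.group(3)) if m else None

def suspicious_tasks(events):
    """Map registered binary (lowercased) -> task name for T1053.005 registrations
    whose task name looks generated."""
    found = {}
    for ev in events:
        if ev["EventID"] != 1 or not ev["Image"].lower().endswith("schtasks.exe"):
            continue
        cmd = ev["CommandLine"]
        name, target = _arg(cmd, "/tn"), _arg(cmd, "/tr")
        if "/create" in cmd.lower() and name and target and looks_generated(name):
            found[target.lower()] = name
    return found

def correlate(events):
    """Pair generated-name tasks with outbound connections to non-standard ports."""
    tasks = suspicious_tasks(events)
    hits = []
    for ev in events:
        if ev["EventID"] == 3 and ev["Image"].lower() in tasks \
                and ev["DestinationPort"] not in COMMON_PORTS:
            hits.append((tasks[ev["Image"].lower()], ev["Image"],
                         f'{ev["DestinationIp"]}:{ev["DestinationPort"]}'))
    return hits
```

Running `correlate(SAMPLE_EVENTS)` yields the single task/binary/destination triple for the generated-name task; the vendor updater with a readable task name and a 443 connection is not reported.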

Figure 2: The network stream of SystemBC malware

Distribution of SystemBC

SystemBC was originally distributed using RIG and Fallout exploit kits. But now it’s typically dropped by other malware strains, which in turn make their way into machines as malicious attachments in spam email campaigns, or when users download pirated software.

Here are a few malware families that were spotted spreading this RAT:

Interestingly, while these malicious programs can drop SystemBC on machines they infect, sometimes that relationship is inverted. For example, SystemBC has been observed infecting compromised machines with Cobalt Strike.

Conclusion

SystemBC is a peculiar malware, and its use cases are almost as varied as its variants. It is frequently found in powerful ransomware attacks, is used to gain a foothold in networks in conjunction with Cobalt Strike, and can drop a range of post-exploitation tools.

This is one to keep an eye on. If the sheer number of SystemBC versions means anything, it is that the developers will keep advancing its capabilities, making it more and more dangerous. And its possible connection with hard-hitting ransomware gangs means that we will likely see it used again in sophisticated, targeted attacks.

IOCs

