Cybersecurity researchers have recently analyzed the command-and-control (C2) server of the SystemBC malware [2] [3], a well-known family that can be purchased on underground marketplaces [3] [4] [5]. This analysis exposes payload delivery tricks used by the malware [2], including its ability to serve as a persistent backdoor for threat actors.
Description
SystemBC is a malware that allows hackers to remotely control compromised hosts and deliver additional payloads [4] [5], such as trojans [5], Cobalt Strike [5], and ransomware [1] [5]. It supports the launching of additional modules to expand its functionality [5]. To mask network traffic to and from the C2 infrastructure [3] [4] [5], SystemBC utilizes SOCKS5 proxies [5]. Customers who purchase SystemBC receive an installation package that includes an implant executable [3] [4] [5], C2 server binaries for Windows and Linux [4], and a PHP file for the C2 panel interface [3] [4] [5]. The C2 server opens multiple TCP ports for C2 traffic [3] [4] [5], inter-process communication [5], and each active implant [5]. The PHP-based panel not only displays a list of active implants but also enables the execution of shellcode and arbitrary files on victim machines [3].
In addition to the SystemBC analysis [3], cybersecurity researchers have also discovered a weakness in the custom Base64 alphabet used by the DarkGate remote access trojan (RAT). This weakness makes it easy to decode sensitive files, such as configuration and keylogger files [3], which contain valuable information, including passwords and composed emails [3].
Conclusion
The availability of SystemBC on the dark web highlights the ease with which malicious tools can be acquired and raises questions about the cybersecurity landscape [1]. Its use by ransomware groups is particularly significant [1], as it allows them to launch further attacks and potentially deploy ransomware [1]. Robust security measures and proactive defense strategies are necessary to mitigate the risks associated with this tool [1]. Security practitioners must stay informed [1], collaborate [1], and adapt their security practices to defend against emerging threats in an ever-evolving cybersecurity landscape [1].
References
[1] https://linuxsecurity.com/news/network-security/systembc-tool
[2] https://owasp.or.id/2024/01/25/lodeinfo-fileless-malware-evolves-with-anti-analysis-and-remote-code-tricks/
[3] https://thehackernews.com/2024/01/systembc-malwares-c2-server-analysis.html
[4] https://flyytech.com/2024/01/25/systembc-malwares-c2-server-analysis-exposes-payload-delivery-tricks/
[5] https://www.techidee.nl/de-c2-serveranalyse-van-systembc-malware-legt-trucs-voor-het-leveren-van-payloads-bloot/4782/