SystemBC RAT is favored by ransomware operators
Ransomware operators are deliberately using the SystemBC RAT to maintain long-term persistence on compromised computers. The malware has been for sale on underground forums since 2019, and more recently it has adopted Tor to encrypt its command-and-control traffic.
Earlier versions of SystemBC functioned like a VPN, using a SOCKS5 proxy in the backdoor. It has since evolved into an off-the-shelf tool.
- It can execute Windows commands, load malicious DLLs, drop files, provide remote administration and control, and set up backdoors through which operators send commands.
- Over time it has developed into a sophisticated backdoor that leverages the anonymity of the Tor network to conceal its communication with its C2 servers.
- Most recently the malware has been offered as an off-the-shelf platform, available through malware-as-a-service deals. In some cases it has remained present on compromised computers for days or weeks.
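The page notes that SystemBC wraps a SOCKS5 proxy inside the backdoor and relays C2 over Tor. The following is an added detection example, not code from the original article or from any SystemBC analysis: it checks constructed outbound-connection records for a well-formed SOCKS5 client greeting (RFC 1928: version byte 0x05, a method count, then that many method bytes) sent by a process that is not expected to speak SOCKS5, and separately flags connections to ports commonly associated with Tor. The port list, the allowlist of proxy-capable processes, and all sample records are assumptions for illustration; SystemBC's exact wire format is not described on the page, so the detector is generic.

```python
# Added example (not from the original page): flag SOCKS5 greetings and
# Tor-associated ports in outbound connection records, from a defender's view.
from dataclasses import dataclass

# Assumption: common Tor ORPort/directory/SOCKS ports; tune per environment.
TOR_PORTS = {9001, 9030, 9050, 9051, 9150}
# Assumption: processes in this environment that legitimately speak SOCKS5.
EXPECTED_PROXY_CLIENTS = {"firefox.exe", "chrome.exe", "tor.exe"}


@dataclass
class ConnRecord:
    process: str
    dst_ip: str
    dst_port: int
    first_bytes: bytes  # first payload bytes the client sent on the socket


def is_socks5_greeting(payload: bytes) -> bool:
    """True if payload starts with a well-formed SOCKS5 client greeting:
    VER=0x05, NMETHODS=n (1..255), followed by at least n method bytes.
    '>=' rather than '==' because a client may coalesce the greeting with
    its first request in the same segment."""
    if len(payload) < 3 or payload[0] != 0x05:
        return False
    nmethods = payload[1]
    if nmethods == 0:
        return False
    return len(payload) >= 2 + nmethods


def classify(rec: ConnRecord) -> list[str]:
    """Return the reasons this record looks suspicious (empty list if none)."""
    reasons = []
    allowed = rec.process.lower() in EXPECTED_PROXY_CLIENTS
    if is_socks5_greeting(rec.first_bytes) and not allowed:
        reasons.append(f"SOCKS5 greeting from unexpected process {rec.process}")
    if rec.dst_port in TOR_PORTS and not allowed:
        reasons.append(f"connection to Tor-associated port {rec.dst_port}")
    return reasons


# Constructed sample records (RFC 5737 documentation addresses), not real traffic.
SAMPLE_RECORDS = [
    ConnRecord("firefox.exe", "203.0.113.10", 443, b"\x16\x03\x01"),     # TLS ClientHello, benign
    ConnRecord("svchost.exe", "198.51.100.7", 9050, b"\x05\x01\x00"),     # SOCKS5 no-auth greeting to Tor SOCKS port
    ConnRecord("updater.exe", "192.0.2.44", 8080, b"\x05\x02\x00\x02"),   # SOCKS5 greeting offering no-auth and user/pass
    ConnRecord("firefox.exe", "192.0.2.9", 9050, b"\x05\x01\x00"),        # browser on allowlist talking to a Tor SOCKS port
]


def scan(records) -> dict:
    """Map (process, dst_ip, dst_port) to the list of reasons it was flagged."""
    return {(r.process, r.dst_ip, r.dst_port): classify(r) for r in records}


if __name__ == "__main__":
    for key, reasons in scan(SAMPLE_RECORDS).items():
        if reasons:
            print(key, "->", "; ".join(reasons))
```

In practice the `first_bytes` field would come from a network sensor or EDR that records initial payload bytes per flow; a plain SOCKS5 greeting from a system process such as `svchost.exe` is the signal worth alerting on, while the same bytes from an allowlisted browser are expected.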
SystemBC has recently been used by a range of ransomware operators, including those behind Ryuk and Egregor, alongside post-exploitation tools such as Cobalt Strike.
- Several weeks earlier, Egregor ransomware operators were detected using SystemBC to construct an obfuscated backchannel for data exfiltration and attack communications.
- Ryuk ransomware operators have also been observed using SystemBC during attacks to maintain persistence.
Ransomware operators favor off-the-shelf tools like SystemBC because they deliver many persistence features out of the box. Experts therefore recommend that organizations deploy a robust anti-malware solution to detect such malware, keep reliable backups of critical data, and train employees to recognize phishing and spam emails.