The SystemBC malware, a notorious threat since 2019, has expanded into an extensive botnet infrastructure, now controlling over 10,000 devices worldwide. This malware primarily operates as a SOCKS5 proxy and backdoor, allowing cybercriminals to conceal their malicious traffic and maintain access to compromised networks over extended periods.
SystemBC’s Evolving Architecture
By transforming infected devices into communication relays, SystemBC enables attackers to route command-and-control traffic through victim machines. This technique obscures their true locations, making it challenging for defenders to trace and attribute attacks accurately. Despite efforts by law enforcement, such as Europol’s Operation Endgame in May 2024, the botnet remains resilient, adapting its tactics by targeting hosting providers instead of residential networks.
This strategic shift has resulted in longer infection durations, with systems remaining compromised for an average of 38 days, and some cases extending over 100 days. The botnet is a precursor to ransomware attacks, facilitating data theft and further exploitation by tunneling traffic.
Global Impact and Targeted Regions
Research by Silent Push analysts highlights the resurgence of SystemBC, with sophisticated tracking of infected IP addresses worldwide. The United States emerges as the primary target, with over 4,300 compromised devices. Other significant concentrations are identified in Germany, France, and Singapore. Notably, sensitive government environments in Vietnam and Burkina Faso have also experienced breaches, with high-density servers hosting official websites being compromised.
These compromised assets are often exploited to launch additional attacks or support other criminal activities, raising concerns about cybersecurity defenses in critical infrastructures.
Undetected Perl Variant and Security Implications
A critical discovery in this campaign involves a previously undocumented SystemBC variant written in Perl, designed to evade traditional security controls. This variant, initially undetected by major antivirus engines, is typically deployed by ELF binary droppers known as “SafeObject” and “StringHash.” These droppers utilize UPX packing to obscure their malicious code, complicating static analysis.
Upon execution, the droppers search for writable directories on the host system and deploy hundreds of embedded payloads. The dropper code is notably “noisy” and contains Russian-language strings, potentially indicating the threat actor’s origins. Given SystemBC’s role in early intrusion stages, security teams are advised to monitor these indicators proactively to prevent escalation to ransomware attacks.
Stay updated on cybersecurity developments by following us on Google News, LinkedIn, and X. Set CSN as your preferred source in Google for instant updates.
