SystemBC Powers REM Proxy With 1,500 Daily VPS Victims Across 80 C2 Servers

Posted on September 19, 2025 by CWS

Sep 19, 2025Ravie LakshmananBotnet / Community Safety
A proxy community often called REM Proxy is powered by malware often called SystemBC, providing about 80% of the botnet to its customers, in response to new findings from the Black Lotus Labs staff at Lumen Applied sciences.
“REM Proxy is a sizeable community, which additionally markets a pool of 20,000 Mikrotik routers and quite a lot of open proxies it finds freely out there on-line,” the corporate mentioned in a report shared with The Hacker Information. “This service has been a favourite for a number of actors reminiscent of these behind TransferLoader, which has ties to the Morpheus ransomware group.”
SystemBC is a C-based malware that turns contaminated computer systems into SOCKS5 proxies, permitting contaminated hosts to speak with a command-and-control (C2) server and obtain further payloads. First documented by Proofpoint in 2019, it is able to focusing on each Home windows and Linux programs.

In a report earlier this January, ANY.RUN revealed that the Linux variant of the SystemBC proxy implant is potentially designed for internal corporate services, and that it is mainly used to target corporate networks, cloud servers, and IoT devices.

As is typically the case with any proxy solution, users of the network reach out to SystemBC C2s on high-numbered ports, which then route the user through to one of the victims before reaching their destination.

According to Lumen, the SystemBC botnet comprises over 80 C2 servers and a daily average of 1,500 victims, of which nearly 80% are compromised virtual private server (VPS) systems from several large commercial providers. Interestingly, 300 of those victims are part of another botnet called GoBruteforcer (aka GoBrut).

Of these, close to 40% of the compromises have “extremely long average” infection lifespans, lasting over 31 days. To make matters worse, the vast majority of the victimized servers have been found to be susceptible to several known security flaws. Each victim has 20 unpatched CVEs and at least one critical CVE on average, with one of the identified VPS servers in the U.S. city of Atlanta vulnerable to more than 160 unpatched CVEs.

“The victims are made into proxies that enable high volumes of malicious traffic for use by a host of criminal threat groups,” the company noted. “By manipulating VPS systems instead of devices in residential IP space, as is typical in malware-based proxy networks, SystemBC can offer proxies with massive amounts of volume for longer periods of time.”

Besides REM Proxy, some of the other customers of SystemBC include at least two different Russia-based proxy services, one Vietnamese proxy service called VN5Socks (aka Shopsocks5), and a Russian web scraping service.

Crucial to the functioning of the malware is the IP address 104.250.164[.]214, which not only hosts the artifacts but also appears to be the source of attacks to recruit potential victims. Once new victims are ensnared, a shell script is dropped on the machine to subsequently deliver the malware.
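
For operators of VPS fleets, the address named above can be hunted for in flow logs. The following is an added example, not code from Lumen or the original article: it separates inbound contact from that address (the attack source role) from outbound contact to it (the artifact host role), and adds an assumed fan-out heuristic for proxy-like relaying. The log format, host addresses, ports and threshold are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Indicator from the article, printed there defanged as 104.250.164[.]214.
IOC = ipaddress.ip_address("104.250.164[.]214".replace("[.]", "."))

# Constructed flow records (not real telemetry; ports are arbitrary).
# Assumed format: time src_ip src_port dst_ip dst_port
SAMPLE_FLOWS = """\
2025-09-19T10:00:01Z 104.250.164.214 51544 203.0.113.10 8080
2025-09-19T10:00:09Z 203.0.113.10 40112 104.250.164.214 80
2025-09-19T10:05:00Z 203.0.113.10 40200 198.51.100.1 443
2025-09-19T10:05:01Z 203.0.113.10 40201 198.51.100.2 443
2025-09-19T10:05:02Z 203.0.113.10 40202 198.51.100.3 443
2025-09-19T10:05:03Z 203.0.113.10 40203 198.51.100.4 80
2025-09-19T10:06:00Z 203.0.113.20 50100 198.51.100.1 443
not a flow record
"""

def parse_flows(text):
    """Yield (src, dst, dport) tuples, skipping lines that do not parse."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            yield (ipaddress.ip_address(parts[1]),
                   ipaddress.ip_address(parts[3]), int(parts[4]))
        except ValueError:
            continue

def hunt(text, own_hosts, fanout_threshold=4):
    """Return {host: sorted findings} for the servers listed in own_hosts."""
    own = {ipaddress.ip_address(h) for h in own_hosts}
    findings = defaultdict(set)
    peers = defaultdict(set)
    for src, dst, dport in parse_flows(text):
        if src == IOC and dst in own:
            findings[str(dst)].add("inbound-from-ioc")   # contacted by the attack source
        if dst == IOC and src in own:
            findings[str(src)].add("outbound-to-ioc")    # possible artifact download
        if src in own and dst != IOC:
            peers[src].add(dst)
    for host, dsts in peers.items():
        # Assumed heuristic: many distinct destinations may indicate proxy relaying.
        if len(dsts) >= fanout_threshold:
            findings[str(host)].add("high-fanout")
    return {h: sorted(f) for h, f in findings.items()}

print(hunt(SAMPLE_FLOWS, ["203.0.113.10", "203.0.113.20"]))
```

A host showing both the inbound and outbound findings warrants a check for a recently dropped shell script; the fan-out threshold needs tuning against each server's normal traffic.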
The botnet operates with little regard for stealth, with the primary goal being to expand in volume to enlist as many devices as possible into the botnet. One of the largest use cases of the illicit network is by the threat actors behind SystemBC themselves, who use it to brute-force WordPress site credentials.

The end goal is likely to sell the harvested credentials to other criminal actors in underground forums, who then weaponize them to inject malicious code into the sites in question for follow-on campaigns.

“SystemBC has exhibited sustained activity and operational resilience across multiple years, establishing itself as a persistent vector within the cyber threat landscape,” Lumen said. “Originally used by threat actors to enable ransomware campaigns, the platform has evolved to offer the assembly and sale of bespoke botnets.”

“Their model offers considerable advantages: it enables the execution of widespread reconnaissance, spam dissemination, and related activities, allowing an attacker to reserve more selective proxy resources for targeted attacks informed by prior intelligence gathering.”
