SystemBC, a well-known piece of commodity malware, continues to spread across enterprise networks, where criminals use it to covertly tunnel their traffic. Security researchers have associated it with some of the most damaging ransomware incidents.
Understanding SystemBC Malware
SystemBC acts as a hidden asset for cybercriminals: it lets them keep access to compromised systems while routing malicious traffic through unsuspecting hosts. Also tracked under the alias Coroxy, this Windows-based threat functions as a SOCKS5 proxy, backdoor, and remote access tool.
The malware first emerged in 2018 and 2019, when it was delivered via the RIG and Fallout exploit kits. Since then, SystemBC has become a popular tool on underground forums, used by numerous criminal groups.
SystemBC’s Role in Ransomware Attacks
Research by Picus shows that SystemBC operates as a persistent backdoor and proxy, turning infected machines into conduits for malicious traffic. This capability has linked it to ransomware groups such as Ryuk, Egregor, and Conti, and to several recent high-profile breaches.
SystemBC’s ability to blend into normal network traffic is what makes it particularly dangerous. By masking the communications of other malware, it often goes unnoticed, which makes it a preferred option for ransomware operators seeking to evade detection.
Technical Evolution and Detection Challenges
Initially using plain TCP and SOCKS5 protocols, SystemBC has since added Tor support, which complicates detection. The malware embeds Tor directory-authority addresses in its binary and encrypts its communications to further obscure its activity.
Beyond proxying, SystemBC can execute scripts and payloads, including EXE files and PowerShell scripts, directly in memory. This leaves fewer traces on disk and complicates forensic investigation.
SystemBC is typically deployed after initial access has been gained through loaders such as Buer and QBot. It establishes persistence through scheduled tasks and registry entries so that it survives system reboots.
Defense Strategies Against SystemBC
Security teams are advised to focus on behavior-based detection rather than relying solely on signature scanning, because the malware’s in-memory execution and randomly named files can bypass traditional antivirus solutions.
Monitoring network traffic for unusual Tor or SOCKS5 patterns, and watching for anomalous scheduled tasks and registry entries, can help detect SystemBC activity.
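The following Python script is an added example, not code from the article or from Picus, that turns the two behavioral checks above (unusual SOCKS5 handshakes on the wire; scheduled-task and Run-key persistence pointing at suspicious binaries) into working triage logic over constructed data. The SOCKS5 parsing follows RFC 1928; the log records are flattened dicts loosely shaped like Sysmon Event ID 13 (registry value set) and Windows Security Event ID 4698 (scheduled task created), and their field names, the host addresses, the `proxy.corp.example` allowlist entry and the file names are all assumptions made for illustration.

```python
"""Behaviour-based triage for SystemBC-style activity (added example).

All packet bytes and log records below are constructed. Event dicts loosely
follow Sysmon Event ID 13 and Windows Security Event ID 4698 with assumed fields.
"""
import ipaddress
import re

# ---- Network side: recognise SOCKS5 handshakes (RFC 1928) in TCP payloads ----
SOCKS5_VER = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
KNOWN_PROXIES = frozenset({"proxy.corp.example"})  # assumed allowlist of sanctioned SOCKS servers

def is_socks5_greeting(payload: bytes) -> bool:
    """Client greeting: VER=0x05, NMETHODS, then exactly NMETHODS method bytes."""
    return len(payload) >= 3 and payload[0] == SOCKS5_VER and len(payload) == 2 + payload[1]

def parse_socks5_request(payload: bytes):
    """Return (command, destination host, port) for a SOCKS5 request, else None."""
    if len(payload) < 7 or payload[0] != SOCKS5_VER or payload[2] != 0x00:
        return None
    cmd, atyp = payload[1], payload[3]
    if atyp == 0x01 and len(payload) >= 10:                 # IPv4 address
        host, end = str(ipaddress.IPv4Address(payload[4:8])), 8
    elif atyp == 0x03 and len(payload) >= 7 + payload[4]:   # length-prefixed domain name
        n = payload[4]
        host, end = payload[5:5 + n].decode("ascii", "replace"), 5 + n
    elif atyp == 0x04 and len(payload) >= 22:               # IPv6 address
        host, end = str(ipaddress.IPv6Address(payload[4:20])), 20
    else:
        return None
    port = int.from_bytes(payload[end:end + 2], "big")
    return CMD_NAMES.get(cmd, f"UNKNOWN_{cmd:#04x}"), host, port

def socks5_findings(flows, allowed_proxies=KNOWN_PROXIES):
    """flows: (src, dst, dst_port, first payload bytes). Flag SOCKS5 handshakes
    whose server side is not a sanctioned proxy, e.g. a workstation acting as one."""
    findings = []
    for src, dst, port, payload in flows:
        if dst in allowed_proxies:
            continue
        if is_socks5_greeting(payload):
            findings.append(f"socks5-greeting {src}->{dst}:{port}")
        req = parse_socks5_request(payload)
        if req:
            cmd, target, tport = req
            findings.append(f"socks5-{cmd.lower()} {src}->{dst}:{port} target={target}:{tport}")
    return findings

# ---- Host side: persistence via Run keys and scheduled tasks ----
AUTORUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.I)

def extract_image(command: str) -> str:
    """First token of a command line, with surrounding quotes removed."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]

def looks_random(image: str) -> bool:
    """Weak heuristic for generated file names: 8+ alphanumerics with under 20% vowels."""
    stem = re.sub(r"\.[A-Za-z0-9]+$", "", image.rsplit("\\", 1)[-1])
    letters = [c for c in stem if c.isalpha()]
    if len(stem) < 8 or not stem.isalnum() or not letters:
        return False
    return sum(c.lower() in "aeiou" for c in letters) / len(letters) < 0.2

def host_findings(events):
    """Flag autorun values and new scheduled tasks whose target binary looks suspicious."""
    findings = []
    for ev in events:
        if ev["EventID"] == 13 and AUTORUN_KEY.search(ev["TargetObject"]):
            kind, label, image = "autorun", ev["TargetObject"], extract_image(ev["Details"])
        elif ev["EventID"] == 4698:
            kind, label, image = "scheduled-task", ev["TaskName"], extract_image(ev["Command"])
        else:
            continue
        reasons = [why for why, hit in (("user-writable path", USER_WRITABLE.search(image)),
                                        ("random-looking name", looks_random(image))) if hit]
        if reasons:
            findings.append(f"{kind} {label} -> {image} ({', '.join(reasons)})")
    return findings

SAMPLE_FLOWS = [  # constructed: (src, dst, dst_port, first TCP payload bytes)
    ("10.0.0.7", "10.0.0.20", 443, b"\x16\x03\x01\x00\xa5"),                    # TLS, benign
    ("10.0.0.9", "10.0.0.7", 4001, b"\x05\x01\x00"),                             # SOCKS5 greeting to a workstation
    ("10.0.0.9", "10.0.0.7", 4001, b"\x05\x01\x00\x03\x0bexample.com\x01\xbb"),  # CONNECT example.com:443
    ("10.0.0.7", "proxy.corp.example", 1080, b"\x05\x01\x00"),                   # sanctioned proxy, ignored
]

SAMPLE_EVENTS = [  # constructed; registry paths and file names are illustrative only
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\xqzvtbrk",
     "Details": r"C:\Users\alice\AppData\Roaming\xqzvtbrk\xqzvtbrk.exe"},
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "Command": r"%windir%\system32\defrag.exe -c -h -o -$"},
    {"EventID": 4698, "TaskName": r"\wmnkvprt", "Command": r"C:\ProgramData\wmnkvprt\wmnkvprt.exe"},
]

if __name__ == "__main__":
    for line in socks5_findings(SAMPLE_FLOWS) + host_findings(SAMPLE_EVENTS):
        print(line)
```

Run stand-alone, the script reports the two SOCKS5 handshake findings against the workstation and the two persistence entries pointing into user-writable directories, while the TLS flow, the sanctioned proxy, the OneDrive Run value and the built-in defrag task pass silently. The random-name heuristic is deliberately weak and only ever adds a reason; the path check carries the detection, and both need tuning against a baseline of the environment's legitimate autoruns and tasks.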
Running threat simulations within your own network can also expose weaknesses before attackers exploit them.
Indicators of Compromise (IoCs) include specific IP addresses and registry keys associated with SystemBC. These should be tracked through controlled threat intelligence platforms to avoid accidental exposure.
