SystemBC malware leads automate payload delivery
SystemBC, a malware firstly spotted back in 2018 and was used in several 2019 campaigns as Virtual private network, now being found to be used by attackers in their RaaS operations to hide malicious traffic and automate ransomware payload deliveries.
The malware helps the malicious authors to deploy persistence backdoor in a form of Tor SOCKS5 proxy and obfuscate the communications channels for automate ransomware payload deliveries.
Sophos researchers, while investigating recent Ryuk and Egregor ransomware attacks, observed that SystemBC has been deployed in the attacks happened last months.
Sean Gallagher, a Sophos security researcher said, “We are increasingly seeing ransomware operators outsource the deployment of ransomware to affiliates using commodity malware and attack tools. SystemBC is a regular part of recent ransomware attackers’ toolkits— Sophos has detected hundreds of attempted SystemBC deployments worldwide over the last few months.”
Ryuk deployed SystemBC via Buer Loader, Bazar Loader or other malicious malware strains, while Egregor preferred Qbot info stealer for the same.
The ransomware operators use the persistence payload as a remote access/ administration tool with Cobalt strike post exploitation tool to access victims’ networks. Also, this malware is used in deployment of the ransomware on the network endpoint after ex-filtration of the stolen data is done.
Also, the malware is used to execute commands on infected Windows device sent over Tor connection and also to deliver malicious scripts, DLLS and scripts that automatically executed without users’ intervention.
Gallagher said, “The use of multiple tools in ransomware-as-a-service attacks creates an ever more diverse attack profile that is harder for IT security teams to predict and deal with. Defense-in-depth, employee education and human-based threat hunting are essential to detecting and blocking such attacks.”
