Malware authors behind a commodity malware called SystemBC have added new features to their backdoor that allowed them to turn it into a Tor proxy and remote control tool. The new version of the malware has been observed in recent ransomware attacks, involving the Ryuk and Egregor ransomware, where SystemBC has been used together with other post-exploitation tools such as Cobalt Strike.
In some cases, the SystemBC RAT was deployed to servers after the attackers had gained administrative credentials and moved deep into the targeted network, according to a new report from Sophos.
SystemBC, which first appeared in the threat landscape in 2019, is a proxy and remote administrative tool, able to execute Windows commands, deliver and execute scripts, as well as malicious executables and dynamic link libraries (DLLs). Usually, SystemBC is delivered on target systems via other malware, providing attackers with a persistent backdoor.
Once dropped and executed, SystemBC checks if it was executed as a scheduled service. If not, it copies itself to a randomly-named directory and file name within the ProgramData directory, and then schedules that copy as a task (launched with the “start” command) to achieve persistence.
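As an added example (not from Sophos or this article), the following Python check runs over exported scheduled-task rows and surfaces the persistence pattern just described: an executable in a single randomly named ProgramData subdirectory, launched through the "start" command. The sample rows, the path pattern and the "random-looking name" heuristic are constructed assumptions of this example, not SystemBC indicators.

```python
import re
from typing import Optional

# Constructed sample of scheduled-task rows (task name, action command line), in the
# shape a defender gets from `schtasks /query /fo csv /v`. Paths and names are made
# up for this example; they are not real SystemBC indicators.
SAMPLE_TASKS = [
    ("\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", r"%windir%\system32\defrag.exe -c -h -o -$"),
    ("\\Updater", r"cmd.exe /c start C:\ProgramData\hqzkwd\tbnvrc.exe"),
    ("\\Backup", r"C:\ProgramData\Vendor\Backup\backup.exe /silent"),
    ("\\x", r'cmd /c start "" "C:\ProgramData\aoeiuqp\lksjdf.exe"'),
]

# Matches <drive>:\ProgramData\<exactly one directory>\<file>.exe, capturing both names.
PROGRAMDATA_EXE = re.compile(
    r'[a-z]:\\programdata\\([^\\"\s]+)\\([^\\"\s]+?)\.exe', re.IGNORECASE)

def looks_random(name: str) -> bool:
    """Crude heuristic (an assumption of this example, not a SystemBC signature):
    a purely alphabetic name of 5+ characters whose vowel share is far from what
    natural words show is treated as randomly generated."""
    if len(name) < 5 or not name.isalpha():
        return False
    ratio = sum(ch in "aeiou" for ch in name.lower()) / len(name)
    return ratio < 0.2 or ratio > 0.6

def assess_task(command: str) -> Optional[str]:
    """Return a reason string when the action matches the pattern described above
    (random ProgramData\\<dir>\\<file>.exe and/or launch via 'start'), else None."""
    m = PROGRAMDATA_EXE.search(command)
    if not m:
        return None
    directory, stem = m.group(1), m.group(2)
    reasons = []
    if looks_random(directory) and looks_random(stem):
        reasons.append("random-looking ProgramData directory and file name")
    if re.search(r"\bstart\b", command, re.IGNORECASE):
        reasons.append("launched through the 'start' command")
    return "; ".join(reasons) if reasons else None

def flag_tasks(tasks):
    """Apply assess_task to (name, command) pairs; return the flagged task names."""
    return [name for name, cmd in tasks if assess_task(cmd)]

if __name__ == "__main__":
    for name, cmd in SAMPLE_TASKS:
        print(name, "->", assess_task(cmd) or "ok")
```

Tasks whose executable sits two or more directories below ProgramData (the vendor-style row) are deliberately not matched, which keeps the check narrow at the cost of missing variants that nest deeper.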
The SystemBC RAT communicates with its C&C server via a Tor connection.
“The Tor communications element of SystemBC appears to be based on mini-tor, an open-source library for lightweight connectivity to the Tor anonymized network. The code of mini-Tor isn’t duplicated in SystemBC (since mini-Tor is written in C++ and SystemBC is compiled from C). But the bot’s implementation of the Tor client closely resembles the implementation used in the open-source program, including its extensive use of the Windows Crypto Next Gen (CNG) API’s Base Crypto (BCrypt) functions,” the researchers explained.
Upon execution, the bot collects various system-related data, such as the active Windows user name, the Windows build number of the infected system, whether the OS on the infected system is 32-bit or 64-bit, and the volume serial number, and sends this information to the command and control server, which sends a number of payloads back to the infected system.
“SystemBC can parse and execute EXE or DLL data blobs passed over the Tor connection, shell code, VBS scripts, Windows commands and batch scripts, and PowerShell scripts,” according to the report.
In the Ryuk ransomware attack observed by Sophos in September, the SystemBC malware was deployed on the target network's domain controller, likely using Cobalt Strike. Two months later, in November, SystemBC was spotted in the Egregor ransomware attack, again in association with Cobalt Strike, though the researchers are not sure which dropped which.
“All of these attacks appear to have been launched by affiliates of the ransomware operators, or by the ransomware gangs themselves through multiple malware-as-a-service providers. They involved days or weeks of time on the targets’ networks and data exfiltration. SystemBC is an attractive tool in these types of operations because it allows for multiple targets to be worked at the same time with automated tasks, allowing for hands-off deployment of ransomware using Windows built-in tools if the attackers gain the proper credentials,” Sophos concluded.