SystemBC Being Used by Various Attackers – ASEC BLOG

SystemBC is a proxy malware that has been used by various attackers for years, functioning as both a proxy bot and a downloader for additional payloads. It has recently been distributed through SmokeLoader and Emotet and has featured in ransomware campaigns, including attacks linked to Ryuk, Egregor, and Colonial Pipeline, by enabling attackers to move laterally and install more malware after initial access. #SystemBC #SmokeLoader #Emotet #ColonialPipeline #DarkSide #Ryuk #Egregor #CobaltStrike

Key points

  • SystemBC acts as a Proxy Bot that relays attacker traffic through the infected host, hiding the attacker's origin and making follow-on activity appear to come from inside the victim network.
  • It can download and execute additional payloads (exe, DLL, Shellcode, scripts) from C2 servers, functioning as a downloader as well as a proxy.
  • Attack campaigns have used SystemBC in conjunction with Emotet, SmokeLoader, Cobalt Strike, and ransomware families to broaden access and persistence.
  • Persistence is achieved via a scheduled task that runs SystemBC on a set cadence and can re-register itself under a random name.
  • Communication with C2 servers uses RC4/XOR encryption, and supports both raw TCP and HTTP-based channels, including Tor where configured.
  • A variety of payload delivery formats (exe, .vbs, .bat/.cmd, .ps1, DLL, and shellcode) are supported, with in-memory execution for DLLs and shellcode.
  • Tor integration and DNS/.bit resolution methods are used to reach C2 endpoints when direct access is restricted.

MITRE Techniques

  • [T1090] Proxy – The malware acts as a Proxy Bot to forward traffic and hide the attacker's IP address. “If the attacker wants to use an infected system as Proxy Bot (using SystemBC of the infected system when accessing a certain address), a command to create proxies will be sent first.”
  • [T1053.005] Scheduled Task – It registers as a Windows scheduled task and runs on a cadence. “The task starts 2 minutes after the current time and is run every 2 minutes. The target that is executed is SystemBC, and designates ‘start’ as an argument.”
  • [T1105] Ingress Tool Transfer – It downloads additional payloads from the C2 server (exe, VBS, Batch, PowerShell, DLL, Shellcode) and can download updates. “SystemBC can download payloads in exe form from the C&C server and run them.”
  • [T1095] Non-Application Layer Protocol – It communicates with C2 using Raw TCP sockets, including encrypted data exchange. “The malware decrypts the C&C server address and port number before communicating with the C&C server. The malware uses the Raw TCP socket to communicate with the C&C server.”
  • [T1071.001] Application Layer Protocol – It also uses HTTP to download payloads and send responses. “GET %s HTTP/1.0 Host: %s User-Agent: Mozilla/5.0 …”
  • [T1021] Remote Services – Lateral movement using PsExec and scripts downloaded from C2 for internal propagation. “the malware was used for downloading and running PsExec and scripts for lateral movement attacks.”
  • [T1027] Obfuscated/Compressed Data – It encrypts data with RC4/XOR for C2 configuration and credentials. “The data shown below has a size of 0x64 bytes. It first uses the 0x32-byte RC4 key to RC4-encrypt the 0x32 bytes at the back.”
  • [T1055] Process Injection (DLL) – It can load DLLs into memory and execute their functions, sometimes conditioned on URL features. “Load DLL in the memory. Run the function of DLL if the URL has # at the back.”
  • [T1055.012] Shellcode – It can also execute shellcode in memory as part of payload execution. “Shellcode form to execute them in the memory.”
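An analyst-side decoder for the configuration layout quoted under T1027, added here as an example and not code from the ASEC post or from the malware itself. It assumes the 0x64-byte blob is a 0x32-byte RC4 key followed by 0x32 bytes of RC4 ciphertext holding a NUL-terminated host:port string; the key and C2 value in the sample are constructed placeholders.

```python
# Added example (not from the ASEC post): decrypt a SystemBC-style RC4
# configuration blob of the layout described in the T1027 bullet.
# Assumption: 0x32-byte RC4 key, then 0x32 bytes of RC4 ciphertext (0x64 total),
# with the C2 host:port stored as a NUL-terminated string inside the plaintext.

KEY_LEN = 0x32    # leading RC4 key
BLOB_LEN = 0x64   # key + ciphertext

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; symmetric, so the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:                            # keystream generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def decrypt_config_blob(blob: bytes) -> bytes:
    """Split the blob into key and ciphertext and return the decrypted 0x32 bytes."""
    if len(blob) != BLOB_LEN:
        raise ValueError(f"expected {BLOB_LEN:#x}-byte blob, got {len(blob):#x}")
    return rc4(blob[:KEY_LEN], blob[KEY_LEN:])

def extract_c2(plaintext: bytes) -> str:
    """Return the NUL-terminated host:port string from the decrypted block."""
    return plaintext.split(b"\x00", 1)[0].decode("latin-1")

def build_sample_blob(key: bytes, c2: str) -> bytes:
    """Constructed test data: pad the C2 string to 0x32 bytes and RC4 it under key."""
    if len(key) != KEY_LEN:
        raise ValueError("key must be 0x32 bytes")
    padded = c2.encode("latin-1").ljust(KEY_LEN, b"\x00")
    return key + rc4(key, padded)

if __name__ == "__main__":
    # Constructed key and C2 value (placeholders, not indicators from the post).
    sample = build_sample_blob(bytes(range(0x41, 0x41 + KEY_LEN)), "c2.example.invalid:4001")
    print(extract_c2(decrypt_config_blob(sample)))   # c2.example.invalid:4001
```

Pointing decrypt_config_blob at a 0x64-byte region carved from a memory dump gives the same host:port output, provided the sample follows the layout described in the post.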

Indicators of Compromise

  • [Hash] MD5 – beb92b763b426ad60e8fdf87ec156d50, 8e3a80163ebba090c69ecdeec8860c8b, 28c2680f129eac906328f1af39995787, ae3f6af06a02781e995650761b3a82c6
  • [C2 URL] db1.pushsecs[.]info:40690, db2.pushsecs[.]info:40690
  • [C2 URL] 31.44.185[.]6:4001, 31.44.185[.]11:4001
  • [C2 URL (Tor)] dfhg72lymw7s3d7b[.]onion:4044
  • [C2 URL] admex175x[.]xyz:4044, servx278x[.]xyz:4044
  • [IP/DNS] 193.23.244[.]244:80, 86.59.21[.]38:80 (examples of IPs used to reach Tor/public C2)
  • [DNS] 5.132.191[.]104, ns1.vic.au.dns.opennic[.]glue, ns2.vic.au.dns.opennic[.]glue
  • [URL] hxxp://michaelstefensson[.]com/supd/s.exe, hxxp://5.61.33[.]200/henos.exe
  • [Proc/Process] a2guard.exe (Emsisoft product) presence checked by SystemBC

Read more: https://asec.ahnlab.com/en/33600/