SystemBC, also tracked as Coroxy or DroxiDat, is a versatile proxy malware/toolkit active since 2018. It is used as a backdoor and sometimes as a RAT by many threat groups and is sold on underground markets. A typical infection gathers system information, establishes persistence, and then opens a SOCKS5 channel to its C2 server; it is often deployed alongside loaders or Cobalt Strike. #SystemBC #Coroxy
Keypoints
- SystemBC is a versatile malware used as a proxy/backdoor/RAT with broad attacker-driven functionality.
- Intrusions typically combine reconnaissance, lateral movement, and deployment alongside other tooling such as Cobalt Strike; initial delivery is via spear-phishing or a loader.
- Core behavior is consistent: gather system and user information, establish persistence, and open a SOCKS5 C2 channel to a remote server.
- Numerous threat groups and ransomware crews have used SystemBC, including ViceSociety, Rhysida, Hive, Conti/Ryuk connections, BlackBasta, Maze Team, and others.
- Persistence and evasion rely on registry Run keys, scheduled tasks (including tasks with random names), hidden PowerShell execution, and anti-analysis checks (e.g., scanning the process list for a2guard, the Emsisoft protection process).
- Access to SystemBC and related services is sold on underground forums for roughly $300–$350, paid in cryptocurrency, which shows how established it is as a marketplace offering.
- The malware shows variant diversity (packing, memory extraction, dynamic file paths) but maintains a consistent core capability: backdoor access, data gathering, and C2 communication.
MITRE Techniques
- [T1059.001] PowerShell – PowerShell is launched with a hidden window to run a payload staged under ProgramData or AppData. Quote (hunting rule): 'Process powershell.exe > (Command) *-windowstyle hidden -Command* "* > (ChildPath) *ProgramData*|*AppData*.exe"'
- [T1547.001] Registry Run Keys / Startup Folder – Persistence through a Run key whose value name is "socks5" and whose data launches hidden PowerShell. Quote: 'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run > (ValueName) socks5 > (ValueData) powershell*-windowstyle hidden*-Command*'
- [T1053.005] Scheduled Task – Persistence via a task that runs the dropped binary from ProgramData or AppData with a "start" or "start{Number}" argument. Quote: 'Taskeng.exe > (Path) *ProgramData* | *AppData* > (Command) *ProgramData*|*AppData*\<RandName>.exe start{Number}|start'
- [T1053.005] Scheduled Task – Persistence via a task file with a random name written to the Windows\Tasks directory. Quote: '(File) <RandName>.job > (Path) *\Windows\Tasks\<RandName>.job'
- [T1070.004] Indicator Removal on Host: File Deletion – A self-delete routine uses ping as a delay before cmd.exe deletes the dropped file, so the file is gone by the time a scan runs. Quote: 'cmd.exe /C ping {IP} -n {Number} -w {Number} > Null & Del'
- [T1090] Proxy – An executable running from ProgramData or AppData makes an outbound connection to a public IP, typically in an unusual country or direction for the host. Quote: '(Path) *ProgramData* | *AppData* > (NetConnection) Public IP {Non common country|Direction}'
- [T1082] System Information Discovery – Gathers system and user information before reaching out to the C2. Quote: 'gathers information about the system, while also deobfuscating and decrypting network data'
- [T1057] Process Discovery – Anti-analysis process enumeration that looks for a2guard (Emsisoft). Quote: 'takes a snapshot of all processes and iterates through them'
- [T1027] Obfuscated/Compressed Files and Information – The C2 domain is stored obfuscated and decoded at runtime; the decoded string is reused as the mutex name. Quote: 'deobfuscate (typically using XOR) a domain, which it will later use as a Mutex'
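As an added example (not code from the original post, nor from the SystemBC authors), the Python below turns the hunting patterns quoted in the list above into checks that run over Sysmon-style events. The event layout, the hypothetical payload name dhspm.exe, the file and key names in the sample events, and the use of the ipaddress module's is_global test as a stand-in for the rule's "non common country" condition are all assumptions; the public IP is taken from the page's IoC list.

```python
import ipaddress
import re

# Path fragments the hunting rules key on: payloads staged under ProgramData/AppData.
STAGING_DIR = re.compile(r"\\(ProgramData|AppData)\\", re.IGNORECASE)
HIDDEN_PS = re.compile(r"-windowstyle\s+hidden\b.*-Command\b", re.IGNORECASE)
RUN_SOCKS5 = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\socks5$", re.IGNORECASE)
START_ARG = re.compile(r'\.exe"?\s+start\d*\s*$', re.IGNORECASE)
TASK_JOB = re.compile(r"\\Windows\\Tasks\\[^\\]+\.job$", re.IGNORECASE)
# "Nul+" accepts both the real NUL device and the "Null" spelling used in the quoted rule.
SELF_DELETE = re.compile(r"cmd\.exe\s+/C\s+ping\s+\S+\s+-n\s+\d+\s+-w\s+\d+\s*>\s*Nul+\s*&\s*Del\b",
                         re.IGNORECASE)

# Constructed Sysmon-style events (assumption: not taken from the page). Fields mirror
# Event ID 1 (process create), 3 (network connect), 11 (file create), 13 (registry set).
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'powershell.exe -windowstyle hidden -Command "C:\ProgramData\dhspm\dhspm.exe"'},
    {"id": 13, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5",
     "details": r'powershell -windowstyle hidden -Command "C:\Users\alice\AppData\Roaming\qzkr.exe"'},
    {"id": 1, "image": r"C:\ProgramData\dhspm\dhspm.exe",
     "parent": r"C:\Windows\System32\taskeng.exe",
     "cmdline": r'"C:\ProgramData\dhspm\dhspm.exe" start3'},
    {"id": 11, "image": r"C:\ProgramData\dhspm\dhspm.exe", "target": r"C:\Windows\Tasks\Ukxqw.job"},
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\ProgramData\dhspm\dhspm.exe",
     "cmdline": r'cmd.exe /C ping 127.0.0.1 -n 3 -w 1000 > Nul & Del "C:\ProgramData\dhspm\loader.exe"'},
    {"id": 3, "image": r"C:\ProgramData\dhspm\dhspm.exe", "dest_ip": "91.191.209.110"},
    # Benign noise: an editor opening a file under AppData, and a staged binary
    # talking to an internal host (fails the public-IP test).
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"notepad.exe C:\Users\alice\AppData\Roaming\notes.txt"},
    {"id": 3, "image": r"C:\ProgramData\dhspm\dhspm.exe", "dest_ip": "10.0.0.5"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_public_ip(addr):
    """Stand-in for the rule's geo condition: only routable, non-private destinations count."""
    try:
        return ipaddress.ip_address(addr).is_global
    except ValueError:
        return False


def hidden_powershell(ev):
    return (ev["id"] == 1 and basename(ev.get("image", "")) == "powershell.exe"
            and bool(HIDDEN_PS.search(ev.get("cmdline", "")))
            and bool(STAGING_DIR.search(ev.get("cmdline", ""))))


def run_key_socks5(ev):
    return (ev["id"] == 13 and bool(RUN_SOCKS5.search(ev.get("target", "")))
            and bool(HIDDEN_PS.search(ev.get("details", ""))))


def task_launch_with_start(ev):
    return (ev["id"] == 1 and basename(ev.get("parent", "")) == "taskeng.exe"
            and bool(STAGING_DIR.search(ev.get("image", "")))
            and bool(START_ARG.search(ev.get("cmdline", ""))))


def random_job_file(ev):
    return ev["id"] == 11 and bool(TASK_JOB.search(ev.get("target", "")))


def ping_delete(ev):
    return ev["id"] == 1 and bool(SELF_DELETE.search(ev.get("cmdline", "")))


def staged_binary_to_public_ip(ev):
    return (ev["id"] == 3 and bool(STAGING_DIR.search(ev.get("image", "")))
            and is_public_ip(ev.get("dest_ip", "")))


RULES = [
    ("T1059.001", "hidden PowerShell running a payload staged in ProgramData/AppData", hidden_powershell),
    ("T1547.001", "Run key 'socks5' pointing at hidden PowerShell", run_key_socks5),
    ("T1053.005", "task scheduler launching a staged binary with a start{N} argument", task_launch_with_start),
    ("T1053.005", "random-named .job file written to Windows\\Tasks", random_job_file),
    ("T1070.004", "ping-delayed self deletion via cmd.exe", ping_delete),
    ("T1090", "staged binary connecting to a public IP", staged_binary_to_public_ip),
]


def scan(events):
    """Return (event_index, technique_id) for every rule each event trips."""
    return [(i, tid) for i, ev in enumerate(events) for tid, _, pred in RULES if pred(ev)]


if __name__ == "__main__":
    for i, tid in scan(SAMPLE_EVENTS):
        print(f"event {i}: {tid}")
```

The two benign events show why each rule carries more than one condition: a path under AppData alone, or a hidden PowerShell window alone, is common on a normal host, and the geo qualifier in the T1090 rule cannot be evaluated offline, so the public-IP test is the minimum you should pair with a staging-path match before alerting.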
Indicators of Compromise
- [Hash] – c96f8d4d1ee675c3cd1b1cf2670bb9bc2379a6b66f3029b2ffcfdd67c612c499, 6f78256f20eb2b5594391095a341f8749395e7566fdd2ddd3a34a0db9bb9f871, and 2 more hashes
- [Domain] – payload.su, mxstat215dm.xyz, and 2 more domains
- [IP] – 91.191.209.110, 5.42.65.67, and 2 more IPs
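The T1027 entry above says the sample XOR-decodes its C2 domain at runtime and reuses the decoded string as a mutex name. As an added example (not the page's or the malware's code), and assuming a single-byte XOR key, which the page does not state, the script below recovers such a key from an obfuscated blob by decoding with every candidate and keeping the results that look like a domain. The blob is constructed here from the IoC domain payload.su with an assumed key of 0x5A.

```python
import re

# A decoded candidate counts as a domain only if it is all label characters with a TLD.
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}$")


def xor_bytes(data, key):
    """Single-byte XOR; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


def recover_domain(blob):
    """Try all 256 single-byte keys and return (key, text) pairs that decode to a domain."""
    hits = []
    for key in range(256):
        try:
            text = xor_bytes(blob, key).decode("ascii")
        except UnicodeDecodeError:
            continue
        if DOMAIN_RE.match(text):
            hits.append((key, text))
    return hits


# Constructed sample (assumption): the IoC domain obfuscated with an assumed key.
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = xor_bytes(b"payload.su", SAMPLE_KEY)

if __name__ == "__main__":
    for key, text in recover_domain(SAMPLE_BLOB):
        print(f"key=0x{key:02x} -> {text}  (would also be the mutex name)")
```

Because the same decoded string names the mutex, a recovered domain doubles as a host-level indicator: check the live mutex list for it alongside any network blocks.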
Read more: https://rexorvc0.com/2023/11/12/Swiss-Knife-SystemBC-Coroxy/