Recent cybersecurity investigations have unveiled significant insights into the functioning of a notorious malware family known as SystemBC. This malware operates through a command-and-control (C2) server setup that has been analyzed by researchers at Kroll, revealing its availability for purchase on various underground marketplaces.

Kroll’s analysis indicates that purchasers receive a comprehensive installation package containing the implant executable, both Windows and Linux binaries for the C2 server, and a PHP-based web administration portal. Additionally, the package includes detailed installation instructions in English and Russian. The surge in malware activity noted by Kroll in Q2 and Q3 of 2023 highlights the evolving threat landscape for cybersecurity.

Initially detected in 2018, SystemBC empowers adversaries to gain remote control over compromised systems, allowing for the deployment of additional malicious payloads such as trojans, Cobalt Strike, and ransomware. A notable feature of SystemBC is its capability to dynamically launch supplementary modules, enhancing its primary functionalities.

The malware’s design intricately incorporates SOCKS5 proxies, which serve to obfuscate network traffic associated with the C2 infrastructure. This mechanism provides threat actors with persistent access to compromised systems post-exploitation. In terms of technical specifics, the C2 server executables—designated “server.exe” for Windows and “server.out” for Linux—open multiple TCP ports to facilitate communication, manage inter-process communication, and handle active implants, commonly referred to as bots.

To further enhance its covert operations, the server incorporates additional files that document interactions between the implant, acting as both proxy and loader, and stores critical information about targeted victims. The PHP-based panel interface, while minimalistic, effectively lists active implants and serves as a platform to execute shellcode and arbitrary files on infected machines.

The shellcode feature is particularly alarming as it allows for more discreet remote access compared to traditional reverse shell methods. This capability emphasizes the heightened risk faced by organizations that may become targets of this advanced malware.

In a related development, Kroll has also examined a newly updated variant of DarkGate, a remote access trojan (RAT) identified as version 5.2.3. This version demonstrates sophisticated techniques enabling attackers to completely compromise system security, extract sensitive data, and disseminate additional malware.

Security researcher Sean Straw noted that DarkGate uses a custom Base64 alphabet, which complicates decoding but carries a related weakness. Kroll’s examination revealed that this weakness lets forensic analysts decode the configurations and keylogging output the malware stores on a compromised system, highlighting the significant risks associated with this malware.
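As an added illustration of the decoding technique described above (not code from Kroll or from the article), the snippet below maps a custom 64-symbol alphabet onto the standard one and then uses the stock decoder; the alphabet and configuration blob here are constructed for the example, since the article does not publish DarkGate’s real alphabet or the specific weakness Kroll found.

```python
import base64
import binascii
import string

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Constructed, illustrative alphabet: NOT DarkGate's real alphabet.  In a real
# case the alphabet is recovered from the sample during analysis.
CUSTOM_ALPHABET = "zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA9876543210_-"


def _check_alphabet(alphabet: str) -> None:
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("custom alphabet must contain 64 distinct symbols")


def custom_b64decode(data: str, alphabet: str = CUSTOM_ALPHABET) -> bytes:
    """Decode Base64 text written in a custom alphabet.

    Each custom symbol is translated position-for-position to the standard
    symbol, then the standard decoder does the rest.  Missing '=' padding is
    restored because malware config blobs frequently drop it.  Any character
    outside the alphabet survives translation and makes the strict decoder
    raise binascii.Error, which is the signal that the alphabet is wrong.
    """
    _check_alphabet(alphabet)
    translated = data.translate(str.maketrans(alphabet, STD_ALPHABET))
    translated += "=" * (-len(translated) % 4)
    return base64.b64decode(translated, validate=True)


def custom_b64encode(raw: bytes, alphabet: str = CUSTOM_ALPHABET) -> str:
    """Inverse of custom_b64decode; used here only to build the sample blob."""
    _check_alphabet(alphabet)
    encoded = base64.b64encode(raw).decode("ascii")
    return encoded.translate(str.maketrans(STD_ALPHABET, alphabet)).rstrip("=")


def is_valid_blob(data: str, alphabet: str = CUSTOM_ALPHABET) -> bool:
    """True when the blob decodes cleanly under the given alphabet."""
    try:
        custom_b64decode(data, alphabet)
        return True
    except binascii.Error:
        return False


# Constructed sample "configuration" (TEST-NET address, dummy key) and its blob.
SAMPLE_CONFIG = b"c2=203.0.113.10:443;key=EXAMPLE"
SAMPLE_BLOB = custom_b64encode(SAMPLE_CONFIG)

if __name__ == "__main__":
    print(SAMPLE_BLOB)
    print(custom_b64decode(SAMPLE_BLOB))
```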

As organizations strive to fortify their cybersecurity defenses, understanding the tactics and techniques showcased by threats like SystemBC is crucial. Analyzing these incidents through frameworks such as the MITRE ATT&CK Matrix can provide critical context. MITRE tactics likely to appear in these attacks include initial access, persistence, and privilege escalation, offering insight into how adversaries operate at the various stages of a breach.
