SystemBC, a malware sold on underground markets, is used by ransomware-as-a-service (RaaS) operations to hide malicious traffic and to automate the delivery of ransomware payloads into victims' networks.
SystemBC was first identified in 2018 and was used in several 2019 campaigns as a "virtual private network". The malware allowed ransomware gangs and their affiliates to establish a persistent backdoor on victims' systems in the form of a Tor SOCKS5 proxy.
This helped them create obfuscated communication channels for automated ransomware payload delivery and data exfiltration.
SystemBC is used by Ryuk and the Egregor gang
Sophos researchers observed that SystemBC malware was deployed in Ryuk and Egregor ransomware attacks in recent months.
"SystemBC is part of the ransomware gang toolkits. Sophos has identified hundreds of attempts to deploy SystemBC in recent months."
Researchers have discovered that the Ryuk ransomware gang deploys SystemBC on the domain controller along with other malware, such as Buer Loader, BazarLoader and Zloader, while Egregor operators use the Qbot information stealer.
Automatic ransomware payload deployment
Ransomware operators use this backdoor as a remote access tool (RAT) alongside the Cobalt Strike post-exploitation tool, after gaining access to victims' networks.
SystemBC also automates various tasks, such as deploying ransomware across the target networks once information has first been stolen and exfiltrated.
Finally, the intruders use it to execute commands on infected Windows devices, as well as to deliver malicious scripts, dynamic link libraries (DLLs) and scripts that run automatically without operator intervention.
These malware capabilities allow ransomware operators to carry out attacks against multiple victims at a time.
Although some Windows anti-malware tools detect and block SystemBC deployment attempts, ransomware gangs can still install it on their target networks using legitimate credentials stolen in the early stages of the attacks.
"Using multiple tools in ransomware-as-a-service attacks creates an increasingly different attack profile that makes it difficult for security teams to predict and deal with," said Gallagher.
Robust security solutions, employee education and constant vigilance are necessary to deal with such attacks.
Source: Bleeping Computer