
New SystemBC malware uses SOCKS5 proxies and exploit kits for distribution

  • Researchers found that the malware was delivered through separate campaigns involving the use of Fallout EK, Danabot trojan, and RIG EK.
  • The malware was also sold in an underground marketplace as “socks5 backconnect system.”

A new malware family infecting Windows systems has been documented by security researchers. Dubbed ‘SystemBC’ by researchers from Proofpoint, the malware was spotted in May this year and was found to be delivered through attack campaigns associated with the Fallout Exploit Kit, the Danabot trojan and the RIG Exploit Kit. Furthermore, the malware is also believed to have connections with Brushaloader and related malware.

The big picture

  • According to Proofpoint researchers, SystemBC uses SOCKS5 proxies to mask the network traffic to its C2 server behind HTTPS connections. It is mainly written in C++.
  • The malware is reportedly sold in an underground marketplace with the name “socks5 backconnect system”.
  • It uses standard RC4 encryption in its C2 server communications. The researchers analyzed a communication packet and found four pieces of information in it: a plaintext RC4 key, the Windows build ID, an account name on the device, and a Boolean indicating whether the machine has an x64-based processor.
  • SystemBC was first detected in May. Subsequent campaigns delivering the malware were identified in June and July 2019.
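The check-in described above carries its RC4 key in the clear, which is what makes captured traffic recoverable by a defender. The following is an added example, not code from Proofpoint or from the malware: it builds a constructed record with an assumed layout (1-byte key length, key, RC4-encrypted body) and shows that an analyst holding only the captured record can decrypt the build ID, account name and x64 flag.

```python
# Added example (not Proofpoint's or SystemBC's code): a constructed
# check-in record in which the RC4 key travels in plaintext ahead of the
# RC4-encrypted body, and the decryption an analyst can do from a capture.
# The record layout (1-byte key length, key, ciphertext) is an assumption
# made for this demo, not the malware's real wire format.
import struct


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same op."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_checkin(key: bytes, build_id: int, account: str, is_x64: bool) -> bytes:
    """Constructed sample record: [key_len][key][RC4(build_id | account\\0 | x64)]."""
    body = struct.pack("<I", build_id) + account.encode() + b"\x00" + bytes([int(is_x64)])
    return bytes([len(key)]) + key + rc4(key, body)


def decrypt_checkin(record: bytes) -> dict:
    """What a defender holding the captured record can recover: the key is
    in the clear, so the body decrypts without knowing any secret."""
    key_len = record[0]
    key = record[1:1 + key_len]
    body = rc4(key, record[1 + key_len:])
    build_id = struct.unpack("<I", body[:4])[0]
    account, rest = body[4:].split(b"\x00", 1)
    return {"key": key, "build_id": build_id,
            "account": account.decode(), "x64": bool(rest[0])}
```

A network sensor that can parse the key field can therefore inspect the body of every check-in, which is the detection opportunity a plaintext key creates.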

Why it matters

In a blog post detailing various properties of the malware, Proofpoint researchers suggest that proxy malware such as SystemBC is a challenge to mitigate.

“The synergy between SystemBC as a malicious proxy and mainstream malware creates new challenges for defenders relying on network edge detections to intercept and mitigate threats like banking Trojans,” wrote the researchers.
