Cybersecurity researchers have analysed the command-and-control (C2) server behind the SystemBC malware and documented how it operates. SystemBC, observed in the wild since 2018, lets threat actors remotely control compromised hosts and deliver additional payloads such as trojans, Cobalt Strike, and ransomware. Its distinctive feature is the use of SOCKS5 proxies to mask network traffic, giving operators persistent access for post-exploitation activity.
Kroll, a risk and financial advisory solutions provider, reports a surge in the malware's use throughout Q2 and Q3 of 2023. Customers buying SystemBC on underground marketplaces receive an installation package containing the implant executable, Windows and Linux binaries for the C2 server, and a PHP file for the C2 panel interface. The C2 server binaries open multiple TCP ports to handle C2 traffic and inter-process communication, while the PHP-based panel serves as the operator's interface for running shellcode and arbitrary files on compromised systems.
According to Kroll researchers, the PHP-based panel, though minimalist, lists the active implants and allows shellcode to be executed with full remote capabilities, which makes it less conspicuous than a traditional reverse shell. The analysis illustrates how the tooling behind such malware continues to mature and underlines the need for robust defensive measures.