SystemBC
Type of Malware | Backdoor |
Associated Groups | BlackSuit |
Date of Initial Activity | 2019 |
Motivation | Financial Gain |
Attack Vectors | Software Vulnerabilities |
Targeted Systems | Windows |
Overview
SystemBC is a sophisticated piece of malware known for its role in enabling attackers to establish persistent access to compromised networks. Often used as a backdoor for a variety of malicious activities, it is typically deployed after initial access is achieved through other means, such as phishing, exploitation of vulnerabilities, or by leveraging existing footholds from other malware families like Cobalt Strike. SystemBC is primarily designed to facilitate lateral movement and command-and-control (C2) communication within an infected environment, allowing threat actors to maintain access to systems even after other malware may be detected or removed.
The malware is particularly notorious for its stealthy operations, which include using legitimate tools and techniques to avoid detection by security software. Once deployed, SystemBC can establish a remote command-and-control channel, often through common network protocols or by embedding itself within system processes to evade monitoring. It can also leverage Windows built-in functionalities, such as scheduled tasks and registry modifications, to ensure that it remains persistent and continues to operate undetected.
SystemBC’s deployment often precedes more damaging actions, including data exfiltration, ransomware deployment, and further exploitation of compromised systems. Its modular design allows it to be easily adapted for various attack scenarios, making it a versatile tool in the arsenal of cybercriminals. In many cases, it is used in conjunction with other malicious tools to facilitate larger, more complex attacks, such as those seen in advanced persistent threat (APT) campaigns or high-profile cyberattacks on organizations.
How they operate
SystemBC is a sophisticated piece of malware primarily used by threat actors to establish persistent command-and-control (C2) channels, enable lateral movement within compromised networks, and facilitate additional malicious activities such as data exfiltration and credential theft. At a technical level, the malware operates by abusing legitimate system processes, applying obfuscation techniques, and leveraging various Windows mechanisms to evade detection. SystemBC is typically involved in delivering secondary payloads, often as part of a larger campaign such as botnet operations, ransomware deployment, or targeted espionage.
Delivery and Initial Execution
SystemBC usually enters a network via phishing campaigns, where malicious attachments or links are used to exploit vulnerabilities in the victim’s system. Upon execution, SystemBC establishes a foothold within the environment and may leverage various built-in command-line utilities or scripting interpreters, such as PowerShell, to launch further malicious actions. In some cases, the malware executes directly through the command-line interface (CLI), bypassing traditional file-based detection mechanisms. By using these techniques, attackers ensure that the malware remains undetected during the early stages of the infection.
Persistence Mechanisms
Once executed, SystemBC aims to establish persistence to ensure that it can maintain access to the infected system over time. It often does this by manipulating system settings such as the Windows registry or using scheduled tasks. By creating or modifying registry keys, SystemBC ensures that it re-executes upon system reboot or user logon. For example, it may add entries to the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run registry key, which is a common method for ensuring that a malicious process runs automatically when the system restarts.
Moreover, SystemBC is capable of employing fileless execution techniques, which allow it to operate entirely in memory without leaving behind traditional file-based traces. This makes detection more difficult for antivirus programs that primarily scan for file-based threats. The use of PowerShell or Windows Management Instrumentation (WMI) to execute payloads further enhances SystemBC’s ability to evade security measures. Additionally, it may leverage encrypted payloads, hiding its code from detection algorithms and complicating forensic analysis.
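A defender-side illustration of the Run-key persistence described in this section: the following detection logic flags Sysmon registry-write events (Event ID 13) that add or change a value under a Run or RunOnce key from a process that is not expected to do so. This is an added example, not code from the original page or from any SystemBC sample; the event records, the allow-list of writer processes and the field names are constructed to follow Sysmon's EventData layout, and note that Sysmon logs HKEY_CURRENT_USER paths as HKU\<SID>.

```python
"""Flag Sysmon Event ID 13 (registry value set) records that write an
autostart entry under a Run/RunOnce key (MITRE T1547.001). The events
below are constructed sample data, not telemetry from a real infection."""
import re

# Autostart keys worth alerting on: the HKCU\...\Run key from the text plus
# its HKLM and RunOnce siblings (constructed list; extend for your estate).
AUTOSTART_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\[^\\]+$",
    re.IGNORECASE,
)

# Processes that legitimately write Run keys (installers, service hosts).
# Constructed allow-list; tune to the environment before deploying.
ALLOWED_WRITERS = {r"c:\windows\system32\msiexec.exe",
                   r"c:\windows\system32\svchost.exe"}

def is_suspicious_autostart(event):
    """True for an Event ID 13 that sets a Run/RunOnce value from a
    process outside the allow-list."""
    if event.get("EventID") != 13:
        return False
    if not AUTOSTART_KEY_RE.search(event.get("TargetObject", "")):
        return False
    writer = event.get("Image", "").lower()
    return writer not in ALLOWED_WRITERS

def find_autostart_writes(events):
    """Return (Image, TargetObject, Details) for each suspicious event."""
    return [(e["Image"], e["TargetObject"], e.get("Details", ""))
            for e in events if is_suspicious_autostart(e)]

# Constructed sample telemetry: a benign installer write, a write to an
# unrelated key, and a user-writable Run entry pointing at a temp binary.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\svc",
     "Details": r"C:\Users\alice\AppData\Local\Temp\svc.exe"},
]
```

Running `find_autostart_writes(SAMPLE_EVENTS)` returns only the third record; a real deployment would also pair this with Event ID 1 (process creation) to check what the referenced binary is.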
Lateral Movement and Network Propagation
SystemBC’s capabilities extend beyond a single compromised system; it is often used as a tool to facilitate lateral movement within the network. The malware uses a variety of techniques to propagate across other machines, such as leveraging remote services (e.g., Remote Desktop Protocol (RDP), SMB, or WinRM) to infiltrate other systems. By scanning the network for open ports and identifying vulnerable services, SystemBC can move across connected systems and escalate its privileges.
Moreover, SystemBC can be used to dump credentials and exploit misconfigurations in networked environments. It may use tools like Mimikatz or other credential dumping techniques to gain unauthorized access to sensitive resources. These stolen credentials can then be used to move further within the network, making the malware even more effective in establishing control over the environment.
Command and Control Communication
SystemBC relies heavily on its ability to maintain a stable command-and-control (C2) communication channel with the attackers. The malware establishes encrypted C2 connections, often over HTTP/HTTPS, which helps avoid detection by traditional network monitoring solutions. These encrypted communications are used to receive commands from the threat actors, download additional payloads, or exfiltrate data from the infected system.
One of SystemBC’s distinguishing features is its ability to communicate through the Tor network, adding an additional layer of anonymity for both the attacker and the malware itself. This decentralized, anonymous network allows attackers to avoid detection and traceability while maintaining access to the compromised systems. As a result, security professionals face significant challenges in both detecting and mitigating SystemBC infections, as the C2 traffic is designed to blend in with normal network activity, making it difficult to discern malicious from benign traffic.
Evasion and Anti-Forensic Techniques
SystemBC employs various evasion tactics to avoid detection by endpoint security solutions and network monitoring tools. It may utilize encryption and obfuscation to mask its payload, as well as delete logs or alter timestamps to prevent forensic investigators from identifying its presence. It can also engage in “living off the land” techniques, which involve exploiting native system tools such as PowerShell or PsExec to carry out malicious actions while avoiding the need to drop new, easily detectable files.
Additionally, SystemBC may disable security tools and interfere with system recovery processes to ensure that it remains active on infected systems. It can disrupt or delete restore points, rendering the system’s backup and recovery options useless, further entrenching the malware’s foothold in the environment.
MITRE Tactics and Techniques
1. Initial Access (TA0001)
Phishing (T1566): SystemBC is often delivered through phishing emails, typically carrying malicious attachments or links that exploit vulnerabilities in the victim’s system.
2. Execution (TA0002)
Command and Scripting Interpreter (T1059): SystemBC may leverage built-in scripting interpreters like PowerShell or command-line tools to execute its payloads or deliver additional stages of the attack.
3. Persistence (TA0003)
Boot or Logon Autostart Execution (T1547): SystemBC ensures persistence by embedding itself in autostart locations, such as the registry or scheduled tasks, enabling it to run on system reboot or user logon.
Registry Run Keys / Startup Folder (T1547.001): SystemBC can manipulate registry keys to persist on a compromised machine, automatically executing upon system startup.
4. Privilege Escalation (TA0004)
Exploitation for Privilege Escalation (T1068): If SystemBC does not initially have sufficient privileges, it may exploit local vulnerabilities to escalate its privileges to gain higher levels of access to the system.
5. Defense Evasion (TA0005)
Obfuscated Files or Information (T1027): SystemBC uses various obfuscation techniques, including encryption and packing, to evade detection by antivirus and endpoint security solutions.
Fileless Execution (T1053): The malware may leverage fileless techniques, using legitimate system processes to execute and spread without leaving traditional file traces.
Indicator Removal on Host (T1070): SystemBC may delete or alter logs and other indicators of compromise (IoCs) to avoid detection.
6. Credential Access (TA0006)
Credential Dumping (T1003): If necessary, SystemBC may attempt to dump credentials from the system’s memory or local storage, enabling lateral movement within the network or escalating its privileges.
7. Discovery (TA0007)
Network Service Scanning (T1046): SystemBC can scan for active network services and open ports, helping attackers identify additional targets within the network for exploitation.
System Information Discovery (T1082): The malware may gather information about the compromised system, such as system architecture or user details, to aid in further actions.
8. Lateral Movement (TA0008)
Remote File Copy (T1105): SystemBC may transfer additional malicious payloads to other systems within the network, facilitating further infection.
Remote Services (T1021): The malware can use remote access services, such as RDP or SMB, to move laterally across the network to other compromised machines.
9. Collection (TA0009)
Data Staged (T1074): SystemBC can stage exfiltrated data by gathering files or credentials from the compromised system, preparing them for later extraction.
10. Exfiltration (TA0010)
Exfiltration Over Command and Control Channel (T1041): SystemBC often uses its established C2 channel to exfiltrate data, including files, credentials, or system information, back to the attacker.
11. Impact (TA0040)
Data Encrypted for Impact (T1486): In some cases, SystemBC may be part of a broader attack where data is encrypted (typically as part of a ransomware attack) to demand a ransom from the victim.
Inhibit System Recovery (T1490): SystemBC may prevent the recovery of compromised systems, disabling system restore points or backup files.