Monday, May 27, 2024

Hackers use SystemBC Malware to Hide C&C Server Communication by Deploying Proxies on Infected Computer

A new malware dubbed SystemBC, delivered by the RIG and Fallout exploit kits, sets up a SOCKS5 proxy connection on the victim's machine to hide the Command and Control traffic of popular banking malware such as Danabot.

In recent years most banking trojans have been served through exploit kits; among them, RIG and Fallout are the most actively used by threat actors.

Proofpoint researchers observed the new proxy malware in multiple Fallout and RIG exploit kit campaigns that were used to deliver Maze ransomware, the Danabot banking trojan, and the Amadey loader.


Malware Advertised in Hacking Forums

As the malware was spotted in multiple campaigns, Proofpoint researchers checked the underground marketplace for the existence of the malware. “We found an advertisement from April 2, 2019, on an underground forum that described a malware named “socks5 backconnect system” that matched the functionality of the malware seen in the above campaigns.”

To differentiate it from other malware using SOCKS5, the malware is named SystemBC; the advertisement also details the C&C servers, the list of victim machines, and authentication.

The SystemBC malware is written in C++ and sets up a tunnel network on the infected machine to hide the traffic associated with other malware. The connection to the Command and Control server is encrypted using RC4.

SystemBC is advertised as below:

• loader with update function every N hours (for long survivability it is necessary to update the crypts)
• firewall (access to socks only from trusted ip)
• authorization on socks by login and password
• GeoIP
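Two details above matter to a defender: the malware is a SOCKS5 proxy, and the advertisement lists login/password authorization on the socks. Both have fixed on-the-wire layouts (RFC 1928 for the greeting, RFC 1929 for the username/password sub-negotiation), so the handshake can be recognised in captured traffic regardless of which later traffic the RC4 tunnel hides. The following is an added example written for this page, not Proofpoint's tooling or any SystemBC code; it parses those two messages and flags SOCKS5 greetings seen on workstation connections to external hosts. The internal address ranges, the "expected proxy ports" set, and the sample flows are all constructed assumptions, not indicators from the report.

```python
"""Added example: recognise SOCKS5 handshakes in captured flow payloads.
Byte layouts follow RFC 1928 (greeting) and RFC 1929 (user/pass auth).
Not SystemBC's code and not Proofpoint's tooling; sample data is constructed."""
import ipaddress
from dataclasses import dataclass

SOCKS5_VERSION = 0x05
METHOD_NO_AUTH = 0x00
METHOD_USERPASS = 0x02              # RFC 1929 username/password method
# Assumptions for this example: the organisation's internal ranges, and the
# ports on which a proxy handshake would be expected rather than suspicious.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
KNOWN_PROXY_PORTS = {1080, 3128, 8080}


@dataclass
class Finding:
    src: str
    dst: str
    dport: int
    methods: tuple
    reason: str


def parse_socks5_greeting(payload: bytes):
    """Return the offered auth methods if payload starts with a well-formed
    SOCKS5 greeting (VER=5, NMETHODS, METHODS...), otherwise None."""
    if len(payload) < 3 or payload[0] != SOCKS5_VERSION:
        return None
    nmethods = payload[1]
    if nmethods == 0 or len(payload) < 2 + nmethods:
        return None
    return tuple(payload[2:2 + nmethods])


def parse_userpass_auth(payload: bytes):
    """RFC 1929 sub-negotiation: VER=1, ULEN, UNAME, PLEN, PASSWD.
    Returns (username, password) as str, or None if malformed."""
    if len(payload) < 2 or payload[0] != 0x01:
        return None
    ulen = payload[1]
    if ulen == 0 or len(payload) < 2 + ulen + 1:
        return None
    uname = payload[2:2 + ulen]
    plen = payload[2 + ulen]
    if plen == 0 or len(payload) < 3 + ulen + plen:
        return None
    passwd = payload[3 + ulen:3 + ulen + plen]
    return uname.decode("latin-1"), passwd.decode("latin-1")


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def scan_flows(flows):
    """flows: iterable of dicts with src, dst, dport and the first bytes sent
    in each direction (c2s, s2c), plus an optional 'auth' payload. A backconnect
    proxy receives the greeting on a connection it opened outbound, so both
    directions are checked. Only the username is recorded, never the password."""
    findings = []
    for f in flows:
        if not is_external(f["dst"]):
            continue
        for direction in ("c2s", "s2c"):
            methods = parse_socks5_greeting(f.get(direction, b""))
            if methods is None:
                continue
            reason = "socks5 greeting (%s)" % direction
            if METHOD_USERPASS in methods:
                reason += ", user/pass auth offered"
            if f["dport"] not in KNOWN_PROXY_PORTS:
                reason += ", non-standard port"
            creds = parse_userpass_auth(f.get("auth", b""))
            if creds is not None:
                reason += ", login %r" % creds[0]
            findings.append(Finding(f["src"], f["dst"], f["dport"], methods, reason))
    return findings


# Constructed sample flows (not real indicators): an ordinary TLS connection,
# a workstation talking to an internal proxy, and a backconnect-style session
# where the greeting arrives from the remote side on a high port.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "203.0.113.10", "dport": 443,
     "c2s": b"\x16\x03\x01\x00\xc4\x01\x00", "s2c": b"\x16\x03\x03"},
    {"src": "10.0.0.5", "dst": "10.0.0.20", "dport": 1080,
     "c2s": b"\x05\x01\x00", "s2c": b"\x05\x00"},
    {"src": "10.0.0.7", "dst": "198.51.100.23", "dport": 4001,
     "c2s": b"\x05\x00", "s2c": b"\x05\x02\x00\x02",
     "auth": b"\x01\x04oper\x04pass"},
]

if __name__ == "__main__":
    for hit in scan_flows(SAMPLE_FLOWS):
        print(hit)
```

Run as a script it reports one finding, the third flow: a SOCKS5 greeting delivered by the external side on port 4001, offering username/password authentication. In practice this logic would sit over flow records or a packet capture rather than hard-coded samples; the point is that the handshake itself is cleartext and fixed-format even though everything tunnelled afterwards is hidden.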

Proofpoint published a detailed report that covers the malware's functionality and a full analysis, including the Indicators of Compromise.

Administrators are advised to remain vigilant, keep Windows clients and servers updated, patch infrastructure devices, and retire legacy systems.


Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.