SystemBC (aka Coroxy or DroxiDat) is multifunctional malware that operates as a proxy, bot, backdoor, and RAT, depending on what the attacker needs.
It has been active since 2018 and remains popular on underground markets, with incidents reported consistently every year.
Cybersecurity researcher REXor (aka Aaron) recently found that several ransomware groups are employing SystemBC, a Swiss Army knife of proxy malware, in their operations.
The ransomware groups observed using this malware are listed below:-
Coroxy reaches systems through a variety of delivery methods, tailored to the group using it:-
It is also delivered in spear-phishing campaigns, and by loaders or other malware that install it on victim systems.
SystemBC's methods change between samples, but its core tasks stay the same:-
Gather system info –> Establish persistence –> Open a SOCKS5 connection to the C&C server –> Transmit data –> Await attacker commands or launch further malware
This backdoor lets attackers operate from their own infrastructure, and over time numerous groups have adopted SystemBC.
How SystemBC is used varies with each attacker's access to the target infrastructure. The studied samples show diverse execution flows yet share the same core functions.
Usually, when the executable is run, it writes a duplicate copy of SystemBC and establishes persistence via scheduled tasks or registry entries.
Some samples arrive without a loader or carrier malware but are packed, so they need deobfuscation or extraction before analysis.
Extracting the payload from memory may be required; doing so reveals identical copies in a temporary folder, showing that the malware duplicates itself under dynamically generated filenames.
Coroxy uses a mutex in all examined samples to prevent multiple instances from running at once. The mutex name may be a randomly generated string or a deobfuscated domain, which complicates detection by name.
Samples establish persistence differently: some create scheduled jobs, others registry entries, and PowerShell is often used to execute SystemBC.
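A defender-side way to hunt for this kind of persistence, as an added example that is not part of the researcher's analysis: the script below applies heuristics (my assumptions, not indicators from the article) to Run-key values and exported scheduled-task XML, flagging PowerShell launchers with hidden-window, policy-bypass or encoded-command switches and payloads that live under a Temp directory, which matches the temp-folder duplicates described above. The registry values, task XML, paths and file names are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Heuristics (assumptions for this example, not indicators from the article):
# a PowerShell launcher, evasive PowerShell switches, and a payload under Temp.
POWERSHELL_RE = re.compile(r'(?:^|[\\\s"])(?:powershell|pwsh)(?:\.exe)?(?=["\s]|$)', re.I)
EVASIVE_SWITCH_RE = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden|e(?:p|xecutionpolicy)\s+bypass|e(?:nc|ncodedcommand)\b)",
    re.I,
)
TEMP_PATH_RE = re.compile(r"\\(?:Temp|Tmp)\\", re.I)


def classify_command(cmdline: str) -> list:
    """Return the heuristic reasons (possibly none) a command line looks suspicious."""
    reasons = []
    if POWERSHELL_RE.search(cmdline):
        reasons.append("powershell launcher")
        if EVASIVE_SWITCH_RE.search(cmdline):
            reasons.append("hidden/bypass/encoded switch")
    if TEMP_PATH_RE.search(cmdline):
        reasons.append("payload under a Temp directory")
    return reasons


def scan_run_values(run_values: dict) -> list:
    """run_values maps Run-key value names to their command lines (e.g. from reg query)."""
    hits = []
    for name, cmdline in run_values.items():
        reasons = classify_command(cmdline)
        if reasons:
            hits.append({"source": RUN_KEY, "name": name, "reasons": reasons})
    return hits


def scan_task_xml(task_name: str, xml_text: str) -> list:
    """Walk every <Exec> action of an exported scheduled task (schtasks /query /xml)."""
    hits = []
    root = ET.fromstring(xml_text)
    for exec_el in root.findall(".//t:Exec", TASK_NS):
        cmd = exec_el.findtext("t:Command", default="", namespaces=TASK_NS)
        args = exec_el.findtext("t:Arguments", default="", namespaces=TASK_NS)
        reasons = classify_command(f"{cmd} {args}".strip())
        if reasons:
            hits.append({"source": "ScheduledTask", "name": task_name, "reasons": reasons})
    return hits


# Constructed sample data for the example (not real indicators).
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    "wupd": r"powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\alice\AppData\Local\Temp\ab12cd.ps1",
}

SAMPLE_TASKS = {
    "Updater": """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec><Command>C:\\Program Files\\Updater\\updater.exe</Command><Arguments>/check</Arguments></Exec>
  </Actions>
</Task>""",
    "SysHelper": """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Command>
      <Arguments>-ep bypass -w hidden -c "Start-Process C:\\Users\\alice\\AppData\\Local\\Temp\\9f3a1b.exe"</Arguments>
    </Exec>
  </Actions>
</Task>""",
}


def find_suspicious_autoruns(run_values=SAMPLE_RUN_VALUES, tasks=SAMPLE_TASKS) -> list:
    """Combine both persistence locations into one list of hits."""
    hits = scan_run_values(run_values)
    for task_name, xml_text in tasks.items():
        hits.extend(scan_task_xml(task_name, xml_text))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_autoruns():
        print(f"{hit['source']}: {hit['name']} -> {', '.join(hit['reasons'])}")
```

On a real host, feed it the output of `reg query` for the Run keys and `schtasks /query /xml` for each task; a hit is a lead to triage, not a verdict, since legitimate software also launches PowerShell and writes to Temp.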
In certain versions, SystemBC launches its duplicate from the following paths:-
SystemBC checks for a2guard (the Emsisoft Anti-Malware guard process), a simple anti-analysis step to spot antivirus or other disruptive software. It takes a process snapshot and walks it with Process32First and Process32Next looking for that binary.
Together these steps give it persistence, process control, and system-information gathering, after which it deobfuscates and decrypts the values needed for its network connection.
Once the C&C address is recovered, SystemBC connects in a loop, usually to a known server and port, and reads the response.
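To make the SOCKS5 step concrete, here is an added example (not code from the researcher or from SystemBC itself) that parses the standard RFC 1928 client greeting and request and flags outbound flows whose first client bytes form a SOCKS5 handshake to anything other than a sanctioned proxy. The flows, IP addresses (RFC 5737 documentation ranges) and the proxy allowlist are constructed for the example; a given SystemBC build may wrap or encrypt its C&C traffic, so this detects unexpected standard SOCKS5 use on the network rather than SystemBC specifically.

```python
import ipaddress
import struct

SOCKS_VERSION = 5
CMD_NAMES = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}
AUTH_NAMES = {0: "no-auth", 2: "username/password"}


def parse_greeting(payload: bytes):
    """RFC 1928 client greeting: VER | NMETHODS | METHODS[NMETHODS]. None if not SOCKS5."""
    if len(payload) < 2 or payload[0] != SOCKS_VERSION:
        return None
    nmethods = payload[1]
    if nmethods == 0 or len(payload) < 2 + nmethods:
        return None
    return {"methods": [AUTH_NAMES.get(m, f"method-{m}") for m in payload[2:2 + nmethods]]}


def parse_request(payload: bytes):
    """RFC 1928 request: VER | CMD | RSV=0 | ATYP | DST.ADDR | DST.PORT (big-endian)."""
    if len(payload) < 4 or payload[0] != SOCKS_VERSION or payload[2] != 0:
        return None
    cmd, atyp, body = payload[1], payload[3], payload[4:]
    if atyp == 1 and len(body) >= 6:                          # IPv4
        host, port_bytes = str(ipaddress.IPv4Address(body[:4])), body[4:6]
    elif atyp == 3 and body and len(body) >= 3 + body[0]:     # length-prefixed domain name
        n = body[0]
        host, port_bytes = body[1:1 + n].decode("ascii", "replace"), body[1 + n:3 + n]
    elif atyp == 4 and len(body) >= 18:                       # IPv6
        host, port_bytes = str(ipaddress.IPv6Address(body[:16])), body[16:18]
    else:
        return None
    return {"cmd": CMD_NAMES.get(cmd, f"unknown-{cmd}"), "host": host,
            "port": struct.unpack("!H", port_bytes)[0]}


# Assumption for the example: the organisation's only sanctioned SOCKS proxy.
SANCTIONED_PROXIES = {("10.0.0.8", 1080)}


def flag_socks5_flows(flows, sanctioned=SANCTIONED_PROXIES) -> list:
    """flows: (src_ip, dst_ip, dst_port, [first client payloads]) tuples, e.g. reassembled from a pcap."""
    alerts = []
    for src, dst, dport, payloads in flows:
        greeting = parse_greeting(payloads[0]) if payloads else None
        if greeting is None or (dst, dport) in sanctioned:
            continue
        # The request, when present, turns a weak one-byte match into a confident one.
        request = parse_request(payloads[1]) if len(payloads) > 1 else None
        alerts.append({"src": src, "dst": dst, "dport": dport,
                       "methods": greeting["methods"], "request": request})
    return alerts


# Constructed flows: a sanctioned proxy session, a SOCKS5 handshake straight to an
# external host on an odd port, and an ordinary TLS ClientHello for contrast.
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.0.8", 1080, [b"\x05\x01\x00"]),
    ("10.0.0.7", "198.51.100.23", 4001, [b"\x05\x02\x00\x02",
                                          b"\x05\x01\x00\x01\xc0\x00\x02\x0a\x01\xbb"]),
    ("10.0.0.7", "203.0.113.5", 443, [b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"]),
]

if __name__ == "__main__":
    for alert in flag_socks5_flows(SAMPLE_FLOWS):
        print(alert)
```

A greeting alone is only a few bytes and will occasionally match unrelated binary protocols; treat a flow as interesting when the follow-up CONNECT request also parses, and correlate the source host with the persistence hunting above.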
Though versions differ slightly, the core behaviour remains the same. The analyst also noted that Coroxy is still relevant, with active discussions and requests for it on underground forums.
The identified infrastructure also offers access to compromised systems for roughly $300 to $350, payable to active cryptocurrency wallets.
Hash:
Domain:
IP (High confidence):
IP (Mid-Low confidence):