To maintain access to compromised networks, hackers use specialized hacking tools. Such tools help the threat actors evade the detection mechanisms and maintain control over the compromised system.
This unauthorized access enables the threat actors to extract sensitive information from the compromised networks’ systems.
Cybersecurity researchers at Kroll recently discovered a malicious “SYSTEMBC” tool that hackers have been exploiting actively.
Streaming Malware Service
Open Suspicious Files & Links in the ANY RUN Sandbox Safely; Try All Features for Free. Understand malware behavior, collect IOCs, and easily map malicious actions to TTPs — all in our interactive sandbox.
SYSTEMBC Tool to Maintain Access
Kroll noted a significant surge in the use of the malicious “SYSTEMBC” tool for network access in Q2-Q3 of 2023.
This tool was first seen in 2018, and the SYSTEMBC acts as a SOCKS5 proxy that provides threat actors with persistent access or a backdoor.
Besides this, the SYSTEMBC is used by various threat actors in different campaigns and alongside a multitude of malware families.
Here below, we have mentioned all the malware families:-
- RHYSIDIA
- BLACKBASTA
- CUBA
- GOOTLOADER
- COBALTSTRIKE
- EMOTET
SYSTEMBC can be bought from the dark web as it includes malware, a C2 server, and a PHP admin portal. Kroll CTI explored its C2 server by revealing English and Russian setup instructions.
The C2 app has “server.exe” for Windows and “server.out” for Linux. The focus of the security analysts is on the Linux server.
It opens ports for IPC (usually 4000) and C2 traffic (commonly 443). Active implants have ports ranging from 4001 to 49151.
The configuration details are in the binary, with labeled and padded port strings for easy identification.
Port 49151 suggests the developer’s familiarity with low-level programming like C or Assembly. In hex, it’s 0xBFFF, one less than 0xC000, which indicates an awareness of integer memory allocation.
SYSTEMBC hints at possible Assembly code in the Linux Server binary as it’s in C. The rigid PHP panel script relies heavily on “if” statements, which favor echo over PHP’s nested HTML. The hardcoded port 4000 in the TCP connection setup implies a preferred configuration.
The “secondsToTime” function was borrowed from Stack Overflow, revealing a mix of skills. The use of PHP might be practical since it suggests a focus on functionality over technology preference.
While the control panel is completely crucial for attackers, it features a table with key machine details that highlights the C2 server ports for SOCKS traffic.
Core functionalities of SYSTEMBC:-
- SOCKS5
- Loader functionality
- Module loading
SYSTEMBC poses a significant threat as RHYSIDA ransomware groups often use it to maintain access post-compromise.
In a healthcare case, compromised credentials and a Citrix NetScaler vulnerability allowed SYSTEMBC deployment, enabling threat actors to perform further attacks with tools like Advanced Port Scanner, AnyDesk, and MegaSync.
However, the successful encryption also led to password changes, blocking IT access.
