Monday, October 7, 2024
HomeCyber AttackHackers Use SYSTEMBC Tool to Maintain Access to Compromised Network

Hackers Use SYSTEMBC Tool to Maintain Access to Compromised Network

Published on

To maintain access to compromised networks, hackers use specialized hacking tools. Such tools help the threat actors evade the detection mechanisms and maintain control over the compromised system.

This unauthorized access enables the threat actors to extract sensitive information from the compromised networks’ systems.

Cybersecurity researchers at Kroll recently discovered a malicious “SYSTEMBC” tool that hackers have been exploiting actively.

- Advertisement - EHA
Document
Free Trial

Streaming Malware Service

Open Suspicious Files & Links in the ANY RUN Sandbox Safely; Try All Features for Free. Understand malware behavior, collect IOCs, and easily map malicious actions to TTPs — all in our interactive sandbox.

SYSTEMBC Tool to Maintain Access

Kroll noted a significant surge in the use of the malicious “SYSTEMBC” tool for network access in Q2-Q3 of 2023. 

This tool was first seen in 2018, and the SYSTEMBC acts as a SOCKS5 proxy that provides threat actors with persistent access or a backdoor. 

Besides this, the SYSTEMBC is used by various threat actors in different campaigns and alongside a multitude of malware families.

Here below, we have mentioned all the malware families:-

  • RHYSIDIA
  • BLACKBASTA
  • CUBA
  • GOOTLOADER
  • COBALTSTRIKE
  • EMOTET

SYSTEMBC can be bought from the dark web as it includes malware, a C2 server, and a PHP admin portal. Kroll CTI explored its C2 server by revealing English and Russian setup instructions.

The C2 app has “server.exe” for Windows and “server.out” for Linux. The focus of the security analysts is on the Linux server. 

It opens ports for IPC (usually 4000) and C2 traffic (commonly 443). Active implants have ports ranging from 4001 to 49151.

The configuration details are in the binary, with labeled and padded port strings for easy identification.

Port Settings Within Binary with Visible Padding (Source - Kroll)
Port Settings Within Binary with Visible Padding (Source – Kroll)

Port 49151 suggests the developer’s familiarity with low-level programming like C or Assembly. In hex, it’s 0xBFFF, one less than 0xC000, which indicates an awareness of integer memory allocation. 

SYSTEMBC hints at possible Assembly code in the Linux Server binary as it’s in C. The rigid PHP panel script relies heavily on “if” statements, which favor echo over PHP’s nested HTML. The hardcoded port 4000 in the TCP connection setup implies a preferred configuration. 

The “secondsToTime” function was borrowed from Stack Overflow, revealing a mix of skills. The use of PHP might be practical since it suggests a focus on functionality over technology preference. 

While the control panel is completely crucial for attackers, it features a table with key machine details that highlights the C2 server ports for SOCKS traffic.

SYSTEMBC C2 Panel (Source - Kroll)
SYSTEMBC C2 Panel (Source – Kroll)

Core functionalities of SYSTEMBC:-

  • SOCKS5
  • Loader functionality
  • Module loading

SYSTEMBC poses a significant threat as RHYSIDA ransomware groups often use it to maintain access post-compromise. 

In a healthcare case, compromised credentials and a Citrix NetScaler vulnerability allowed SYSTEMBC deployment, enabling threat actors to perform further attacks with tools like Advanced Port Scanner, AnyDesk, and MegaSync.

However, the successful encryption also led to password changes, blocking IT access.

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Hybrid Analysis Utilizes Criminal IP’s Robust Domain Data for Better Malware Detection

Criminal IP, a renowned Cyber Threat Intelligence (CTI) search engine developed by AI SPERA,...

RCE Vulnerability (CVE-2024-30052) Allow Attackers To Exploit Visual Studio via Dump Files

The researcher investigated the potential security risks associated with debugging dump files in Visual...

Cacti Network Monitoring Tool Vulnerability Let Attackers Execute Remote Code

A critical security vulnerability has been identified in the Cacti network monitoring tool that...

Microsoft & DOJ Dismantles Hundreds of Websites Used by Russian Hackers

Microsoft and the U.S. Department of Justice (DOJ) have disrupted the operations of Star...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Hybrid Analysis Utilizes Criminal IP’s Robust Domain Data for Better Malware Detection

Criminal IP, a renowned Cyber Threat Intelligence (CTI) search engine developed by AI SPERA,...

RCE Vulnerability (CVE-2024-30052) Allow Attackers To Exploit Visual Studio via Dump Files

The researcher investigated the potential security risks associated with debugging dump files in Visual...

Cacti Network Monitoring Tool Vulnerability Let Attackers Execute Remote Code

A critical security vulnerability has been identified in the Cacti network monitoring tool that...