Wednesday, March 26, 2025
HomeCyber AttackHackers Use SYSTEMBC Tool to Maintain Access to Compromised Network

Hackers Use SYSTEMBC Tool to Maintain Access to Compromised Network

Published on

SIEM as a Service

Follow Us on Google News

To maintain access to compromised networks, hackers use specialized hacking tools. Such tools help the threat actors evade the detection mechanisms and maintain control over the compromised system.

This unauthorized access enables the threat actors to extract sensitive information from the compromised networks’ systems.

Cybersecurity researchers at Kroll recently discovered a malicious “SYSTEMBC” tool that hackers have been exploiting actively.

Document
Free Trial

Streaming Malware Service

Open Suspicious Files & Links in the ANY RUN Sandbox Safely; Try All Features for Free. Understand malware behavior, collect IOCs, and easily map malicious actions to TTPs — all in our interactive sandbox.

SYSTEMBC Tool to Maintain Access

Kroll noted a significant surge in the use of the malicious “SYSTEMBC” tool for network access in Q2-Q3 of 2023. 

This tool was first seen in 2018, and the SYSTEMBC acts as a SOCKS5 proxy that provides threat actors with persistent access or a backdoor. 

Besides this, the SYSTEMBC is used by various threat actors in different campaigns and alongside a multitude of malware families.

Here below, we have mentioned all the malware families:-

  • RHYSIDIA
  • BLACKBASTA
  • CUBA
  • GOOTLOADER
  • COBALTSTRIKE
  • EMOTET

SYSTEMBC can be bought from the dark web as it includes malware, a C2 server, and a PHP admin portal. Kroll CTI explored its C2 server by revealing English and Russian setup instructions.

The C2 app has “server.exe” for Windows and “server.out” for Linux. The focus of the security analysts is on the Linux server. 

It opens ports for IPC (usually 4000) and C2 traffic (commonly 443). Active implants have ports ranging from 4001 to 49151.

The configuration details are in the binary, with labeled and padded port strings for easy identification.

Port Settings Within Binary with Visible Padding (Source - Kroll)
Port Settings Within Binary with Visible Padding (Source – Kroll)

Port 49151 suggests the developer’s familiarity with low-level programming like C or Assembly. In hex, it’s 0xBFFF, one less than 0xC000, which indicates an awareness of integer memory allocation. 

SYSTEMBC hints at possible Assembly code in the Linux Server binary as it’s in C. The rigid PHP panel script relies heavily on “if” statements, which favor echo over PHP’s nested HTML. The hardcoded port 4000 in the TCP connection setup implies a preferred configuration. 

The “secondsToTime” function was borrowed from Stack Overflow, revealing a mix of skills. The use of PHP might be practical since it suggests a focus on functionality over technology preference. 

While the control panel is completely crucial for attackers, it features a table with key machine details that highlights the C2 server ports for SOCKS traffic.

SYSTEMBC C2 Panel (Source - Kroll)
SYSTEMBC C2 Panel (Source – Kroll)

Core functionalities of SYSTEMBC:-

  • SOCKS5
  • Loader functionality
  • Module loading

SYSTEMBC poses a significant threat as RHYSIDA ransomware groups often use it to maintain access post-compromise. 

In a healthcare case, compromised credentials and a Citrix NetScaler vulnerability allowed SYSTEMBC deployment, enabling threat actors to perform further attacks with tools like Advanced Port Scanner, AnyDesk, and MegaSync.

However, the successful encryption also led to password changes, blocking IT access.

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Google Chrome Zero-Day Vulnerability Actively Exploited in the Wild

Google has released an urgent update for its Chrome browser to patch a zero-day...

CISA Highlights Four ICS Flaws Being Actively Exploited

The Cybersecurity and Infrastructure Security Agency (CISA) released four significant Industrial Control Systems (ICS)...

New Windows Zero-Day Vulnerability Exposes NTLM Credentials – Unofficial Patch Available

A new zero-day vulnerability has been discovered in Windows, impacting all versions from Windows...

Cybercriminals Bypass Security Using Legitimate Tools & Browser Extensions to Deliver Malware

In the second half of 2024, cybercriminals have increasingly leveraged legitimate Microsoft tools and...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Google Chrome Zero-Day Vulnerability Actively Exploited in the Wild

Google has released an urgent update for its Chrome browser to patch a zero-day...

CISA Highlights Four ICS Flaws Being Actively Exploited

The Cybersecurity and Infrastructure Security Agency (CISA) released four significant Industrial Control Systems (ICS)...

New Windows Zero-Day Vulnerability Exposes NTLM Credentials – Unofficial Patch Available

A new zero-day vulnerability has been discovered in Windows, impacting all versions from Windows...