Cyber Security News

Hackers Use SYSTEMBC Tool to Maintain Access to Compromised Network

To maintain access to compromised networks, hackers use specialized hacking tools. Such tools help the threat actors evade the detection mechanisms and maintain control over the compromised system.

This unauthorized access enables the threat actors to extract sensitive information from the compromised networks’ systems.

Cybersecurity researchers at Kroll recently discovered a malicious “SYSTEMBC” tool that hackers have been exploiting actively.

Free Trial

Streaming Malware Service

Open Suspicious Files & Links in the ANY RUN Sandbox Safely; Try All Features for Free. Understand malware behavior, collect IOCs, and easily map malicious actions to TTPs — all in our interactive sandbox.

SYSTEMBC Tool to Maintain Access

Kroll noted a significant surge in the use of the malicious “SYSTEMBC” tool for network access in Q2-Q3 of 2023. 

This tool was first seen in 2018, and the SYSTEMBC acts as a SOCKS5 proxy that provides threat actors with persistent access or a backdoor. 

Besides this, the SYSTEMBC is used by various threat actors in different campaigns and alongside a multitude of malware families.

Here below, we have mentioned all the malware families:-

  • CUBA

SYSTEMBC can be bought from the dark web as it includes malware, a C2 server, and a PHP admin portal. Kroll CTI explored its C2 server by revealing English and Russian setup instructions.

The C2 app has “server.exe” for Windows and “server.out” for Linux. The focus of the security analysts is on the Linux server. 

It opens ports for IPC (usually 4000) and C2 traffic (commonly 443). Active implants have ports ranging from 4001 to 49151.

The configuration details are in the binary, with labeled and padded port strings for easy identification.

Port Settings Within Binary with Visible Padding (Source – Kroll)

Port 49151 suggests the developer’s familiarity with low-level programming like C or Assembly. In hex, it’s 0xBFFF, one less than 0xC000, which indicates an awareness of integer memory allocation. 

SYSTEMBC hints at possible Assembly code in the Linux Server binary as it’s in C. The rigid PHP panel script relies heavily on “if” statements, which favor echo over PHP’s nested HTML. The hardcoded port 4000 in the TCP connection setup implies a preferred configuration. 

The “secondsToTime” function was borrowed from Stack Overflow, revealing a mix of skills. The use of PHP might be practical since it suggests a focus on functionality over technology preference. 

While the control panel is completely crucial for attackers, it features a table with key machine details that highlights the C2 server ports for SOCKS traffic.

SYSTEMBC C2 Panel (Source – Kroll)

Core functionalities of SYSTEMBC:-

  • SOCKS5
  • Loader functionality
  • Module loading

SYSTEMBC poses a significant threat as RHYSIDA ransomware groups often use it to maintain access post-compromise. 

In a healthcare case, compromised credentials and a Citrix NetScaler vulnerability allowed SYSTEMBC deployment, enabling threat actors to perform further attacks with tools like Advanced Port Scanner, AnyDesk, and MegaSync.

However, the successful encryption also led to password changes, blocking IT access.

Tushar Subhra Dutta

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

Sleepy Pickle Exploit Let Attackers Exploit ML Models And Attack End-Users

Hackers are targeting, attacking, and exploiting ML models. They want to hack into these systems to steal sensitive data, interrupt…

1 day ago

SolarWinds Serv-U Vulnerability Let Attackers Access sensitive files

SolarWinds released a security advisory for addressing a Directory Traversal vulnerability which allows a threat actor to read sensitive files…

1 day ago

Smishing Triad Hackers Attacking Online Banking, E-Commerce AND Payment Systems Customers

Hackers often attack online banking platforms, e-commerce portals, and payment systems for illicit purposes. Resecurity researchers have recently revealed that…

1 day ago

Threat Actor Claiming Leak Of 5 Million Ecuador’s Citizen Database

A threat actor has claimed responsibility for leaking the personal data of 5 million Ecuadorian citizens. The announcement was made…

1 day ago

Ascension Hack Caused By an Employee Who Downloaded a Malicious File

Ascension, a leading healthcare provider, has made significant strides in its investigation and recovery efforts following a recent cybersecurity breach.…

1 day ago

AWS Announced Malware Detection Tool For S3 Buckets

Amazon Web Services (AWS) has announced the general availability of Amazon GuardDuty Malware Protection for Amazon Simple Storage Service (Amazon…

1 day ago