Analysis Reveals Intricate Tactics of SystemBC Malware’s Command-and-Control Server

Cybersecurity researchers have uncovered crucial insights into the operations of the SystemBC malware’s command-and-control (C2) servers, shedding light on the modus operandi of this well-known malware family. In an analysis released last week, Kroll, a risk and financial advisory solutions provider, detailed the functionality of SystemBC, emphasizing its prevalence in cyber threats throughout Q2 and Q3 2023.

SystemBC, first identified in 2018, is available for purchase on underground markets and is distributed in an archive that includes the implant, a C2 server, and a web administration portal written in PHP. This malware enables threat actors to take control of compromised hosts and deliver various payloads, such as trojans, Cobalt Strike, and ransomware. Notably, it supports the on-the-fly deployment of additional modules to enhance its core functionality.

A distinctive feature of SystemBC lies in its use of SOCKS5 proxies to conceal network traffic to and from its C2 infrastructure, serving as a persistent access mechanism for post-exploitation activities. Customers acquiring SystemBC receive an installation package comprising the implant executable, Windows and Linux binaries for the C2 server, and a PHP file for the C2 panel interface. Instructions in both English and Russian guide users on the installation process and command execution.
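The SOCKS5 exchange referred to above follows RFC 1928: the client sends a greeting (version, method count, methods) and then a request (version, command, reserved byte, address type, destination address, port). The following parser is an added example, not code from Kroll's report or from SystemBC, and it only shows the generic protocol frames; the page does not specify how the implant frames or encrypts its own C2 traffic, so the sample payloads below are constructed for illustration. It lets an analyst recognise SOCKS5 CONNECT requests in captured client-to-server payloads, which is the kind of artifact a host acting as an unexpected proxy would produce.

```python
import ipaddress

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}


def parse_socks5_greeting(data: bytes):
    """Return (auth_methods, bytes_consumed) for an RFC 1928 client greeting, or None."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    nmethods = data[1]
    if nmethods == 0 or len(data) < 2 + nmethods:
        return None
    return list(data[2:2 + nmethods]), 2 + nmethods


def parse_socks5_request(data: bytes):
    """Parse an RFC 1928 request header: VER CMD RSV ATYP DST.ADDR DST.PORT."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        return None
    cmd, atyp = data[1], data[3]
    if cmd not in CMD_NAMES:
        return None
    if atyp == 0x01:          # IPv4: 4 raw bytes
        off, addr_len = 4, 4
        if len(data) < off + addr_len:
            return None
        host = str(ipaddress.IPv4Address(bytes(data[off:off + addr_len])))
    elif atyp == 0x04:        # IPv6: 16 raw bytes
        off, addr_len = 4, 16
        if len(data) < off + addr_len:
            return None
        host = str(ipaddress.IPv6Address(bytes(data[off:off + addr_len])))
    elif atyp == 0x03:        # domain name: 1-byte length prefix
        if len(data) < 5:
            return None
        off, addr_len = 5, data[4]
        if len(data) < off + addr_len:
            return None
        host = data[off:off + addr_len].decode("ascii", errors="replace")
    else:
        return None
    end = off + addr_len
    if len(data) < end + 2:
        return None
    port = int.from_bytes(data[end:end + 2], "big")
    return {"cmd": CMD_NAMES[cmd], "host": host, "port": port}


def find_socks5_flows(flows):
    """flows: {flow_id: [client payload chunks in order]}.

    A flow is flagged when its first chunk is a valid greeting and its second
    chunk is a valid request; returns [(flow_id, parsed_request), ...].
    """
    hits = []
    for flow_id, chunks in flows.items():
        if len(chunks) < 2 or parse_socks5_greeting(chunks[0]) is None:
            continue
        req = parse_socks5_request(chunks[1])
        if req is not None:
            hits.append((flow_id, req))
    return hits


# Constructed sample capture (not real SystemBC traffic): two SOCKS5 flows and one
# ordinary HTTP request, as the client-to-server chunks of each connection.
SAMPLE_FLOWS = {
    "flow-a": [b"\x05\x01\x00",
               b"\x05\x01\x00\x01" + bytes([203, 0, 113, 7]) + b"\x1f\x90"],
    "flow-b": [b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"],
    "flow-c": [b"\x05\x01\x00",
               b"\x05\x01\x00\x03\x0bexample.com\x01\xbb"],
}

if __name__ == "__main__":
    for flow_id, req in find_socks5_flows(SAMPLE_FLOWS):
        print(f"{flow_id}: SOCKS5 {req['cmd']} to {req['host']}:{req['port']}")
```

Only the greeting-then-request ordering is checked, so the parser is deliberately strict: a legitimate SOCKS proxy on a known host will match too, which is why a hit should be correlated with the process owning the socket and with the list of approved proxies rather than treated as proof of compromise on its own.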

The C2 server executables for Windows and Linux open multiple TCP ports to facilitate C2 traffic, inter-process communication (IPC) with the PHP-based panel interface (typically port 4000), and one for each active implant or bot. Additional files record information about the interactions of the implant, acting as a proxy and loader, as well as details regarding victims.

The PHP-based panel is minimalist, displaying a list of active implants and serving as a conduit to run shellcode and arbitrary files on compromised machines. The researchers note that the shellcode functionality extends beyond a reverse shell, offering full remote capabilities injectable into the implant at runtime, providing a less conspicuous alternative to spawning cmd.exe for a reverse shell.

In a related development, the researchers also presented an analysis of an updated version of DarkGate (version 5.2.3), a remote access trojan (RAT). DarkGate allows attackers to fully compromise victim systems, extract sensitive data, and distribute additional malware.

The analysis identified a weakness in DarkGate’s custom Base64 alphabet, making it relatively simple to decode on-disk configurations and keylogging outputs. This revelation provides forensic analysts with the ability to decode configuration and keylogger files without requiring prior knowledge of the hardware ID, exposing keystrokes stolen by DarkGate, including typed passwords and sensitive information.
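A custom Base64 alphabet is only a permutation of the standard one, so once the alphabet is known, decoding is a character-for-character translation back to standard Base64. The following is an added example for forensic use, not Kroll's tooling and not DarkGate's real alphabet (the page does not publish it); `DEMO_ALPHABET` is a constructed placeholder, and the sample records are constructed here so the script runs offline. It shows how an analyst would decode a file of custom-Base64 records once the alphabet has been recovered.

```python
import base64
import string

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Constructed placeholder: a rotation of the standard alphabet. This is NOT the
# alphabet used by DarkGate; substitute the recovered one when analysing a sample.
DEMO_ALPHABET = STD_ALPHABET[13:] + STD_ALPHABET[:13]


def _check_alphabet(alphabet: str) -> None:
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must be 64 distinct symbols")


def custom_b64_encode(raw: bytes, alphabet: str, pad: str = "=") -> str:
    """Encode with a custom alphabet (used here only to build test data)."""
    _check_alphabet(alphabet)
    table = str.maketrans(STD_ALPHABET + "=", alphabet + pad)
    return base64.b64encode(raw).decode("ascii").translate(table)


def custom_b64_decode(text: str, alphabet: str, pad: str = "=") -> bytes:
    """Translate custom symbols back to the standard alphabet, then decode."""
    _check_alphabet(alphabet)
    cleaned = "".join(ch for ch in text if not ch.isspace())
    table = str.maketrans(alphabet + pad, STD_ALPHABET + "=")
    std = cleaned.translate(table)
    std += "=" * (-len(std) % 4)          # restore padding if the writer dropped it
    # validate=True rejects symbols outside the alphabet instead of silently skipping them
    return base64.b64decode(std, validate=True)


def decode_records(blob: str, alphabet: str) -> list:
    """Decode a text file of one custom-Base64 record per line; bad lines are reported, not dropped."""
    out = []
    for lineno, line in enumerate(blob.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            out.append(custom_b64_decode(line, alphabet).decode("utf-8", errors="replace"))
        except (ValueError, base64.binascii.Error) as exc:
            out.append(f"<line {lineno}: undecodable: {exc}>")
    return out


# Constructed sample "keylog" file: three records encoded with the placeholder alphabet.
SAMPLE_RECORDS = "\n".join(
    custom_b64_encode(s.encode("utf-8"), DEMO_ALPHABET)
    for s in ["[window] Notepad", "[keys] hello world", "[keys] <enter>"]
)

if __name__ == "__main__":
    for rec in decode_records(SAMPLE_RECORDS, DEMO_ALPHABET):
        print(rec)
```

The translation-table approach is the right one for this job because it keeps the well-tested standard decoder in the loop and makes the only moving part, the alphabet string, explicit and easy to swap per sample.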

To defend against threats like SystemBC, organizations should implement robust cybersecurity measures, including advanced threat detection systems and regular security audits. Employee training on recognizing phishing attempts and maintaining a strong incident response plan can enhance overall resilience. Additionally, ensuring that security software is up to date and actively monitoring for unusual network activity are key elements in preventing the infiltration of sophisticated malware like SystemBC.