Published on August 2nd, 2019

New SystemBC proxy malware now being distributed through RIG, Fallout exploit kits, warn researchers

SystemBC is thought to be part of a wider campaign that aims to infect systems with other malware

Researchers at cyber security firm Proofpoint have identified a new proxy malware programme, dubbed SystemBC, capable of evading detection by security tools.

They warn that it is now being distributed via the Fallout and RIG exploit kits (EKs), which means that it is likely to be more widely deployed. 

According to Proofpoint, SystemBC is part of a wider campaign that aims to infect systems with various other forms of malware such as Danabot banking trojan.

Security specialists at Proofpoint first noticed SystemBC on 4th June when it was being distributed via Fallout EK.

On 6th June, the researchers observed an increase in Fallout activity, which resulted in the delivery of both SystemBC and Danabot banking trojan.

The threat actors also dropped a PowerEnum PowerShell script, which is commonly used by attackers for device fingerprinting and for exfiltrating stolen data to C2 servers. In this case, however, PowerEnum was observed "instructing the download of Danabot Affid 4 and a proxy malware DLL".

The researchers observed SystemBC malware again in July, this time being delivered by the Amadey Loader, which, in turn, was distributed by RIG.

SystemBC malware is written in C++ and uses SOCKS5 to evade detection. The SOCKS5 proxies that the malware sets up on victim machines let its operators create a tunnel that bypasses internet content filters or skirts local firewalls. The proxies also let the operators establish a connection to a command-and-control (C2) server while hiding their real IP address.
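Because a SOCKS5 handshake has a fixed, easily recognised shape (RFC 1928: a version byte of 0x05, an offered list of authentication methods, then a CONNECT/BIND/UDP request carrying the destination), defenders can look for it in network captures and flag handshakes whose server side is not a sanctioned proxy. The following parser and scan are an added example for detection engineering, not code from Proofpoint, from the article, or from the malware; the flows, the `KNOWN_PROXIES` allowlist and the `find_unexpected_socks5` helper are constructed for illustration.

```python
"""Spot SOCKS5 handshakes (RFC 1928) in captured TCP payloads that are not headed to
an approved proxy. Added example for detection engineering; the sample flows and the
proxy allowlist below are constructed, not real captures."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


@dataclass
class Socks5Request:
    command: str
    dest_host: str
    dest_port: int


def parse_greeting(payload: bytes) -> Optional[List[int]]:
    """Client greeting: VER NMETHODS METHODS. Returns the offered auth methods, or None."""
    if len(payload) < 2 or payload[0] != SOCKS_VERSION:
        return None
    nmethods = payload[1]
    if nmethods == 0 or len(payload) != 2 + nmethods:
        return None
    return list(payload[2:])


def parse_request(payload: bytes) -> Optional[Socks5Request]:
    """Client request: VER CMD RSV ATYP DST.ADDR DST.PORT. Returns None if malformed."""
    if len(payload) < 4 or payload[0] != SOCKS_VERSION or payload[2] != 0x00:
        return None
    cmd = CMD_NAMES.get(payload[1])
    if cmd is None:
        return None
    atyp = payload[3]
    if atyp == ATYP_IPV4:
        start, end = 4, 8
    elif atyp == ATYP_IPV6:
        start, end = 4, 20
    elif atyp == ATYP_DOMAIN:
        if len(payload) < 5:
            return None
        start, end = 5, 5 + payload[4]      # one length byte, then the name
    else:
        return None
    if len(payload) != end + 2:             # address bytes plus a 2-byte port, nothing else
        return None
    raw = payload[start:end]
    if atyp == ATYP_DOMAIN:
        host = raw.decode("ascii", errors="replace")
    else:
        host = str(ipaddress.ip_address(raw))  # accepts packed 4- or 16-byte addresses
    (port,) = struct.unpack("!H", payload[end:])
    return Socks5Request(cmd, host, port)


def find_unexpected_socks5(flows, known_proxies):
    """Flag flows whose first two client payloads form a SOCKS5 greeting plus request
    and whose server side is not on the allowlist of sanctioned proxies."""
    hits = []
    for flow in flows:
        chunks = flow["client_payloads"]
        if len(chunks) < 2 or parse_greeting(chunks[0]) is None:
            continue
        request = parse_request(chunks[1])
        if request is None or flow["dst"] in known_proxies:
            continue
        hits.append({"src": flow["src"], "dst": flow["dst"],
                     "dport": flow["dport"], "request": request})
    return hits


KNOWN_PROXIES = {"10.0.0.250"}           # constructed allowlist of sanctioned proxies

SAMPLE_FLOWS = [                          # constructed flows, not real captures
    {"src": "10.0.0.12", "dst": "203.0.113.7", "dport": 4000,
     "client_payloads": [b"\x05\x01\x00",                        # greeting: no-auth
                         b"\x05\x01\x00\x03\x0bexample.net\x01\xbb"]},  # CONNECT example.net:443
    {"src": "10.0.0.15", "dst": "10.0.0.250", "dport": 1080,    # sanctioned proxy
     "client_payloads": [b"\x05\x01\x00",
                         b"\x05\x01\x00\x01\xc0\xa8\x00\x01\x00\x50"]},
    {"src": "10.0.0.17", "dst": "198.51.100.9", "dport": 443,   # TLS ClientHello, not SOCKS
     "client_payloads": [b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"]},
]

if __name__ == "__main__":
    for hit in find_unexpected_socks5(SAMPLE_FLOWS, KNOWN_PROXIES):
        r = hit["request"]
        print(f"{hit['src']} -> {hit['dst']}:{hit['dport']} "
              f"SOCKS5 {r.command} {r.dest_host}:{r.dest_port}")
```

Run against the constructed flows, only the first one is reported: it is a well-formed SOCKS5 CONNECT to a server that is not an approved proxy. The TLS flow never parses as a greeting, and the handshake to the sanctioned proxy is suppressed by the allowlist, which is the knob a team tunes to its own environment.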

So far, SystemBC has been found mainly in Asia, where high levels of Windows piracy commonly lead to unpatched systems.

Proofpoint researchers also revealed that they spotted SystemBC creators advertising an unnamed malware strain on an underground hacking forum in April, which appeared to be SystemBC. The advertisement also included images of the SystemBC backend.

Researchers also believe that the operators of Maze ransomware and the DanaBot banking trojan likely used EKs to infect hosts and then used the proxy capabilities of SystemBC to hide malicious traffic.

Proofpoint has advised organisations to regularly update and patch their Windows client and server OS as well as infrastructure devices to protect their systems from malware attacks. Legacy Windows systems susceptible to EKs such as Fallout should also be retired, according to Proofpoint.

EKs are web-based tools that exploit browser vulnerabilities to implant malware on computers. Sometimes they also redirect users to malicious pages that trick them into installing other malware-laden apps.

In 2015, a report by Trustwave suggested that attackers were making a 1,425 per cent return on investment from exploit kits and ransomware schemes.
