SystemBC Malware Increasingly Used as Ransomware Backdoor

May 14, 2021 · 3 min read

A new version of SystemBC malware is increasingly leveraged by ransomware maintainers to pave their way into the targeted environments. Security experts indicate that top ransomware-as-a-service (RaaS) collectives, including DarkSide, Ryuk, and Cuba, leverage SystemBC as a persistent backdoor able to maintain access to the attacked instances and perform a variety of notorious activities.

What is SystemBC?

SystemBC is a multifunctional threat combining proxy and remote access Trojan (RAT) features. Initially discovered in 2019, the malware was predominantly used as a network proxy leveraging the SOCKS5 protocol for hidden communications. However, the threat has evolved in time, now being able to act as a RAT. Particularly, SystemBC can execute Windows commands, deliver nefarious scripts, and execute DLLs alongside second-stage executables.

Notably, the latest samples of SystemBC abandons SOCKS5 proxy in favor of using Tor anonymizing network to encrypt and camouflage the command-and-control (C&C) traffic. Also, in May 2021, security researchers spotted a new “wrapper” that leverages the process hollowing technique to deploy SystemBC to the targeted devices.

Upon infection, the malware serves for lateral movement, being chained with Cobalt Strike to execute password-stealing and discovery operations. Also, hackers frequently use SystemBC to achieve persistence and drop Powershell, .BAT, and .CMD scripts for further exploitation and ransomware delivery.

Ransomware Backdoor

SystemBC has been deployed in multiple ransomware attacks. The Ryuk gang leveraged the threat in phishing attacks alongside Buer loader and Bazar backdoor. Also, Egregor campaigns relied on SystemBC to gain persistence and proceed with ransomware infections. The infamous DarkSide gang, standing behind Colonial Pipeline’s shutdown in May 2021, also relied on SystemBC for infections. Finally, Cuba ransomware maintainers applied this malicious sample in course of their malicious activity.

Security experts summarize that SystemBC gains extreme popularity among ransomware operators due to its ability to covertly connect to C&C server via Tor network and provide adversaries with an additional tool to execute commands and scripts. The malicious sample helps hackers to automate the parts of intrusion and maximize the number of successful intrusions.

SystemBC Detection

To detect SystemBC infection and protect your infrastructure from possible ransomware attacks, you can download a community Sigma rule released in Threat Detection Marketplace by Emir Erdogan, our keen Threat Bounty developer:

The rule has translations to the following languages:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, LogPoint, Humio, RSA NetWitness, FireEye

EDR: SentinelOne, Microsoft Defender ATP,  CrowdStrike, Carbon Black


Tactics: Credential Access, Defense Evasion

Techniques: Exploitation for Credential Access (T1212), Modify Registry (T1112)

Get a free subscription to Threat Detection Marketplace, an industry-leading Content-as-a-Service (CaaS) platform that powers complete CI/CD workflow for threat detection by providing qualified, cross-vendor, and cross-tool SOC content. SOC Prime’s library aggregates over 100K queries, parsers, SOC-ready dashboards, YARA and Snort rules, Machine Learning models, and Incident Response Playbooks tailored to 23 market-leading SIEM, EDR, and NTDR technologies. Eager to craft your own detection content? Join our Threat Bounty Program and get rewarded for your input!

Go to Platform Join Threat Bounty

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts