According to cybersecurity firm Sophos, some recent ransomware attacks used a set of tools associated with multiple types of ransomware and deployed in much the same way, which suggests that one or more ransomware-as-a-service affiliates are involved. And among those tools is SystemBC, which provides a persistent connection to victims’ systems.
The SystemBC backdoor is used in combination with other malware to perform exfiltration and lateral movement across multiple targets. SystemBC's capabilities were originally intended for exploitation, but they have now evolved into a toolkit for targeted attacks such as ransomware.
SystemBC RAT serving as a remote control
Malware operators send a number of payloads back to the infected system for execution, and SystemBC can parse and execute DLL/EXE data blobs delivered over the Tor connection, including shellcode, VBS scripts, batch scripts, Windows commands and PowerShell scripts.
For VBS, BAT and CMD commands, the bot creates a randomly named file in the %TEMP% directory and a scheduled task to run the script.
SystemBC checks for an MZ header in the data in order to know if it is a Windows executable, and if it is, then SystemBC loads it directly for execution without having to write a file. But if the data doesn’t have any MZ signature, the malware bot assumes it is shellcode and spawns a thread to execute it.
Once the data is determined to be DLL binary data, SystemBC loads it using execute_pe_from_mem_thread and calls the export function using call_dll_export_function_thread.
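As an added illustration (not code from Sophos or from SystemBC itself), the following Python triage helper applies the same MZ-header dispatch described above to a payload blob recovered from a C2 capture, so an analyst can label it as DLL, EXE, script or shellcode candidate before detonating it in a sandbox; the function names and the constructed sample headers are assumptions.

```python
import struct

IMAGE_FILE_DLL = 0x2000  # Characteristics flag in the PE IMAGE_FILE_HEADER


def _looks_like_text(data: bytes) -> bool:
    """True when the blob is plain printable ASCII, i.e. a VBS/BAT/CMD/PowerShell script."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False
    return all(c.isprintable() or c in "\r\n\t" for c in text)


def classify_blob(data: bytes) -> str:
    """Label a captured payload: 'dll' / 'exe' for a PE image (the MZ check SystemBC
    performs), 'script' for text, otherwise 'shellcode-candidate'."""
    if not data:
        return "empty"
    if data[:2] == b"MZ":
        # e_lfanew (offset 0x3C) points at the "PE\0\0" signature
        if len(data) < 0x40:
            return "malformed-pe"
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return "malformed-pe"
        # IMAGE_FILE_HEADER.Characteristics sits 22 bytes after the PE signature
        characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
        return "dll" if characteristics & IMAGE_FILE_DLL else "exe"
    if _looks_like_text(data):
        return "script"
    # No MZ signature and not text: the bot would treat this as raw shellcode
    return "shellcode-candidate"


def fake_pe(is_dll: bool) -> bytes:
    """Constructed minimal PE header (DOS stub + signature + file header) for testing."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew = 0x40
    characteristics = 0x2102 if is_dll else 0x0102
    file_header = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, characteristics)
    return bytes(hdr) + b"PE\0\0" + file_header


if __name__ == "__main__":
    # Constructed samples: a DLL header, a text script, and opaque non-PE bytes
    for sample in (fake_pe(True), b'Set o = CreateObject("WScript.Shell")', b"\x90\x90\xcc\xe8\0\0\0\0\x5b"):
        print(classify_blob(sample))
```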
How SystemBC has Evolved since 2019
SystemBC was first documented in August 2019 as a proxy malware that leverages the SOCKS5 internet protocol to mask traffic to command-and-control (CnC) servers and downloads a banking Trojan called DanaBot.
But it has since evolved into a toolset with new capabilities that allow it to use a Tor connection to encrypt the destination of its CnC communications and to provide attackers with a persistent backdoor for launching other attacks. The rise of commodity malware points to a new trend whereby ransomware is provided as a service to affiliates, as in the case of MountLocker, with the operators offering double extortion to affiliates.