SystemBC malware has been used by hackers at least since 2019, when Proofpoint released a detailed analysis of the trojan and its methods of infection. The malware is sold on underground hacking forums and is touted for its ability to use the SOCKS5 proxy protocol to hide an attacker’s C&C servers. More recently, it has been a documented part of  several ransomware campaigns, lending its services to Ryuk, Maze and Egregor ransomware groups.

There are multiple possible reasons for the popularity of this trojan among ransomware groups. First, the usage of a proxy protocol in a malware might make it easier to use in a late stage of a breach, where network defenses might be tighter and harder to penetrate. Secondly, Sophos has revealed that the malware is well suited for operations with multiple infected devices because of its automated tasks feature, which enables hands-off deployment of the ransomware.

A recent blog post by F-Secure has revealed a new variant of this malware which employs process-hollowing to hide its payload from static analysis. The packer/injector  used by the malware is also obfuscated with a compiler-based technique named control flow flattening, which modifies the normal flow of the program and makes static analysis impossible.

A look of the obfuscation in IDA’s graph:

Considering its active development and how widespread it has become, we assume that SystemBC is here to stay. In other words, we expect to see more cyber criminals employing this malware in their attacks, and along with that enhancing its evasiveness.

Minerva Labs prevents the latest SystemBC variant using our Memory Injection Prevention module:

 

References:

IOCs:

2dc93817039e6fa4fae014e1386cffa7ac35b89feac59d8abe7f51be1c089580

 

For a full demonstration of Minerva Lab’s award winning ransomware protection platform, contact us using the form below.