Recent Ransomware Attacks Utilize Advanced Version of SystemBC as Tor Backdoor


Monday, January 4th, 2021

Investigations by researchers into recent ransomware attacks have noted an increased use of the backdoor malware SystemBC. First seen in 2019, SystemBC is a proxy and remote administration tool named after a string in the URI used by its control panel. It acts both as a network proxy for concealed communications and as a remote administration tool (RAT) capable of executing Windows commands and of delivering and executing scripts, malicious executables and dynamic link libraries (DLLs). Once delivered by other malware, SystemBC provides attackers with a persistent backdoor.

Since it was first observed, SystemBC has continued to evolve both in how it is used and in the features it offers. The most recent version observed uses the Tor anonymizing network to encrypt its command-and-control traffic and conceal its destination. SystemBC was used in the recent Ryuk and Egregor attacks investigated by Sophos MTR’s Rapid Response team, often in combination with post-exploitation tools such as Cobalt Strike. In some cases the SystemBC RAT was deployed to servers only after the attackers had obtained administrative credentials and moved deep into the targeted network.

In the September Ryuk attack, SystemBC was deployed on the target network’s domain controller, apparently by Cobalt Strike, as was also the case in the November Egregor attack. In both attacks SystemBC was one of many tools used to establish persistence in the targeted network. All of these attacks appear to have been launched by affiliates of the ransomware operators, or by the ransomware gangs themselves, working through multiple malware-as-a-service providers. They involved days or weeks of dwell time on the targets’ networks and the exfiltration of data. SystemBC is attractive in these operations because it lets attackers work on multiple targets at the same time with automated tasks, allowing hands-off deployment of ransomware with Windows built-in tools once the attackers have obtained the necessary credentials.

Fortunately, SystemBC is detected by many anti-malware tools. Attackers nevertheless continue to use it successfully in specific situations, either because malware protection is deployed inconsistently across an organization or because they use legitimate credentials to disable some of that protection.
