Sophos security researchers just released new information regarding the SystemBC tool used in multiple ransomware attacks.
Similar approaches in how the tool is used could mean one or more ransomware-as-a-service affiliates deployed it. SystemBC is a backdoor providing persistent connection to targeted systems.
Evolution of the SystemBC tool
SystemBC, first discovered in 2019, has undergone development. The tool has been used as a proxy and a RAT (remote administrative tool), capable of executing Windows commands. Other capabilities include executing scripts, malicious executable, and DLL files. Once SystemBC is dropped on the system, it permits a backdoor connection to attackers.
The latest samples of the tool reveal it’s been evolving. These samples carry code that uses the Tor network to encrypt and hide the command-and-control traffic destination. The researchers have witnessed “hundreds of attempted SystemBC deployments worldwide.” Ransomware campaigns of Ryuk and Egregor families utilized the tool in combination with post-exploitation tools like Cobalt Strike. “In some cases, the SystemBC RAT was deployed to servers after the attackers have gained administrative credentials and moved deep into the targeted network,” Sophos says.
SystemBC’s Tor component
The Tor component in the tool is based on mini-tor, an open-source library for lightweight connectivity to Tor’s network.
The code of mini-Tor isn’t duplicated in SystemBC (since mini-Tor is written in C++ and SystemBC is compiled from C). But the bot’s implementation of the Tor client closely resembles the implementation used in the open-source program, including its extensive use of the Windows Crypto Next Gen (CNG) API’s Base Crypto (BCrypt) functions, the report reveals.
Other malicious capabilities
Once executed from a scheduled task, the bot collects specific system information, stores it in a buffer, and sends it to the command-and-control server via Tor. The collected information includes the following:
- Active Windows user name
- Windows build number for the infected system
- A WOW process check (to determine whether the system is 32-bit or 64-bit)
- Volume serial number.
Furthermore, the bot operators can deploy the command-and-control server to send various payloads back to the infected system for execution. “SystemBC can parse and execute EXE or DLL data blobs passed over the Tor connection, shell code, VBS scripts, Windows commands and batch scripts, and PowerShell scripts,” Sophos warns.
What do SystemBC’s capabilities mean for ransomware attacks?
Overall, the broad specter of the tool’s capabilities allows attacks to perform discovery, exfiltration, and lateral movement remotely with the help of packaged scripts and executables. The researchers say that “these capabilities were originally intended for mass exploitation, but they have now been folded into the toolkit for targeted attacks—including ransomware.”
Fortunately, SystemBC can be detected by many anti-malware tools. However, threat actors continue to use the tool successfully because they use “inconsistent malware protection across organizations or leverage legitimate credentials to disable malware protection.”
Milena Dimitrova
An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
Follow Me: