SystemBC Historical Bot Infections Special Report

Description

The Shadowserver Foundation released two (2) SystemBC Historical Bot Infections Special Reports in respect of the jurisdiction.

The first SystemBC Historical Bot Infections Special Report, released on the 31st May 2024, identifies hosts within the jurisdiction reported to have been infected with the SystemBC malware during the period 14th Feb 2023 to 28th May 2024.

The second SystemBC Historical Bot Infections Special Report, released on the 11th June 2024, identifies hosts within the jurisdiction reported to have been infected with the SystemBC malware during the period 16th May 2024 to 29th May 2024.

The information contained in the two special reports was provided to the Shadowserver Foundation by the Operation Endgame Law Enforcement partners following Operation Endgame, which was carried out between the 27th May 2024 and the 29th May 2024. The operation targeted botnets, such as SystemBC, which play a major role in the deployment of ransomware, and in particular the dropper ecosystem, which includes droppers such as IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee and Trickbot.

Malware 'droppers' and 'loaders' are used to gain access to a victim's computer, either dropping ransomware or other malicious software used to collect and steal personal and financial login information.

SystemBC Malware as a Service (MaaS) and Ransomware as a Service (RaaS) are adaptations of the Software as a Service (SaaS) model.

Ransomware affiliates receive significant payments or dividends for each successful cyberattack. As a consequence, they are motivated to spread the malicious software, rapidly scaling the ransomware operation over a short period of time.

Police services from several countries launched the multinational coordinated cyber operation called Operation Endgame, which was carried out between the 27th May 2024 and the 29th May 2024. The operation, which was coordinated by Europol from its headquarters in The Hague, the Netherlands, was led by France, Germany and the Netherlands, was supported by Eurojust (European Union Agency for Criminal Justice Cooperation) and involved Denmark, the United Kingdom and the United States. In addition, Armenia, Bulgaria, Lithuania, Portugal, Romania, Switzerland and Ukraine also supported the operation with different actions, such as arrests, interviewing suspects, searches, and seizures or takedowns of over one hundred (100) servers and domains. The operation was also supported by a number of private partners at national and international level, including Bitdefender, Cryptolaemus, Sekoia, Shadowserver, Team Cymru, Prodaft, Proofpoint, NFIR, Computest, Northwave, Fox-IT, HaveIBeenPwned, Spamhaus, DIVD, abuse.ch and Zscaler.

Both Special Reports have a default severity level of 'Critical'.

Problem

The first SystemBC Historical Bot Infections Special Report, released by the Shadowserver Foundation on the 31st May 2024, identifies hosts within the jurisdiction reported to have been infected with the SystemBC malware during the period 14th Feb 2023 to 28th May 2024.

The second SystemBC Historical Bot Infections Special Report, released by the Shadowserver Foundation on the 11th June 2024, identifies hosts within the jurisdiction reported to have been infected with the SystemBC malware during the period 16th May 2024 to 29th May 2024.

The data contained in the two Special Reports was provided to the Shadowserver Foundation by the Operation Endgame Law Enforcement partners with the objective of having the information disseminated to National CERTs/CSIRTs and network owners globally, in order to maximise the remediation efforts.

Shadowserver Foundation - SystemBC Historical Bot Infections Special Report - Tag Index.

Note: In the 'Tag' column of their SystemBC Historical Bot Infections Special Report, the Shadowserver Foundation uses the term systembc to indicate the SystemBC malware.

SystemBC Malware

No.: 1
Tag: systembc
Description: SystemBC is a multifunctional malware which can be easily adapted by attackers depending on their needs. In 2018, it was reported that the SystemBC platform had been offered for sale on various underground forums as a Malware as a Service (MaaS). The platform was made up of three separate parts: a command and control (C2) web server with an admin panel, a C2 proxy listener, and a backdoor payload for the target. It utilised SOCKS5 proxies to mask network traffic to and from the C2 web server using secure HTTP connections. Cybercriminals regard the SystemBC malware as an attractive tool because it allows multiple targets to be worked on simultaneously with automated tasks, allowing for hands-off deployment of ransomware using Windows built-in tools, provided the attackers have acquired the proper credentials. The latest variant of the SystemBC malware has switched from utilising SOCKS5 proxies to using the Tor network to encrypt and conceal the destination of C2 traffic. The SystemBC malware has evolved into providing Ransomware as a Service (RaaS) to various cybercriminal groups; it was reported to have been used as part of the attack chain by the DarkSide cybercriminal group in their ransomware attack on the Colonial Pipeline on the 7th May 2021, the largest cyberattack on an oil infrastructure target in the history of the United States. The SystemBC malware backdoor payload for the target is a Remote Administration Tool (RAT), reported to be capable of executing Windows commands and of delivering and executing scripts, malicious executables and dynamic link libraries (DLLs); it provides attackers with a persistent backdoor.
Advisory: Microsoft Security Intelligence - SystemBC
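The report rows a network owner receives are most useful once they are reduced to a per-host remediation list. The following is an added triage example, not part of the Shadowserver report or this advisory: it filters rows whose Tag is systembc, checks each sighting against the reporting window of the special report it came from (the windows stated above), and collapses repeated sightings of one IP into first seen, last seen and a count. The column names and the sample rows are constructed assumptions, not Shadowserver's actual schema.

```python
"""Triage a Shadowserver-style SystemBC report into a per-host list (added example)."""
import csv
import io
from datetime import datetime, timezone

UTC = timezone.utc

# Reporting windows of the two special reports, as stated in this advisory.
REPORT_WINDOWS = {
    "2024-05-31": (datetime(2023, 2, 14, tzinfo=UTC), datetime(2024, 5, 28, 23, 59, 59, tzinfo=UTC)),
    "2024-06-11": (datetime(2024, 5, 16, tzinfo=UTC), datetime(2024, 5, 29, 23, 59, 59, tzinfo=UTC)),
}

# Constructed sample rows (documentation IP ranges and ASNs); column names are assumed.
SAMPLE_CSV = """timestamp,ip,port,asn,tag,severity
2024-05-20 10:15:00,192.0.2.10,50123,64496,systembc,critical
2024-05-21 11:00:00,192.0.2.10,50124,64496,systembc,critical
2023-03-02 08:30:00,192.0.2.55,4431,64496,systembc,critical
2024-05-27 09:00:00,198.51.100.7,1080,64497,other-bot,high
"""


def parse_report(text):
    """Parse CSV text into rows, converting the timestamp column to aware datetimes."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=UTC)
    return rows


def systembc_hosts(rows, report_date):
    """Return {ip: summary} for systembc sightings inside the named report's window."""
    start, end = REPORT_WINDOWS[report_date]
    hosts = {}
    for row in rows:
        if row["tag"].strip().lower() != "systembc":
            continue  # other tags belong to other special reports
        if not start <= row["timestamp"] <= end:
            continue  # sighting outside the period this report claims to cover
        summary = hosts.setdefault(row["ip"], {
            "asn": row["asn"], "severity": row["severity"],
            "first_seen": row["timestamp"], "last_seen": row["timestamp"], "sightings": 0,
        })
        summary["first_seen"] = min(summary["first_seen"], row["timestamp"])
        summary["last_seen"] = max(summary["last_seen"], row["timestamp"])
        summary["sightings"] += 1
    return hosts


if __name__ == "__main__":
    for ip, s in systembc_hosts(parse_report(SAMPLE_CSV), "2024-05-31").items():
        print(ip, s["asn"], s["first_seen"].date(), s["last_seen"].date(), s["sightings"])
```

Each resulting entry maps to one device to scan, monitor and re-credential under the Recommendations below.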

Recommendations

Response to SystemBC malware.

1. Full anti-virus scan of infected device: It is recommended that a full anti-virus scan of the infected device is performed to ensure the successful removal of the SystemBC malware and of any Remote Administration Tool (RAT) (backdoor payload) inserted by the attackers. Windows Defender Anti-virus can be used for Windows 10 and Windows 8.1. Microsoft Security Essentials can be used for Windows 7 and Windows Vista.
2. Monitor infected device: It is recommended that the device reported to have been infected with the SystemBC malware is monitored, and continues to be monitored after the SystemBC malware has been successfully removed, for unusual or suspicious activity, to ensure the prevention of reinfection or attempted reinfection of the device.
3. Credentials: In the event of a confirmed SystemBC malware infection, it is recommended that login account passwords are changed and login accounts are monitored for unusual or suspicious activity.
4. Firewall: The firewall is an optimal policy enforcement point for protection from malware and advanced persistent threats. A firewall service that utilises Response Policy Zones (RPZs) with a threat intelligence (malware feed) service protects against malware and APTs by disrupting the ability of infected devices to communicate with command-and-control (C2) sites and botnets, preventing data exfiltration.
5. Access Control Lists: An Access Control List (ACL) contains rules predefined by the Network Administrator that grant or deny access to a system environment. Strict ACLs should be implemented to control which devices and networks are allowed to access and use the network servers. Networking ACLs manage network access by providing instructions to network switches and routers that specify the types of traffic that are allowed to interface with the network. These ACLs also specify user permissions once inside the network.
6. Block outdated and unused ports: On the perimeter firewall, it is recommended that communication from outdated or unused ports, protocols, and applications be blocked.
7. Ingress filtering: Ingress filtering is implemented as a predefined security rule on the perimeter firewall to ensure that incoming packets actually come from the networks from which they claim to originate; this is a countermeasure against spoofing attacks.
8. Egress filtering: Egress filtering is implemented as a predefined security rule on the perimeter firewall to monitor and restrict the flow of outbound packets from one network to another, to ensure that unauthorised or malicious traffic never leaves an internal network.

Additional Information

SystemBC Historical Bot Infections Special Report
WithSecure-Labs - Prelude to Ransomware: SystemBC.
UPGuard - What is Egregor Ransomware? One of the Worst Threats of 2020.
Proofpoint - SystemBC is like Christmas in July for SOCKS5 Malware and Exploit Kits.
Bitsight Security Research - SystemBC: The Multipurpose Proxy Bot Still Breathes.
vc0RExor - Malware-Threat-Reports - The Swiss Knife-SystemBC_EN.pdf.
Malpedia - https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc.
Walmart Global Tech Blog Jason Reaves - Inside the SystemBC Malware-As-A-Service.
Securelist by Kaspersky - Focus on DroxiDat/SystemBC.
Sophos - Ransomware operators use SystemBC RAT as off-the-shelf Tor backdoor.
The Hacker News - SystemBC Malware's C2 Server Analysis Exposes Payload Delivery Tricks.
BlackBerry - Threat Thursday: SystemBC – a RAT in the Pipeline.
SystemBC, a SWISS KNIFE Proxy Malware, Used by Numerous Ransomware Groups.
Kroll - Inside the SystemBC Command-and-Control Server.
Microsoft Security - DEV-0832 (Vice Society) opportunistic ransomware campaigns impacting US education sector.
Microsoft Security Intelligence - Trojan:Win32/SystemBC.SB.