
Ransomware attackers are using SystemBC malware with RAT and Tor proxy capabilities


Cybercriminals are increasingly outsourcing the task of deploying ransomware to affiliates, who use commodity malware and attack tools to do it, according to new research.

In a new analysis released today by Sophos and shared with this publication, recent deployments of Ryuk and Egregor ransomware involved using SystemBC backdoors to move laterally across the victim network and fetch additional payloads for further exploitation.

Affiliates are typically the threat actors responsible for gaining an initial foothold in the target network.


“SystemBC is a regular part of recent ransomware attackers’ toolkits,” said Sean Gallagher, senior threat researcher at Sophos and a former national security editor at Ars Technica.

“Backdoors can be used in conjunction with other scripts and malware to automate discovery, penetration, and lateral movement across multiple targets. Originally intended for mass exploitation, these SystemBC features have now been folded into targeted toolkits for attacks, including ransomware.”

SystemBC, first documented by Proofpoint in August 2019, is a proxy malware that uses the SOCKS5 proxy protocol to mask traffic to and from command-and-control (C2) servers; at the time it was observed downloading the DanaBot banking trojan.

Since then, the SystemBC RAT has expanded its toolset and added new features that let it encrypt C2 traffic and hide its destination behind a Tor connection, giving an attacker a durable backdoor from which to launch further attacks.
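Because SystemBC's core function is a SOCKS5 proxy, the cheapest network-side check for its presence is to recognise SOCKS5 handshakes where no proxy should exist, for example between two workstations or from a workstation to an unexpected external host. The parser below is an added example written for this page, not Sophos or SystemBC code; it implements the two client messages defined in RFC 1928 (the method-selection greeting and the CONNECT/BIND/UDP request), extracts the requested destination, and runs over a handful of constructed byte samples. The flow names and sample destinations are assumptions made for the demonstration.

```python
"""
Minimal SOCKS5 client-handshake parser for traffic triage.

Added example, not Sophos or SystemBC code. It recognises the two
client-side messages of RFC 1928 that any SOCKS5 proxy backdoor must
handle (method-selection greeting, then a request carrying the real
destination) so an analyst can pull the tunnelled destination out of a
capture and check it against C2 or Tor-relay lists.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


@dataclass
class Socks5Request:
    command: str
    host: str
    port: int


def parse_greeting(data: bytes) -> Optional[List[int]]:
    """Return the offered auth methods if `data` is a well-formed SOCKS5 greeting, else None."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    nmethods = data[1]
    if nmethods == 0 or len(data) != 2 + nmethods:
        return None
    return list(data[2:])


def parse_request(data: bytes) -> Optional[Socks5Request]:
    """Parse VER CMD RSV ATYP DST.ADDR DST.PORT; return None on any malformed or truncated input."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        return None
    cmd, atyp = data[1], data[3]
    if cmd not in CMD_NAMES:
        return None
    body = data[4:]
    if atyp == ATYP_IPV4:
        addr_len = 4
        if len(body) != addr_len + 2:
            return None
        host = str(ipaddress.IPv4Address(body[:4]))
    elif atyp == ATYP_IPV6:
        addr_len = 16
        if len(body) != addr_len + 2:
            return None
        host = str(ipaddress.IPv6Address(body[:16]))
    elif atyp == ATYP_DOMAIN:
        if not body:
            return None
        addr_len = 1 + body[0]  # one length octet followed by the name
        if len(body) != addr_len + 2:
            return None
        host = body[1:addr_len].decode("ascii", errors="replace")
    else:
        return None
    port = struct.unpack("!H", body[addr_len:addr_len + 2])[0]
    return Socks5Request(CMD_NAMES[cmd], host, port)


def classify_flow(client_messages: List[bytes]) -> Optional[Socks5Request]:
    """Flag a client->server flow as SOCKS5 tunnelling when it opens with a greeting
    followed by a valid request; returns the tunnelled destination or None."""
    if len(client_messages) < 2 or parse_greeting(client_messages[0]) is None:
        return None
    return parse_request(client_messages[1])


# Constructed sample flows (first two client messages of each TCP stream).
CONSTRUCTED_FLOWS = {
    # greeting offering no-auth, then CONNECT to 203.0.113.10:443 (documentation address)
    "proxied_https": [b"\x05\x01\x00", b"\x05\x01\x00\x01\xcb\x00\x71\x0a\x01\xbb"],
    # greeting, then CONNECT to a hostname on port 8443 (0x20fb)
    "proxied_hostname": [b"\x05\x01\x00", b"\x05\x01\x00\x03\x0bexample.com\x20\xfb"],
    # plain HTTP, not a SOCKS handshake
    "plain_http": [b"GET / HTTP/1.1\r\n", b"Host: example.com\r\n"],
    # greeting followed by a truncated request: must not be mis-parsed
    "truncated": [b"\x05\x01\x00", b"\x05\x01\x00\x01\xcb\x00"],
}

if __name__ == "__main__":
    for name, msgs in CONSTRUCTED_FLOWS.items():
        req = classify_flow(msgs)
        verdict = f"SOCKS5 {req.command} to {req.host}:{req.port}" if req else "not SOCKS5"
        print(f"{name:18s} -> {verdict}")
```

In practice this check is applied to reassembled TCP streams rather than raw packets, and a hit is only interesting in context: SOCKS5 from a workstation to another internal host, or to an Internet address that is not an approved proxy, is the pattern worth alerting on.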

The researchers note that SystemBC has been used in a variety of ransomware attacks, usually alongside other post-exploitation tools such as Cobalt Strike, with its proxy and remote-access capabilities used to parse and execute malicious shell commands, VBS scripts, and DLLs sent over the anonymised connection.

SystemBC appears to have been only one of many commodity tools deployed in these attacks, which began with phishing emails that delivered malware loaders such as Buer Loader, Zloader, and Qbot. That led the researchers to suspect the attacks were launched either by affiliates of the ransomware operators or by the ransomware operators themselves through multiple malware-as-a-service providers.

“These features provide an off-the-shelf capability for attackers to perform discovery, penetration, and lateral movement using packaged scripts and executables without needing hands on the keyboard,” the researchers said.

The rise of commodity malware also points to a trend in which ransomware is offered to affiliates as a service. MountLocker is one example: its operators provide affiliates with double-extortion capabilities so they can distribute the ransomware with minimal effort.

“Using multiple tools in ransomware-as-a-service attacks creates an increasingly diverse set of attack profiles that are more difficult for IT security teams to predict and respond to,” Gallagher said. “Defense in depth, employee training, and human-led threat hunting are critical to detecting and preventing such attacks.”