SystemBC Malware’s C2 Server Analysis Exposes Payload Delivery Tricks


Cybersecurity researchers have shed light on the command-and-control (C2) server of a well-known malware family called SystemBC.

“SystemBC can be purchased on underground marketplaces and comes in an archive with the implant, a command-and-control (C2) server and a web management portal written in PHP,” Kroll said in an analysis published last week.

The risk and financial advisory solutions provider said it has witnessed an increase in the use of the malware in the second and third quarters of 2023.

First observed in the wild in 2018, SystemBC allows threat actors to remotely control a compromised host and deliver additional payloads including Trojans, Cobalt Strike, and ransomware. It also supports directly launching additional modules to extend core functionality.

A notable aspect of the malware revolves around the use of SOCKS5 proxies to mask network traffic to and from the C2 infrastructure, acting as a persistent post-exploitation access mechanism.

Customers who purchase SystemBC receive an installation package containing the implant executable, Windows and Linux binaries for the C2 server, and a PHP file that renders the C2 panel interface, along with instructions in English and Russian that describe the setup and operating steps in detail.


The C2 server executables – “server.exe” for Windows and “server.out” for Linux – are designed to open no fewer than three TCP ports: one for C2 traffic, one for inter-process communication (IPC) between the server and the PHP-based panel interface (usually port 4000), and one for each active implant (also called a bot).

The server component also uses three other files to record information about the implant’s interaction as a proxy and loader, as well as details regarding the victims.

The PHP-based panel, on the other hand, is minimalist in nature and displays a list of active implants at any time. Furthermore, it acts as a channel to execute shellcode and arbitrary files on a victim machine.

“The shellcode functionality is not just limited to a reverse shell, but also has full remote capabilities that can be injected into the implant at runtime, while being less obvious than spawning cmd.exe for a reverse shell,” according to Kroll researchers.

The development comes as the company also shared an analysis of an updated version of DarkGate (version 5.2.3), a remote access Trojan (RAT) that allows attackers to completely compromise victim systems, siphon sensitive data and spread more malware.

“The version of DarkGate that was analyzed shuffles the Base64 alphabet used when the program was initialized,” said security researcher Sean Straw. “DarkGate swaps the last character with any character before it, moving from back to front in the alphabet.”

Kroll said it has identified a weakness in this custom Base64 alphabet that makes it trivial to decrypt the on-disk configuration and keylogging output, which are encrypted using the alphabet and stored in an exfiltration folder on the system.

“This analysis allows forensic analysts to decrypt the configuration and keylogger files without first having to determine the hardware ID,” Straw said. “The keylogger output files contain keystrokes stolen by DarkGate, including typed passwords, composed emails, and other sensitive information.”
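As an added illustration (not Kroll's code and not DarkGate's), the following Python models a back-to-front alphabet swap of the kind described above and shows the forensic direction: mapping a custom alphabet back to standard Base64 to decode a captured file, and recovering symbol pairs from a known plaintext prefix. The seeded PRNG, the sample strings and the `recover_alphabet` approach are assumptions for the example, not Kroll's documented method.

```python
import base64
import random
import string

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"


def shuffle_alphabet(seed: int) -> str:
    """Model of the swap described in the article: walking from the last position
    toward the front, swap each character with one before it. The PRNG and seed
    are assumptions; the real sample derives its state from the host."""
    chars = list(STD_ALPHABET)
    rng = random.Random(seed)
    for i in range(len(chars) - 1, 0, -1):
        j = rng.randrange(i)  # a position strictly before i
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def encode_custom(data: bytes, alphabet: str) -> str:
    """Standard Base64, then rename each symbol into the custom alphabet."""
    std = base64.b64encode(data).decode("ascii")
    return std.translate(str.maketrans(STD_ALPHABET, alphabet))


def decode_custom(text: str, alphabet: str) -> bytes:
    """Forensic direction: rename custom symbols back to standard, then decode."""
    return base64.b64decode(text.translate(str.maketrans(alphabet, STD_ALPHABET)))


def recover_alphabet(ciphertext: str, known_plaintext: bytes) -> dict:
    """Known-plaintext recovery of custom->standard symbol pairs: encode the known
    prefix with the standard alphabet and align it with the captured text. Only
    whole 3-byte groups are used so padding cannot skew the alignment."""
    std = base64.b64encode(known_plaintext).decode("ascii")
    usable = (len(known_plaintext) // 3) * 4
    mapping = {}
    for custom, standard in zip(ciphertext[:usable], std[:usable]):
        if mapping.setdefault(custom, standard) != standard:
            raise ValueError("inconsistent pair; the known plaintext is wrong")
    return mapping


if __name__ == "__main__":
    alpha = shuffle_alphabet(1234)  # constructed seed
    sample = b"constructed keylog line: user typed hunter2"  # constructed, not real
    blob = encode_custom(sample, alpha)
    pairs = recover_alphabet(blob, b"constructed keylog line: ")
    print(f"{len(pairs)} symbols recovered from the known prefix")
    print(decode_custom(blob, alpha))
```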
